Re:Skype (quick question)

[krymson () gmail com]

Quick question, quick answer!

Google should give a plethora of results on this topic. Just be careful to look at the source, as Skype/eBay has, 
itself, released a lot of information on the security of Skype, and that typically has a bias (obviously).

1) Skype's encryption is only as good as Skype has made it. It is proprietary, so we don't get to see it or vet it. 
Cross your fingers. Likewise, if you conduct confidential business over Skype, can you trust that Skype isn't giving 
the keys away from national orgs or doing its own logging? We have no idea how reversible it may be off the wire. 
Because of the distributed P2P architecture, your calls can go through Sweden before bouncing back to New York. If that 
node in Sweden can decrypt the calls...

2) Skype suffers from all the same issues as IM programs; malicious links, files, social engineering, and any plugins. 
No difference here.

3) Skype allows automatic updates, silent to the user (this may be updated these days). You install Skype, the first 
time it checks you tell it to go ahead and save your preference to auto install downloads, and you never see it again. 
Who knows what Skype will do. Granted, they have little reason to be malicious, but you never know what oddness can 
happen...

4) As far as I know, Skype logins are for Skype only, and not integrated into any enterprise or SSO system. This means 
if a Skype login/password from one of your users is compromised, let's just hope they don't use the same password for 
everything. (Again, no different from any other IM system.)

5) This is an annoyance and not necessarily a security issue, but if you do network monitoring, you'll see all kinds of 
funky and odd connections outbound to Taiwan, Finland, China, Russia, Argentina, the US, Iceland, and so on. That's the 
nature of the distributed medium. If you watch your traffic, these are typically redflags for your admins. Skype will 
dilute that approach.

6) Skype once had its network go down for about 4 days. This was hot on the heels (like hours) after a security release 
describing a DOS on Skype servers. Because the whole system conveniently went down for 4 days, this couldn't be widely 
tested/confirmed. After 4 days and Skype vehemently denying any security issues, the POC code was confirmed to no 
longer work. This is a huge strike to me in how much I trust them.

7) Skype has had several vuln disclosures in the past year. They're no different than any other product, really.

8) Your home users or any non-NATted systems may become super nodes on the network. This may open them up to any remote 
attacks (none that I know of at this time), but definitely uses their bandwidth to support call connections. Again, an 
annoyance in my books.


<- snip ->
Has anyone heard of any security concerns regarding the use of Skype? 
If any anyone knows of any real or potential security issues, could 
you let me know by responding to this message please?

Many thanks, Rick.