more on skype

[David Farber <dave () farber net>]

Begin forwarded message:

From: Stephan Somogyi <ip045 () st gyroscope net>
Date: August 12, 2005 4:27:19 PM EDT
To: dave () farber net
Subject: Re: [IP] skype


What reason do we have to trust Skype's end-to-end encryption today?

Skype hasn't shown any inclination to describe either its protocol or  
crypto implementation, much less release source code. Simson  
Garfinkel's paper showed that Skype traffic is obscured, but his  
findings give us no way to objectively assess actual security  
provided. For all we know, Skype's use of crypto is as secure as ROT13.

It bothers me how readily we forget WEP: An IEEE standards committee  
concocted a system -- using fully buzzword-compliant crypto -- that  
resulted in a standard that proved ineffective even against  
lackadaisical attack.

If Skype cared about proving to its customers that its system was  
secure, it would already have done so. Instead, it continues to  
practice security through obscurity.

A false sense of security is worse than knowingly not having any.  
Just because Skype says it offers encryption doesn't mean it provides  
any real security at all.

s.

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/