more on skype

[David Farber <dave () farber net>]

Begin forwarded message:

From: Brad Templeton <btm () templetons com>
Date: August 13, 2005 4:21:55 PM EDT
To: David Farber <dave () farber net>
Cc: Ip Ip <ip () v2 listbox com>
Subject: Re: [IP] more on skype


> What reason do we have to trust Skype's end-to-end encryption today?
>
> Skype hasn't shown any inclination to describe either its protocol or
> crypto implementation, much less release source code. Simson
> Garfinkel's paper showed that Skype traffic is obscured, but his
> findings give us no way to objectively assess actual security
> provided. For all we know, Skype's use of crypto is as secure as  
> ROT13.
>
> It bothers me how readily we forget WEP: An IEEE standards committee
> concocted a system -- using fully buzzword-compliant crypto -- that
> resulted in a standard that proved ineffective even against
> lackadaisical attack.
>
> If Skype cared about proving to its customers that its system was
> secure, it would already have done so. Instead, it continues to
> practice security through obscurity.
>
> A false sense of security is worse than knowingly not having any.
> Just because Skype says it offers encryption doesn't mean it provides
> any real security at all.

Not only could this not be more wrong, it is this not uncommon view
that have given us the encrytion regime we have today -- namely almost
none of the world's traffic is encrypted, in the name of this concept
that somehow this is better than encryption of unknown quality.

It's not that I don't wish Skype's protocols were available for  
scrutiny.
I do wish that, and I would have more faith in them if they were.  But
that's _more_ faith, not a jump from 0% faith to 99% faith.

Skype's protocols have been examined by those skilled at cryptanalysis,
and so far no announced window into them has been found.   This is not
everything but it is not nothing.  And since I personally know Skype's
funders and know them to be men of honour, I have reasonable confidence
that there would not be deliberate backdoors in the system.

But in spite of the rant above, Skype has done more to deliver  
encryption
into the hands of the masses than just about anybody.   More than Phil
Zimmerman (which is not to say Phil's not a hero of this, but the
reality is that even he doesn't get very much PGP encrypted mail, and  
most
people can be reasonably confident that Phil has a copy of PGP.)

Skype did this by doing ZUI encryption (Zero user interface.)  Most of
the users of Skype are not aware or barely aware of the encryption.
And they encrypt by default.   Frankly, today, use of PGP or other
encryption software singles you out as somebody who cares.   Use of
encryption by you in Skype signifies nothing.

Encryption products should be strong, and should be subject to scrutiny
and verified.  But they should also be used in the real world to encrypt
things!


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/