Interesting People mailing list archives
more on skype
From: David Farber <dave () farber net>
Date: Sat, 13 Aug 2005 17:32:56 -0400
Begin forwarded message:

From: Brad Templeton <btm () templetons com>
Date: August 13, 2005 4:21:55 PM EDT
To: David Farber <dave () farber net>
Cc: Ip Ip <ip () v2 listbox com>
Subject: Re: [IP] more on skype
What reason do we have to trust Skype's end-to-end encryption today? Skype hasn't shown any inclination to describe either its protocol or crypto implementation, much less release source code. Simson Garfinkel's paper showed that Skype traffic is obscured, but his findings give us no way to objectively assess the actual security provided. For all we know, Skype's use of crypto is as secure as ROT13.

It bothers me how readily we forget WEP: an IEEE standards committee concocted a system -- using fully buzzword-compliant crypto -- that resulted in a standard that proved ineffective even against lackadaisical attack. If Skype cared about proving to its customers that its system was secure, it would already have done so. Instead, it continues to practice security through obscurity. A false sense of security is worse than knowingly not having any. Just because Skype says it offers encryption doesn't mean it provides any real security at all.
Not only could this not be more wrong, it is this not uncommon view that has given us the encryption regime we have today -- namely, almost none of the world's traffic is encrypted, in the name of this concept that somehow this is better than encryption of unknown quality.

It's not that I don't wish Skype's protocols were available for scrutiny. I do wish that, and I would have more faith in them if they were. But that's _more_ faith, not a jump from 0% faith to 99% faith. Skype's protocols have been examined by those skilled at cryptanalysis, and so far no announced window into them has been found. This is not everything, but it is not nothing. And since I personally know Skype's funders and know them to be men of honour, I have reasonable confidence that there would not be deliberate backdoors in the system.

But in spite of the rant above, Skype has done more to deliver encryption into the hands of the masses than just about anybody. More than Phil Zimmermann (which is not to say Phil's not a hero of this, but the reality is that even he doesn't get very much PGP-encrypted mail, and most people can be reasonably confident that Phil has a copy of PGP). Skype did this by doing ZUI encryption (zero user interface). Most of the users of Skype are not aware, or barely aware, of the encryption. And they encrypt by default. Frankly, today, use of PGP or other encryption software singles you out as somebody who cares. Use of encryption by you in Skype signifies nothing.

Encryption products should be strong, and should be subject to scrutiny and verified. But they should also be used in the real world to encrypt things!