Interesting People mailing list archives

Simson Garfinkel analyses Skype - Open Society Institute


From: David Farber <dave () farber net>
Date: Fri, 28 Jan 2005 18:59:54 -0500


------ Forwarded Message
From: David Wagner <daw () cs berkeley edu>
Date: Thu, 27 Jan 2005 15:22:09 -0800 (PST)
To: <cryptography () metzdowd com>
Subject: Simson Garfinkel analyses Skype - Open Society Institute

Adam Shostack <adam () homeport org> writes:
On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| In article <41E07994.5060004 () systemics com> you write:
| >Voice Over Internet Protocol and Skype Security
| >Is Skype secure?
| 
| The answer appears to be, "no one knows".  The report accurately reports
| that because the security mechanisms in Skype are secret, it is impossible
| to analyze meaningfully its security.  Most of the discussion of the
| potential risks and questions seems quite good to me.
| 
| But in one or two places the report says things like "A conversation on
| Skype is vastly more private than a traditional analog or ISDN telephone"
| and "Skype is more secure than today's VoIP systems".  I don't see any
| basis for statements like this.  Unfortunately, I guess these sorts of
| statements have to be viewed as blind guesswork.  Those claims probably
| should have been omitted from the report, in my opinion -- there is
| really no evidence either way.  Fortunately, these statements are the
| exception and only appear in one or two places in the report.

The basis for these statements is what the other systems don't do.  My
Vonage VOIP phone has exactly zero security.  It uses the SIP-TLS
port, without encryption.  It doesn't encrypt anything.  So, it's easy
to be more secure than that.  So, while it may be bad cryptography, it
is still better than the alternatives.  Unfortunately.

I don't buy it.  How do you know that Skype is "more secure", let alone
"vastly more private"?  Maybe Skype is just as insecure as those other
systems.  For all we know, maybe Skype is doing the moral equivalent
of encrypting with the all-zeros key, or using a repeating xor with a
many-time pad, or somesuch.  Without more information, we just don't know.

I'm sorry to pick nits, but I have to stand by my statement.  No matter
how atrociously bad other systems may be, I don't see any basis for saying
that Skype is any better.  It might be better, or it might be just as bad.
We don't know.


------ End of Forwarded Message

