Comments on: Top Ten Concerns to Skype Security http://sbin.cn/blog/2005/10/17/top-ten-concerns-to-skype-security/ Technologies and comments on cloud and telecom security, bridging China and the world! Mon, 05 Mar 2012 09:33:01 +0000 hourly 1 http://wordpress.org/?v= By: Telecom,Security and P2P » Blog Archive » Skypekiller sounds ridiculous http://sbin.cn/blog/2005/10/17/top-ten-concerns-to-skype-security/comment-page-1/#comment-2880 Telecom,Security and P2P » Blog Archive » Skypekiller sounds ridiculous Mon, 30 Apr 2007 05:47:49 +0000 http://sbin.cn/blog/?p=62#comment-2880 [...] or not enterprises should permit Skype. The focus point here is its security issues. I list out ten security concerns to Skype before. However, it’s indeed of value. It can help lower the voice communication cost and [...] [...] or not enterprises should permit Skype. The focus point here is its security issues. I list out ten security concerns to Skype before. However, it’s indeed of value. It can help lower the voice communication cost and [...]

]]> By: zhaol http://sbin.cn/blog/2005/10/17/top-ten-concerns-to-skype-security/comment-page-1/#comment-83 zhaol Mon, 07 Nov 2005 05:43:25 +0000 http://sbin.cn/blog/?p=62#comment-83 Juergen Nieveler wrote: > Lassi Hippeläinen wrote: > >> Skype uses asymmetric PKI to authenticate the clients. Each new client >> first generates a certificate with a dedicated server. Skype has a >> bunch of those servers, distributed geographically. > > If so, the keys never leave the servers (which of course is a bad > thing) - after all, you can login from any PC anywhere in the world. > > That means that Skype still is able to eavesdrop on you... > > Juergen Nieveler The servers only participate in authentication. The call session is peer-to-peer and need not pass through anything that Skype can control. -- Lassi Juergen Nieveler wrote:

> Lassi Hippeläinen wrote:
>
>> Skype uses asymmetric PKI to authenticate the clients. Each new client
>> first generates a certificate with a dedicated server. Skype has a
>> bunch of those servers, distributed geographically.
>
> If so, the keys never leave the servers (which of course is a bad
> thing) – after all, you can login from any PC anywhere in the world.
>
> That means that Skype still is able to eavesdrop on you…
>
> Juergen Nieveler

The servers only participate in authentication. The call session is
peer-to-peer and need not pass through anything that Skype can control.

– Lassi

]]> By: zhaol http://sbin.cn/blog/2005/10/17/top-ten-concerns-to-skype-security/comment-page-1/#comment-82 zhaol Mon, 07 Nov 2005 05:42:51 +0000 http://sbin.cn/blog/?p=62#comment-82 Some reponses to the TOP TEN Concerns: I don't think the AES key is stored anywhere. It is created for each session, and possibly recreated during the session after some time interval. Skype uses asymmetric PKI to authenticate the clients. Each new client first generates a certificate with a dedicated server. Skype has a bunch of those servers, distributed geographically. One of my colleagues suggested that when eBay bought Skype, they weren't interested in the VoIP business, they wanted the PKI infra with its 50+ million customers. -- Lassi Some reponses to the TOP TEN Concerns:

I don’t think the AES key is stored anywhere. It is created for each
session, and possibly recreated during the session after some time
interval.

Skype uses asymmetric PKI to authenticate the clients. Each new client first
generates a certificate with a dedicated server. Skype has a bunch of those
servers, distributed geographically.

One of my colleagues suggested that when eBay bought Skype, they weren’t
interested in the VoIP business, they wanted the PKI infra with its 50+
million customers.

– Lassi

]]> By: zhaol http://sbin.cn/blog/2005/10/17/top-ten-concerns-to-skype-security/comment-page-1/#comment-81 zhaol Mon, 07 Nov 2005 05:42:18 +0000 http://sbin.cn/blog/?p=62#comment-81 Some reponses to the TOP TEN Conerns: Are these two questions related to each other? If yes, the AES cipher is an symmetrical one where you only need a private key. If skype uses an asymmetrical cipher as well it would be nice if anyone outside there could explain the function of this cipher (in skype). Maybe to negotiate the symetrical key as SSL do it? Walter Some reponses to the TOP TEN Conerns:

Are these two questions related to each other? If yes, the AES cipher is
an symmetrical one where you only need a private key. If skype uses an
asymmetrical cipher as well it would be nice if anyone outside there
could explain the function of this cipher (in skype). Maybe to negotiate
the symetrical key as SSL do it?

Walter

]]> By: Telecom, Security and P2P » Skype published a security whitepaper http://sbin.cn/blog/2005/10/17/top-ten-concerns-to-skype-security/comment-page-1/#comment-80 Telecom, Security and P2P » Skype published a security whitepaper Fri, 28 Oct 2005 01:58:38 +0000 http://sbin.cn/blog/?p=62#comment-80 [...] As everybody know, security is the most concern point to choose a IM/P2P application. Refer to my post of Top Ten Concerns to Skpye, many uncertainties make a number of enterprise IT managers and professionals hesitate to use Skype. Two days ago, Skype published a security whitepaper to explain the security concerns, for full version, click here. The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently. As a result, the confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments. [...] [...] As everybody know, security is the most concern point to choose a IM/P2P application. Refer to my post of Top Ten Concerns to Skpye, many uncertainties make a number of enterprise IT managers and professionals hesitate to use Skype. Two days ago, Skype published a security whitepaper to explain the security concerns, for full version, click here. The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently. As a result, the confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments. [...]

]]> By: zhaol http://sbin.cn/blog/2005/10/17/top-ten-concerns-to-skype-security/comment-page-1/#comment-79 zhaol Wed, 26 Oct 2005 06:03:13 +0000 http://sbin.cn/blog/?p=62#comment-79 non-formal answers from Tom Berson via Skype: 1. No 2. No, unless you or other party to chat has some Trojan on you computer 3. There is no processing in the middle 4. Possibly, but not by Skype 5, 6, 7 see paper 8. I am not an expert about the network layer 9. Skype-to-Skype calls, no. 10. I do not think so. Thanks to Tom's explanation. Richard non-formal answers from Tom Berson via Skype:

1. No
2. No, unless you or other party to chat has some Trojan on you computer
3. There is no processing in the middle
4. Possibly, but not by Skype
5, 6, 7 see paper
8. I am not an expert about the network layer
9. Skype-to-Skype calls, no.
10. I do not think so.

Thanks to Tom’s explanation.

Richard

]]> By: zhaol http://sbin.cn/blog/2005/10/17/top-ten-concerns-to-skype-security/comment-page-1/#comment-78 zhaol Tue, 25 Oct 2005 02:56:10 +0000 http://sbin.cn/blog/?p=62#comment-78 I think the whitepaper published by Skype only addresses the 5th, 6th and 7th concerns, while leaving others not covered. I think the whitepaper published by Skype only addresses the 5th, 6th and 7th concerns, while leaving others not covered.

]]>