March 23, 2006
This morning, Ric Harwood drew the attention of Bristol Underscore to this old article:
Beware eBay bearing Skype: ominous security omens
I took a look, and made my own contribution to Underscore (edited here):
I am not sure the article is up to the usual high standards of securityfocus,
but it is very enlightening - and very topical, because Zfone was
released last week.
SKYPE and VoIP: The article says that open-standards VoIP
(voice over internet protocol) is neither peer-to-peer nor encrypted,
while Skype is both. Not true. In fact both SIP and H.323 are
peer-to-peer: the signalling may pass through a proxy or gatekeeper,
but the voice stream itself normally flows directly between the two
endpoints. Although some providers choose to route voice traffic
over their own fibre, most don't. Further, both SIP and H.323 have
optional encryption, which some equipment supports. The problem is
that for encryption to mean anything, the caller and receiver must
first exchange trusted public keys (or shared secrets) 'out of band'.
This is hard, and conventionally needs a troublesome public key
infrastructure, so hardly anyone bothers. Without that authenticated
key exchange, VoIP, including Skype, is not private even if it is
encrypted: anyone who can sit on the path needs no code-breaking
skill to mount a so-called 'spoofing' or 'man-in-the-middle' attack,
handing each party his own key and re-encrypting the traffic in both
directions. Encryption without authenticated key exchange provides a
totally bogus veneer of security. Skype might hand over your call
logs to anyone who faxes (I don't know), but that is only one of your
worries.
ZFONE: Last week, Phil Zimmermann (of PGP fame) published the source
of a beta version of his Zfone project, which will make open-standards
VoIP conversations reasonably private without a public key
infrastructure. Notice that his source is proprietary (not open
source), but he is allowing the world to read it so that security
experts can identify flaws in the cryptography.
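As an added illustration of the two points above (it is not Zfone's or ZRTP's code, nor part of the original post): a plain Diffie-Hellman agreement gives the caller and receiver a key that nobody merely listening on the wire can compute, yet an attacker who relays the call and substitutes his own public values ends up holding both parties' keys and can decrypt everything. Zfone's protocol, ZRTP, closes that hole without a PKI by deriving a short authentication string from the agreed key and having the two people read it to each other over the call; a man in the middle would produce two different strings. The script models both the attack and the check. The group (the Mersenne prime 2^127 - 1 with generator 3), the key derivation and the SAS derivation are simplified stand-ins chosen so the script runs instantly, not the real protocol's parameters.

```python
"""Unauthenticated Diffie-Hellman versus a man in the middle, and how a
short authentication string (SAS) read aloud exposes the attacker.

Added illustration, not Zfone/ZRTP code.  The group is a toy: P is the
Mersenne prime 2**127 - 1, chosen only so that the script is fast.  A
real implementation uses a standard large MODP group or an elliptic
curve, and a proper key-derivation function.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # toy modulus; far too small and too smooth for real use
G = 3                # toy generator (2 would generate a 127-element subgroup)


def dh_keypair(rng=None):
    """Return (private exponent, public value) for one party."""
    rng = rng or secrets.SystemRandom()
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Raw shared secret; rejects the trivial values 0, 1 and P-1."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def session_key(shared):
    """Simplified KDF: hash the shared secret to a 32-byte key."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def sas(key):
    """Four-character string from 20 bits of a hash of the session key,
    the same shape as ZRTP's base32 SAS (derivation simplified here)."""
    h = hashlib.sha256(b"SAS" + key).digest()
    bits = int.from_bytes(h[:3], "big") >> 4          # keep 20 bits
    alphabet = "ybndrfg8ejkmcpqxot1uwisza345h769"    # z-base-32 alphabet
    return "".join(alphabet[(bits >> (15 - 5 * i)) & 31] for i in range(4))


def call(mitm=False, rng=None):
    """Simulate Alice and Bob agreeing a key over an unauthenticated path.

    With mitm=True, Mallory intercepts both public values and replaces
    each with his own, running one DH exchange with each victim.
    """
    a_priv, a_pub = dh_keypair(rng)
    b_priv, b_pub = dh_keypair(rng)
    mallory_keys = []
    if mitm:
        m1_priv, m1_pub = dh_keypair(rng)   # Mallory's key facing Alice
        m2_priv, m2_pub = dh_keypair(rng)   # Mallory's key facing Bob
        alice_sees, bob_sees = m1_pub, m2_pub
        mallory_keys = [session_key(dh_shared(m1_priv, a_pub)),
                        session_key(dh_shared(m2_priv, b_pub))]
    else:
        alice_sees, bob_sees = b_pub, a_pub
    alice_key = session_key(dh_shared(a_priv, alice_sees))
    bob_key = session_key(dh_shared(b_priv, bob_sees))
    return {
        "alice_key": alice_key,
        "bob_key": bob_key,
        "alice_sas": sas(alice_key),
        "bob_sas": sas(bob_key),
        # Mallory can read the call only if he holds both session keys
        "mallory_can_read": alice_key in mallory_keys and bob_key in mallory_keys,
        # what the two people compare by voice: equal means no relay
        "sas_match": sas(alice_key) == sas(bob_key),
    }


if __name__ == "__main__":
    for mitm in (False, True):
        r = call(mitm)
        print(f"mitm={mitm}: Alice reads '{r['alice_sas']}', Bob reads "
              f"'{r['bob_sas']}', match={r['sas_match']}, "
              f"Mallory can read={r['mallory_can_read']}")
```

The traffic is encrypted in both runs; only in the second does the attacker hold the keys. Note that the SAS check works because the attacker cannot make the two derived keys agree, and because a human voice is hard to forge in real time; a 20-bit SAS lets an attacker slip through about one call in a million, which is why ZRTP also carries forward key material from earlier calls.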
Andy Davies responded with an interesting link to slides from Black Hat Europe, which I bookmarked:
Silver Needle in the Skype http://www.furl.net/item.jsp?id=7675311
David