At 01:13 AM 9/8/2005, Eugen Leitl wrote:
> On Thu, Sep 08, 2005 at 05:31:32AM +0100, Dave Howe wrote:
>> Don't really need one. The Skype concept of "supernodes" - users that relay conversations for other users - could be used just as simply, and is
>
> What hinders Mallory from running most of the supernodes?

Budget? But Mallory doesn't need to run *most* of the supernodes - hitting just the current targets is good enough, especially if the central sites or client software can be tricked into not using encryption or using compromised keys.

>> Plus of course some sort of assurance that Skype's crypto isn't snakeoil :)
>
> It is snake oil until proven otherwise.

Yup. They say they use AES, and that they use RSA to set up session keys. The main issue is that they don't document their protocols or crypto, and of course the usual failures are bad protocol design, which can break systems that do include strong crypto. The use of RSA for session key setup instead of Diffie-Hellman is a strong sign that they don't really have a clue...

If you're in the SF Bay Area, Skype is having a developer get-together in Palo Alto on Thursday 9/22.
http://www.skype.com/campaigns/skypenightpaloalto2005