Terrorists don't let terrorists use Skype
Well, I think Skype is also truly Peer to Peer, no? It doesn't go through some centralized switch or server. That means it can only be monitored at the endpoints, even when it's unencrypted. -Emory
From: Eugen Leitl <eugen@leitl.org>
To: cypherpunks@al-qaeda.net
Subject: Terrorists don't let terrorists use Skype
Date: Thu, 27 Jan 2005 15:02:56 +0100

From: Adam Shostack <adam@homeport.org>
Date: Tue, 11 Jan 2005 10:48:12 -0500
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
From owner-cryptography+eugen=leitl.org@metzdowd.com Thu Jan 27 01:04:39 2005
User-Agent: Mutt/1.4.2i
On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| In article <41E07994.5060004@systemics.com> you write:
| >Voice Over Internet Protocol and Skype Security
| >Simson L. Garfinkel
| >http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf
|
| >Is Skype secure?
|
| The answer appears to be, "no one knows". The report accurately reports
| that because the security mechanisms in Skype are secret, it is impossible
| to analyze meaningfully its security. Most of the discussion of the
| potential risks and questions seems quite good to me.
|
| But in one or two places the report says things like "A conversation on
| Skype is vastly more private than a traditional analog or ISDN telephone"
| and "Skype is more secure than today's VoIP systems". I don't see any
| basis for statements like this. Unfortunately, I guess these sorts of
| statements have to be viewed as blind guesswork. Those claims probably
| should have been omitted from the report, in my opinion -- there is
| really no evidence either way. Fortunately, these statements are the
| exception and only appear in one or two places in the report.
The basis for these statements is what the other systems don't do. My Vonage VOIP phone has exactly zero security. It uses the SIP-TLS port, without encryption. It doesn't encrypt anything. So, it's easy to be more secure than that. So, while it may be bad cryptography, it is still better than the alternatives. Unfortunately.
Adam
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
----- Forwarded message from Peter Gutmann <pgut001@cs.auckland.ac.nz> -----
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Date: Wed, 12 Jan 2005 05:00:29 +1300
To: daw-usenet@taverner.CS.Berkeley.EDU
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
David Wagner <daw@cs.berkeley.edu> writes:
>>Is Skype secure?
>
>The answer appears to be, "no one knows".
There have been other posts about this in the past; even though they use known algorithms, the way they use them is completely homebrew and horribly insecure: Raw, unpadded RSA, no message authentication, no key verification, no replay protection, etc etc etc. It's pretty much a textbook example of the problems covered in the writeup I did on security issues in homebrew VPNs last year.
(Having said that, the P2P portion of Skype is quite nice, it's just the security area that's lacking. Since the developers are P2P people, that's somewhat understandable).
Peter.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
participants (2): Eugen Leitl, Tyler Durden
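Added example (not part of the original thread, and not Skype's code): a toy illustration of two of the issues Peter Gutmann lists above, raw unpadded RSA and no message authentication, showing that a receiver without an integrity check accepts a ciphertext that was altered in transit while a tag check rejects it. The key, the MAC key and the message value are constructed for the demonstration, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)
MAC_KEY = b"constructed-demo-mac-key"   # assumption: pre-shared integrity key


def raw_encrypt(m):
    """Textbook RSA: c = m^e mod n. No padding, so it is deterministic."""
    return pow(m, E, N)


def raw_decrypt(c):
    return pow(c, D, N)


def rescale(c, factor):
    """Needs only the public key: Enc(m) * factor^e = Enc(m * factor) mod n."""
    return (c * pow(factor, E, N)) % N


def tag(c):
    """HMAC-SHA256 over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(MAC_KEY, c.to_bytes(16, "big"), hashlib.sha256).digest()


def receive_unauthenticated(c):
    """Receiver with no integrity check accepts whatever decrypts."""
    return raw_decrypt(c)


def receive_authenticated(c, t):
    """Receiver that verifies the tag first; returns None on a mismatch."""
    if not hmac.compare_digest(tag(c), t):
        return None
    return raw_decrypt(c)


if __name__ == "__main__":
    m = 1500                             # constructed message value
    c = raw_encrypt(m)
    t = tag(c)
    altered = rescale(c, 2)              # ciphertext changed without the private key
    print("same plaintext, same ciphertext:", raw_encrypt(m) == c)
    print("altered, no check:   ", receive_unauthenticated(altered))
    print("altered, tag check:  ", receive_authenticated(altered, t))
    print("untouched, tag check:", receive_authenticated(c, t))
```

The tag only catches modification; the ciphertext is still deterministic, which is what randomized padding such as OAEP addresses.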