Wednesday, March 22, 2006

Is Skype Secure?

We all know the advantages of Skype, but what about the disadvantages that we don't all know?

Is Skype secure? Is the program safe to use? Is Skype more secure than a telephone call made with an analog or ISDN telephone? How does the security of Skype compare with other VoIP-based systems?

Skype binds to three ports on the user's computer and directly manipulates Windows XP's built-in firewall to accommodate these network bindings.

Skype's file transfer function does not contain any built-in anti-virus protection that scans programs as they are downloaded.

Skype accesses the hard disk several times per minute. Although those accesses are small, extremely fast and safe in the short term, they can be harmful in the long term.

Niklas Zennstrom, co-founder of Skype, has admitted that the current security model depends on the source code staying closed:
Would he make Skype open-source? No, that would make its strong 1024-bit encryption and security vulnerable: "We could do it but only if we re-engineered the way it works and we don't have the time right now."

In cryptography and computer security, security through obscurity (sometimes security by obscurity) is a controversial principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to ensure security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.

A few people will give up a "normal" phone for a PC-linked Skype connection. New products, such as standard phone handsets with USB connectors, help blur the line separating Skype from the rest of the telephone world, but that line remains.

Another drawback is Skype's completely proprietary nature. Open source fans don't appreciate Skype's rejection of open source values and standards. Large companies don't appreciate Skype's way of worming through corporate firewalls.

Skype does not follow standards. Two major computer-based phone products that do follow standards, SIPphone and FreeWorldDialup, have a tiny market share compared to Skype but have the weight of internet standards on their side. Their limited market share will not threaten to overwhelm Skype, but it may grow large enough to push Skype into involvement with the standards community. That probably won't happen until at least 2008, and will likely depend on how Microsoft implements Voice over IP support in Windows Vista.

The integrity of the data, i.e. whether data can be modified while traveling through peers even though it is encrypted, is unknown and undocumented.

Skype provides an uncontrolled registration system for users: registration requires no proof of the identity of the user at all. This works two ways: you can use the system without revealing your identity to other users of the system, but on the other hand you have no guarantee that the person you communicate with is the one they say they are.

Skype is a proprietary software program using undocumented protocols, and laws prohibit reverse-engineering it.

Skype implements some kind of "peer-to-peer" network over client machines, with clients on fast connections becoming major exchange points; since research centers typically have very high speed connections, machines running Skype in those centers may generate very high traffic; some networks were reportedly nearly saturated by Skype traffic.

The information flow implemented by Skype is unknown; though encryption is used, it is unknown where traffic goes.

Skype claims that its system uses the RSA encryption algorithm for key exchange and 256-bit AES as its bulk encryption algorithm. However, Skype does not publish its key exchange algorithm or its over-the-wire protocol and, despite repeated requests, has refused to explain the underlying design of its certificates, its authentication system, or its encryption implementation. Therefore it is impossible to validate the company's claims regarding encryption. It is entirely possible that the data is both encrypted and not secure.
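"Encrypted and not secure" is not a contradiction, and the earlier point about data integrity across peers is the clearest case: a cipher that only hides content does nothing to stop an intermediate node from altering it. The following added example (not Skype's protocol, whose key exchange and wire format the page notes are unpublished, and not the page's own code) shows this with the Python standard library alone. A toy counter-mode keystream built from HMAC-SHA256 stands in for the bulk cipher; the sample message, the keys and the modifying relay are all constructed here.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # bytes of HMAC-SHA256 appended by encrypt_then_mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256.

    Assumption for illustration only: it stands in for the 256-bit AES bulk
    cipher the page mentions. The property shown below (an XOR stream cipher
    is malleable) holds for AES in CTR mode just the same.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the message with the keystream, no integrity tag."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt_only(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption reuses encrypt_only."""
    return encrypt_only(key, nonce, ciphertext)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity: ciphertext followed by an HMAC over nonce and ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; reject anything modified in transit."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message modified in transit")
    return decrypt_only(enc_key, nonce, ct)


def relay_modifies_byte(data: bytes, index: int, delta: int) -> bytes:
    """Model an intermediate peer that changes one byte of what it forwards, without any key."""
    mutated = bytearray(data)
    mutated[index] ^= delta
    return bytes(mutated)


def run_demo() -> tuple:
    """Returns (what the recipient decodes without a MAC, whether the MAC version caught the change)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    message = b"PAY 100 EUR"  # constructed sample message
    # Case 1: encryption alone. The relay's single-byte change goes unnoticed and
    # decrypts to a different amount ('1' XOR 0x08 is '9' in ASCII).
    ct = encrypt_only(enc_key, nonce, message)
    decoded = decrypt_only(enc_key, nonce, relay_modifies_byte(ct, 4, 0x08))
    # Case 2: encrypt-then-MAC. The same change fails verification before decryption.
    blob = encrypt_then_mac(enc_key, mac_key, nonce, message)
    try:
        verify_and_decrypt(enc_key, mac_key, nonce, relay_modifies_byte(blob, 4, 0x08))
        detected = False
    except ValueError:
        detected = True
    # Untouched data still verifies and decrypts normally.
    assert verify_and_decrypt(enc_key, mac_key, nonce, blob) == message
    return decoded, detected


if __name__ == "__main__":
    decoded, detected = run_demo()
    print("without MAC, recipient reads:", decoded)
    print("with MAC, modification detected:", detected)
```

The point for a reviewer of any closed protocol is that "uses 256-bit AES" says nothing about integrity: unless the design also authenticates every packet (a MAC as above, or an authenticated mode such as AES-GCM), a peer on the path can alter traffic it cannot read, and the recipient has no way to notice.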

Skype could also be an infection vector for spyware. Although the program's creators promise that their program does not come with spyware or adware, it is possible that they are not being truthful or that their policy will change in the future. Skype could have security vulnerabilities that a third party could exploit.

Finally, it must be remembered that the security of the Skype system also depends entirely on the good will of Skype’s programmers and the organization running Skype’s back-end servers. It is possible that there are back doors in the system allowing the Skype organization or others to record Skype conversations, turn on a computer's microphone and record the room's noise.



  1. Wonderful article, well done pal.

  2. It's nice to read your comments against Tarek.

    I saw your gr33n data.

    Your blog is awesome.

  3. What a nice post. I really love reading these types of articles. I can't wait to see what others have to say.

  4. My Skype account was hacked into today. I'm guessing it was either a brute force attack or sniffing Wi-Fi packets. The first method could be stopped if their system would freeze the account after a certain number of attempts, emailing the account holder that possible unauthorized activity was taking place. I believe the second method would be possible if the connection from the Skype client to their server is not truly secure as they say. In either case, Skype is not secure. The hacker was able to use the auto-billing I had setup for a low balance to charge up $120 to my PayPal account.
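The account-freeze control the commenter describes (stop after a number of failed attempts and tell the account holder) is simple to state and worth seeing in code. The following is an added example, not Skype's code and not part of the original post; the threshold, the time window and the notification callback are assumptions, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed threshold: freeze after this many failures in the window
LOCKOUT_SECONDS = 900   # assumed window and freeze duration (15 minutes)


class LoginGuard:
    """Counts failed logins per account, freezes the account at the threshold
    and fires a notification so the holder learns of the attempts."""

    def __init__(self, notify, clock=time.time):
        self.notify = notify                # callback(account, reason); stands in for the e-mail to the holder
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the freeze expires

    def attempt(self, account: str, password_ok: bool) -> str:
        """Returns 'ok', 'denied' or 'locked'.

        A frozen account stays frozen even for a correct password, so a guess
        that happens to be right during the freeze still gets nothing.
        """
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if password_ok:
            self.failures.pop(account, None)   # a good login clears the failure history
            return "ok"
        recent = [t for t in self.failures[account] if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.notify(account, f"{len(recent)} failed logins within {LOCKOUT_SECONDS}s; account frozen")
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(lambda acct, reason: print(f"notify {acct}: {reason}"))
    for _ in range(MAX_FAILURES):
        print(guard.attempt("demo-user", False))   # constructed stream of bad passwords
    print(guard.attempt("demo-user", True))        # still 'locked' until the window passes
```

Two practical notes. The notification is the part that turns a silent control into a detection: the holder finds out about the attempts, as the commenter wanted, rather than only noticing the bill. And a per-account freeze lets anyone who knows a username lock its owner out, so in a real deployment it is paired with per-source rate limiting and the same failed-login events are kept as logs for the operator's own monitoring.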

  5. Just want to say what a great blog you got here! I’ve been around for quite a lot of time, but finally decided to show my appreciation of your work! Thumbs up, and keep it going!

  6. I recently came across your blog and have been reading along. I think I will leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often...