Security Communications IT

Skype Security and Privacy Concerns

CDMA_Demo writes "Scott Granneman at Security Focus is discussing the security and privacy issues thanks to eBay's acquisition of Skype. Says the help section on Skype's website: 'Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.' Scott Granneman debates that since Skype is owned by eBay and is closed source, we have no way of verifying this claim. Further, from the article: 'At the CyberCrime 2003 conference, Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.' This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.'"

  • Skype vs eBay (Score:5, Interesting)

    by lordsilence ( 682367 ) * on Thursday September 22, 2005 @06:27PM (#13625499) Homepage
    According to Zennström (co-founder of Kazaa and Skype), whose company Skype recently got bought by eBay, Skype will still be run as a separate company by him as the head.

    So I kind of doubt he'll actively be doing stuff to endanger people's privacy.
    It's worth mentioning that he left Kazaa BEFORE they became known as an adware-bloated software.
  • by temojen ( 678985 ) on Thursday September 22, 2005 @06:39PM (#13625575) Journal
    There are dual-recipient encryption systems. Skype could be using one to store the session key so Law Enforcement (with or without a warrant) can decrypt intercepted communications. Or just encrypting the session keys twice.

    It seems to me what the world (or at least tinfoil hatters and others, like lawyers and accountants, who handle confidential information) needs now is either
    1. A serverless, point-to-point, TLS with client key authentication Capable VOIP protocol, with multiple implementations, some of which are open source, or
    2. IPSEC protected SIP or H.323
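
The "encrypting the session keys twice" idea from the comment above, as an added sketch that is not part of the original post and not Skype's code: one session key is wrapped for the peer and again for a hypothetical escrow key, so the payload cipher's key length says nothing about who else can read the traffic. Textbook RSA on toy primes and a SHA-256 keystream stand in for real RSA and AES; every name and key here is constructed for illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy key pairs

def make_keypair(p, q):
    """Textbook RSA from two known primes (toy sizes, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(pub, session_key: bytes) -> int:
    n, e = pub
    return pow(int.from_bytes(session_key, "big"), e, n)

def unwrap(priv, wrapped: int) -> bytes:
    n, d = priv
    return pow(wrapped, d, n).to_bytes(16, "big")

def send(message: bytes, recipient_pubs) -> dict:
    """Encrypt the payload once, then wrap the same session key per recipient."""
    session_key = secrets.token_bytes(16)
    return {
        "payload": keystream_xor(session_key, message),
        "wrapped_keys": [wrap(pub, session_key) for pub in recipient_pubs],
    }

def read(priv, packet: dict, slot: int) -> bytes:
    key = unwrap(priv, packet["wrapped_keys"][slot])
    return keystream_xor(key, packet["payload"])

# Constructed key material: Mersenne primes, chosen only for reproducibility.
PEER_PUB, PEER_PRIV = make_keypair(2**127 - 1, 2**61 - 1)
ESCROW_PUB, ESCROW_PRIV = make_keypair(2**107 - 1, 2**89 - 1)

def demo():
    """Both the intended peer and the escrow holder recover the plaintext."""
    packet = send(b"constructed call setup message", [PEER_PUB, ESCROW_PUB])
    return read(PEER_PRIV, packet, 0), read(ESCROW_PRIV, packet, 1)
```

The payload bytes are the same whether or not the second wrapped key is produced, which is why the question can only be settled by auditing the client, not by measuring cipher strength.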
  • by DarkHelmet433 ( 467596 ) * on Thursday September 22, 2005 @06:42PM (#13625592)
    However, the real interesting thing is how does eBay, a US company, get around the US export restrictions? E.g., it's been mentioned that 128 bit AES is the limit that you can get export approval for. Given Skype's 256 bit AES, will eBay have to weaken it when they release it after the ownership transfer is complete?

    Or do they have wiggle room and claim that it's produced offshore and therefore isn't exported from the US, even though it's now owned by a US company? I doubt that will go down well with the powers-that-be, because (among other things) that will just encourage US companies to offshore all their products-with-crypto work to get around the regulations.
  • by FishandChips ( 695645 ) on Thursday September 22, 2005 @06:45PM (#13625612) Journal
    Simple answer: don't use Skype if security is an issue. Plenty of other providers. Now that eBay have got their hands on Skype, chances are it will be sent right downmarket anyway.
  • Verifying it (Score:3, Interesting)

    by SamMichaels ( 213605 ) on Thursday September 22, 2005 @07:36PM (#13625925)
    Scott Granneman debates that since Skype is owned by eBay and is closed source, we have no way of verifying this claim.

    With all the talented people out there, I'm sure SOMEONE (dvd jon?) could easily test out the encryption strength. I doubt anyone would even notice if you do it to your own account and your own friends on the other side of the call.
  • by Antique Geekmeister ( 740220 ) on Thursday September 22, 2005 @10:48PM (#13626711)
    PGPPhone had this high level of end-to-end security almost 20 years ago. It used RSA, which still had a valid patent, but the PGP web of trust is pretty good and you can always generate your own new PGP keys and publish only the public part.

    A modest re-write to operate on TCP instead of modems should be quite straightforward.
  • Re:Concerns? (Score:2, Interesting)

    by Anonymous Coward on Thursday September 22, 2005 @11:31PM (#13626874)
    Umm ... what? How does it raise questions? If some cyber criminal is plotting something with his buddies over Skype, I don't care WHAT eBay does or HOW they do it -- it's criminals we're talking about.

    Think about this: eBay now has access to personal info of Skype users. SOMEONE faxes a fake request for info from eBay and given the ease with which they give away personal info, someone's personal details from Skype are disclosed. That "SOMEONE" is the cyber criminal we are talking about! Skype's security is questionable in the first place, but now that eBay is involved, things may get worse. In case you read the article eBay can gladly hand over the following info to anyone:
    • Full name
    • User ID
    • Email address
    • Street address
    • State
    • City
    • ZIP code
    • Phone number
    • Country
    • Company
    • Password
    • Secondary phone number
    • Gender
    • Shipping information (including name, street address, city, state, ZIP)
    • Bidding history on an item
    • Items for sale
    • Feedback left about the user
    • Bidding history
    • Prices paid for items
    • Feedback rating
    • Chat room and bulletin board posts
    Of course, this just seems like another classic case of Slashdot-entitlement: "Waah, waah, I'm a criminal, I steal credit card numbers, I trade child pornography ... BUT DAMNIT I STILL DESERVE THE RIGHT TO UNMONITORED E-MAIL/IM CONVERSATIONS!1!11!!~"

    Read the article.
  • by m50d ( 797211 ) on Friday September 23, 2005 @05:36AM (#13627828) Homepage Journal
    Or do they have wiggle room and claim that it's produced offshore and therefore isn't exported from the US, even though it's now owned by a US company? I doubt that will go down well with the powers-that-be, because (among other things) that will just encourage US companies to offshore all their products-with-crypto work to get around the regulations.

    That's been happening already, lots of multinational companies do their crypto work in Europe and then send the finished product to the US division, because once it's in the US you can't get it out again.
