[liberationtech] NYT report on Obama admin's wiretap plans

Jack Lloyd lloyd at randombit.net
Mon Sep 27 14:19:20 PDT 2010


On Mon, Sep 27, 2010 at 04:50:55PM -0400, Thomas Smyth wrote:
> Wouldn't tapping Skype-to-Skype calls be tantamount to tapping any SSL
> encrypted digital communication?

As far as I know the full details of the Skype encryption protocol
have never been publicly released, but I have never seen anything that
suggests they use SSL/TLS/DTLS anywhere in the system.

> That is, breaking public key encryption?

While the NSA probably has some impressive abilities in this regard,
it does not seem necessarily a required ability to break Skype. An
error in the protocol design seems more likely; earlier versions of
SSL, SSH, and most other crypto protocols have at least one fairly
major error which makes an attacker's job much easier. And these were
protocols which were published; the history of secret
protocols/systems (GSM, CSS, KeeLoq, to name three examples) is much
much worse.

> Unless, that is, there is a bug in the Skype client software, which would
> surely be quickly patched..

Because software vendors always patch bugs as soon as they are found
and exploited? The recently announced Linux vulnerability
(CVE-2010-3301) was supposedly known in some circles and being
actively exploited for almost two years before it was fixed.

-Jack


