[liberationtech] Debate brewing on @Liberationtech Twitter

Daniel Margolis dan at af0.net
Sat Mar 5 12:09:59 PST 2011


The ambiguity of the word "safe" makes this a very difficult question to
answer. It seems clear to me that Skype poses more of a risk of backdoors or
intercept systems than some popular software (like the user's operating
system) and less of a risk than others (e.g. most webmail providers, which
have of course an established and undeniable intercept capability, barring
the use of end-to-end cryptography like PGP).

Focusing on the "black box" aspect to Skype can be a little misleading.
Skype *nominally* (as opposed to with verifiable correctness) uses
industry-standard encryption (RSA and AES, etc--see
http://www.anagram.com/berson/skyeval.pdf). Whether they do so *effectively* is
of course unknown, but no more so than in most other situations we are
willing to accept--even open source code can easily fail to implement
cryptographic routines correctly, simply by accident (as with the well-known
Debian OpenSSL entropy issue). So while there's a large discussion to be had
here about the relative transparency of documented vs. undocumented
protocols and open vs. closed source programs, I find it difficult, off the
cuff, to believe that source and protocol transparency really lend much
value to the security of the average user (who typically is unable to do
such necessary tasks as evaluate whether a downloaded executable comes from
a trusted or untrusted source, over a trusted or untrusted channel, let
alone evaluate code security or look for the presence of backdoors in a
crypto implementation--if users are downloading open source, peer-evaluated
binaries over HTTP, are they better off than if they download Skype over
HTTPS?).

For those on the list who may not be familiar with it already, some
perspective on just how far our paranoia can (or should!) stretch is lent
from Ken Thompson's classic: http://cm.bell-labs.com/who/ken/trust.html.

Realistically, Skype is (as I said above) less safe than some commonly used
software and more safe than others. There's little evidence (aside from
unsubstantiated rumors, see e.g.
http://www.h-online.com/security/news/item/Speculation-over-back-door-in-Skype-736607.html,
http://www.theregister.co.uk/2008/07/25/skype_backdoor_rumours/) that
Skype actually has an intercept capability, and some evidence to the
contrary (Skype has rather vociferously resisted efforts by the FBI to have
CALEA extended to so-called "unmanaged" VoIP networks, and has risked
banishment from certain countries for *not* allowing intercepts, see
http://www.voip-news.com/feature/skype-calea-compliance-061206/).

One view is that Skype has such an intercept capability and publicly argues
against a broader CALEA only to keep up this ruse. I cannot disprove such a
hypothesis.

As a software engineer, I have very little confidence in the output of
software engineers, so of course I would never choose to risk anyone's life
on the trustworthiness of Skype (or anything else). But it is not clear to
me that Skype presents anything resembling an extraordinary risk above and
beyond that carried by the rest of the computing base. This is in part an
indication of the sad state of affairs in software security (as I said
above, far more basic trust decisions that are necessary to protect oneself
are beyond the reach of all but the savviest of non-expert users).

I don't mean to say that anyone is wrong in declaring Skype "unsafe"--to the
contrary, I wish merely to refine, in more practical terms that ordinary
users can understand, exactly what "unsafe" means.

Dan

(Regarding the more technical questions, Skype's design--in particular the
by-design use of anonymous "supernodes" to enable NAT traversal--does mean
that traffic could be redirected through some government intercept node
without it being immediately obvious to the user. Of course, most users are
unable to look for this, but a few are, and so Skype stymies what analysis
might otherwise take place. But in comparison, *hosted* services can
intercept by design. The main criticism of Skype seems to be that it might
be as weak as hosted services, not that it's any weaker. I think there's a
good argument here that Skype is advertised as encrypted end-to-end when
there's a (slim, I think) chance that it may not be, but it's important for
lay users to understand that when a geek says "Skype is unsafe" he does not
mean "as distinct from GMail, which is A-OK!")

On Sat, Mar 5, 2011 at 4:53 AM, <liberationtech at lewman.us> wrote:

> On Fri, Mar 04, 2011 at 04:56:58PM -0500, the.magical.kat at gmail.com wrote
> 3.5K bytes in 90 lines about:
> : The short answer is no. The long answer is that it depends on who you
> want to
> : be safe from.
>
> To back up Katmagic's thoughts with some published research into the
> security of Skype:
>
> For general results:
> https://encrypted.google.com/search?q=skype+security+analysis
>
> For academic analysis:
> http://scholar.google.se/scholar?q=skype+security+analysis
>
> And then there's the simple attack of a parabolic microphone across
> the street.  Understanding your adversary matters.
>
> --
> Andrew
> pgp key: 0x74ED336B