Privacy group demands answers from Skype

Lobby group Privacy International is demanding Skype improves its VoIP service to properly protect the privacy of its users. PI said it had reviewed Skype's security and had specific concerns including the VoIP service's use of full names on the contact list, which makes it easy for people to impersonate others. The lack of …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Really?

    Does the group really have a grasp on security?

    You can hide your full name from the contact list, and it has little to do with impersonation.

    You can make HTTPS downloaders which download from your own server, which is a doddle, especially for somebody interested in making malicious software.

    Codecs fair enough.

    1. The Original Ash
      FAIL

      Grok fail

      Full names being displayed isn't the issue they are referring to. The issue is that I can set up a Skype account *with your name* and others can search for it. Unless there's some other authentication vector, that's it; I am you to that person, and I am you to anybody listening in to the conversation.

  2. Gordon 10

    I'm confused

    Are PI saying that phrases are identifiable AFTER Skype's encryption is added?

    If the encryption is an integral part of the codec then this is a major fail for Skype.

    If PI's tests were based on a pre-encrypted stream it seems like a non-argument.

    Will be interesting to see which.

  3. Steve Potter
    WTF?

    why are they concerned

    I thought Skype was used to connect you with family and loved ones across the world for free?

    or am I wrong?

    If it is for secure communications, wouldn't terrorists use it to avoid wire tapping etc.? After all, a few phones from 3 have Skype onboard... so calls are both free and secure... blimey!

    Better to have no encryption, methinks. I personally couldn't care if anyone listened in to my Sunday morning chats to my daughter in Australia; they would soon get bored.

    1. The Original Ash
      Thumb Down

      Re: why are they concerned

      Skype is "used to connect you with family and loved ones across the world for free" in the same way that BitTorrent is used to distribute Linux ISOs, VCRs are used to record TV shows for later viewing and personal use only, and the road network is used by properly licensed drivers with tax-paid vehicles either below or at the speed limit.

      The technology is separate from the use; don't make the mistake of Big Media and confuse the two.

  4. Liassic
    Stop

    Reach out?

    Any company that "reaches out" to people needs a kicking.

  5. Steve 53

    Re Gordon 10

    "Are PI saying that phrases are identifiable AFTER Skype's encryption is added?

    If the encryption is an integral part of the codec then this is a major fail for Skype.

    If PI's tests were based on a pre-encrypted stream it seems like a non-argument."

    I think what they're trying to say is that because a variable bitrate compression algorithm is used, you'll get variable bitrates of the ciphertext (ciphervoice?). You can then analyse when it was at low levels (quiet) vs high rates (speaking) and try and use the length of the words to identify phrases.

    I don't believe codecs generally used by more standards-compliant SIP solutions tend to use variable bitrate, e.g. G.711 certainly doesn't, so if a good crypto wrapper (e.g. TLS with a decent cipher) is applied around this codec then the same sort of attack wouldn't be possible.

    Interesting attack vector.

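The length leak Steve 53 describes, shown as an added example that is not from the thread, from PI's review or from Skype: a constructed toy model of a variable-bitrate codec (speech frames large, silence frames small, byte counts made up), a toy length-preserving cipher standing in for a stream cipher or CTR mode, and the mitigation that pads every frame to one fixed size so the encrypted stream has the constant-bitrate shape the post attributes to G.711. The observer sees only packet lengths; with VBR it recovers the talk/quiet pattern exactly, with padding it learns nothing.

```python
import hashlib

# Constructed toy model of a variable-bitrate (VBR) voice codec.  A frame of
# speech compresses to many bytes, a frame of silence to very few.  The byte
# counts are made up for illustration; only the size difference matters.
SPEECH_FRAME_BYTES = 40
SILENCE_FRAME_BYTES = 6
# Fixed packet size for the padded variant: room for any frame plus the
# one-byte length prefix the receiver uses to strip the padding again.
CONSTANT_PACKET_BYTES = 48


def vbr_encode(activity):
    """Turn a string of 'S' (speaking) / 'Q' (quiet) markers into codec frames.
    Frame contents are filler; the observer never sees them, only their length."""
    return [bytes([0x55]) * (SPEECH_FRAME_BYTES if a == "S" else SILENCE_FRAME_BYTES)
            for a in activity]


def keystream(key, counter, length):
    """Toy keystream: SHAKE256(key || frame counter).  Stands in for a stream
    cipher or CTR mode; the per-frame counter keeps keystreams from repeating."""
    return hashlib.shake_256(key + counter.to_bytes(4, "big")).digest(length)


def encrypt(frame, key, counter):
    """Length-preserving encryption: the ciphertext is exactly as long as the frame,
    which is the property that lets packet sizes leak through the encryption."""
    return bytes(a ^ b for a, b in zip(frame, keystream(key, counter, len(frame))))


decrypt = encrypt  # XOR with the same keystream undoes itself


def pad_to_constant(frame):
    """Mitigation: prefix the true length and pad every frame to one fixed size,
    so on the wire the stream looks like a constant-bitrate codec."""
    assert len(frame) < CONSTANT_PACKET_BYTES
    body = bytes([len(frame)]) + frame
    return body + b"\x00" * (CONSTANT_PACKET_BYTES - len(body))


def unpad(padded):
    """Receiver side: recover the original frame from a padded packet."""
    return padded[1:1 + padded[0]]


def observed_sizes(activity, key, pad=False):
    """Everything a passive observer on the network gets: the packet lengths."""
    frames = vbr_encode(activity)
    if pad:
        frames = [pad_to_constant(f) for f in frames]
    return [len(encrypt(f, key, i)) for i, f in enumerate(frames)]


def infer_activity(sizes):
    """Observer's reconstruction of the talk/quiet pattern from sizes alone.
    Returns None when every packet is the same size, i.e. nothing is leaked."""
    lo, hi = min(sizes), max(sizes)
    if lo == hi:
        return None
    threshold = (lo + hi) / 2
    return "".join("S" if n > threshold else "Q" for n in sizes)


def roundtrip_ok(activity, key):
    """Check that padding plus encryption is fully reversible for the receiver."""
    for i, frame in enumerate(vbr_encode(activity)):
        packet = encrypt(pad_to_constant(frame), key, i)
        if unpad(decrypt(packet, key, i)) != frame:
            return False
    return True


if __name__ == "__main__":
    key = b"\x42" * 32  # constructed key, fixed so the run is repeatable
    pattern = "SSQQQSQSS"
    print("VBR, encrypted:   ", infer_activity(observed_sizes(pattern, key)))
    print("Padded, encrypted:", infer_activity(observed_sizes(pattern, key, pad=True)))
```

The point the example makes is the one in the post: encryption hides what is said in each packet but not how long the packet is, so a codec whose output size tracks speech activity leaks that activity to anyone watching the wire. Padding to a constant size (or a constant-bitrate mode) costs bandwidth but removes the signal; the receiver still recovers every frame, as roundtrip_ok shows.
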
  6. K. Adams
    FAIL

    "lack of HTTPS D/L service ... [could] [trick] ... people [to install] ... Trojan..."

    Huh...?

    One has nothing to do with the other.

    If Skype's download repository (or, for purposes of discussion, any other download site offering the Skype client) is compromised, and the real version is replaced with a Trojan-ized copy, HTTPS won't matter a hill-o'-beans...

    As always, the best defence is to download software from trusted sites only, and to examine the URL of the download link in the browser Status bar (if possible) to see if it directs you to somewhere suspicious.

    1. Buzzword
      Boffin

      China, dodgy internet cafes

      HTTPS doesn't protect you from a compromised download repository. What it protects against is a man-in-the-middle attack. If you travel to China and want to download Skype while you're there, how do you know that www.skype.com in China isn't being secretly redirected to their own spyware-infected variant?

      Think what happens when you try to connect to the internet in an airport or in Starbucks. You connect OK, no wifi password needed. Then you go to www.google.com and hey presto, you're redirected to the hotspot payment page. Worse still, you might think you're connecting to the internet in Starbucks when in fact you're connecting to the wifi network provided by the C.I.A. van parked outside. Before you know it you've downloaded a bugged copy of Skype and your terrorism plans / freedom-fighting plans are ruined.

      Looking at the URL doesn't protect you if you can't trust the network operator. The operator can serve up whatever they want, without telling you. Only HTTPS can protect against this kind of attack.

      1. K. Adams
        Boffin

        @Buzzword: "What it protects against is a man-in-the-middle attack."

        It depends on the "kind" of man-in-the-middle attack.

        If you inserted yourself between a bunch of downloaders' machines and the HTTPS site in question, and sent a forged certificate in response to their HTTPS requests (which would very likely set off alarm bells in the downloaders' browsers), I expect a fair proportion of the downloader population would click "Go Ahead Anyway" in their bewilderment.

        Some browsers, especially Firefox, actually do try to make browsing an HTTPS site with an invalid cert more "difficult" by requiring users' express acknowledgement. The problem, though, is that ** explaining to average users what's actually happening ** (and in "plain" language) when their browsers warn them about invalid certificates takes a fair amount of linguistic finesse, which many of us (myself included) often do not have...

      2. Mark 65

        Re:dodgy internet cafes

        "HTTPS doesn't protect you from a compromised download repository. What it protects against is a man-in-the-middle attack."

        Doesn't that tend to rely on the trusted certification authorities' certificates installed on the machine? If one happens to be the Govt of China, will that not make man-in-the-middle possible unless you inspect every certificate?

  7. lglethal Silver badge
    FAIL

    Interesting comment at the end...

    "Privacy International has not been in touch with us..."

    So Privacy International are getting all worked up about this, and complaining to the media, without even contacting Skype first???

    Surely the first thing you would do is contact Skype, tell them your concerns and see what they say. For all we know, Skype could have turned around and gone "My god, you're right, we need to fix this!" or they could have turned around and gone "Get nicked! We don't care about privacy!" Depending on the answer you get there, maybe then go and talk to the media. But going to the media first really stinks of attention-seeking media whoring to me!!!

    1. Anonymous Coward
      Flame

      @lglethal

      And obviously we should believe Skype when they say they haven't been contacted by PI. Felt more like a "we know already what they've said, but as it potentially embarrasses us we're gonna feign ignorance at this time" statement.
