German Govt. Skype Interception Trojans Revealed
James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutor's office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by eBay, Inc.) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."
It's NOT the German gov,... (Score:5, Informative)
http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102375/;words=Skype [heise.de]
http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102485/;words=Skype [heise.de]
Skype is not securely encrypted. (Score:5, Informative)
It is less likely that thieves and spies, etc., will be able to eavesdrop on your Skype conversations than with a plain old phone. But don't treat it as secure communications.
http://en.wikipedia.org/wiki/Skype [wikipedia.org]
Re:Man-in-the-middle against SSL? (Score:3, Informative)
Re:The classic /. question..... (Score:2, Informative)
Re:Man-in-the-middle against SSL? (Score:1, Informative)
Usually this can be detected because the certificate is not going to match the remote site. However, it depends on how Skype is implemented. Skype may not check that the cert matches, or maybe if the snoopers were somehow able to get a valid cert from one of the trusted CAs then the user would never know.
Generally speaking most developers implement their crypto poorly and it wouldn't surprise me if Skype has problems.
In this case it sounds like they are doing stuff locally on the client machine (via trojan) so they pretty much have free rein to do anything. I don't even know why they would need to do a man-in-the-middle attack.
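The two failure modes the comment above describes (a client that never checks the certificate matches the host, and an interceptor holding a valid certificate from some trusted CA) are what hostname verification and certificate pinning exist to catch. The following is an added example, not code from the post or from Skype; the certificate dictionary mirrors the shape Python's `ssl.SSLSocket.getpeercert()` returns, the hostnames are made up, and the DER byte strings are constructed stand-ins rather than real certificates.

```python
import hashlib
from typing import Iterable, Mapping

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# validated peer certificate. Hypothetical names, not a real Skype certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "voice.example.net"),),),
    "subjectAltName": (("DNS", "voice.example.net"), ("DNS", "*.example.net")),
}

# Constructed stand-ins for DER-encoded certificates (not real ASN.1).
GOOD_DER = b"constructed-der-bytes-for-the-genuine-server-certificate"
MITM_DER = b"constructed-der-bytes-for-an-interceptor-certificate-same-name"

# Pins an application would ship: SHA-256 of the expected certificate(s).
PINNED = [hashlib.sha256(GOOD_DER).hexdigest()]


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: a wildcard is only honoured as the entire
    leftmost label, so *.example.net covers a.example.net but neither
    example.net nor a.b.example.net."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Mapping, hostname: str) -> bool:
    """True if hostname is covered by a DNS subjectAltName entry. Only when the
    certificate carries no DNS SAN at all do we fall back to commonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_label_matches(san, hostname) for san in sans)
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn
           if kind == "commonName"]
    return any(_label_matches(cn, hostname) for cn in cns)


def pin_matches(cert_der: bytes, pinned_sha256_hex: Iterable[str]) -> bool:
    """Certificate pinning: the peer certificate must hash to one of the pins
    the client ships. A certificate for the right name but issued by a
    different CA passes chain validation yet fails here."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return digest in {p.lower() for p in pinned_sha256_hex}


def accept_peer(cert: Mapping, cert_der: bytes, hostname: str,
                pins: Iterable[str]) -> tuple:
    """Combined decision a client should make after the TLS chain validated.
    Returns (accepted, reason)."""
    if not hostname_matches(cert, hostname):
        return (False, "hostname mismatch")
    pins = list(pins)
    if pins and not pin_matches(cert_der, pins):
        return (False, "pin mismatch")
    return (True, "ok")


if __name__ == "__main__":
    print(accept_peer(SAMPLE_CERT, GOOD_DER, "voice.example.net", PINNED))
    # Interceptor presents a CA-signed cert for the correct name: only the pin catches it.
    print(accept_peer(SAMPLE_CERT, MITM_DER, "voice.example.net", PINNED))
    # Without pins the client is trusting the CA set alone.
    print(accept_peer(SAMPLE_CERT, MITM_DER, "voice.example.net", []))
```

The last two calls in the usage block show the comment's point: a client that ships no pins accepts any certificate the trusted CA set vouches for, so an interception box with a valid certificate is indistinguishable from the real endpoint at the TLS layer, while a pinned client rejects it.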
Maybe, but... (Score:3, Informative)
Re:Skype is not securely encrypted. (Score:3, Informative)
It's nice that Skype is at least smart enough not to use DES, or ROT-13. AES is good encryption.
I couldn't agree with you more.
You put "independent" in quotes. After reading the PDF you linked to, I could see why. From the PDF:
Skype thinks they are hiring an independent evaluator? I wonder how many independent evaluators they had to go through before they found one who was confident in Skype's security, so that they could display how secure they are.
So to summarize, we have:
+ Skype uses a good, open, proven (no exploits yet) cryptographic algorithm
+ No security flaws have been found in Skype
+ Some guy who works for Skype testifies that Skype is good, solid code (it's worth something)
- The implementation is closed-source. Skype even goes so far as to obfuscate their code
- No independent evaluations have been done on Skype's source code
- Skype does not know what an independent evaluation is
I would recommend against using Skype if security is an issue.
Re:Skype is not securely encrypted. (Score:3, Informative)
However, before everyone rushes to judgment -- the guy who did the evaluation appears to have impressive credentials for assessing the effectiveness of implementation of encryption algorithms.
Check out his page: http://www.anagram.com/berson/ [anagram.com]
In my opinion, as a crypto dilettante, this guy Tom Berson is the real deal.
Of course, Skype showed him selected parts of the code, which may or may not be in the final product. I think the more rational among us who are interested in secure communications will generally sacrifice convenience (which Skype clearly offers) for security, and use another product which may be peer reviewed. It's also interesting to follow the money -- perhaps we could look into why eBay paid US$2.6 billion for Skype, then two years later wrote off US$1.43 billion -- one wonders if there is some US government interest served by a large USA corporation having control over the closed-source Skype code.
Having said that, I am still a heavy Skype user, and will continue to use it, as it is sufficient for my needs.