Slashdot Mirror

← Back to Stories (view on slashdot.org)

Skype Security and Privacy Concerns

Posted by Zonk on from the conversations-can-hurt dept.

CDMA_Demo writes "Scott Granneman at Security Focus is discussing the security and privacy issues thanks to eBay's acquisition of Skype. Says the help section on Skypke's website: 'Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive, information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.' Scott Granneman debates that since Skype is owned by eBay and is closed source, we have no way of verifying this claim. Further, from the article: 'At the CyberCrime 2003 conference, Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.' This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.'"

11 of 128 comments (clear)

  1. 1.1 x 1077 keys? by TrevorB · · Score: 4, Funny

    All that new CSS and no superscripts?

  2. Isn't that the way ... by gregduffy · · Score: 5, Insightful

    [since it] is closed source, we have no way of verifying this claim

    isn't that the way with all closed source software?

    1. Re:Isn't that the way ... by DarkHelmet433 · · Score: 4, Interesting

      However, the real interesting thing is how does eBay, a US company, get around the US export restrictions? eg: it's been mentioned that 128 bit AES is the limit that you can get export approval for. Given skype's 256 bit AES, will eBay have to weaken it when they release it after the ownership transfer is complete?

      Or do they have wiggle room and claim that its produced offshore and therefore isn't exported from the US, even though its now owned by a US company? I doubt that will go down well with the powers-that-be, because (among other things) that will just encourage US companies to offshore all their products-with-crypto work to get around the regulations.

  3. OK, that's it by ObjetDart · · Score: 4, Funny
    I'm switching back to my regular phone.

    Oh, wait...

    --
    I read Usenet for the articles.
  4. Good encryption or not.. by lightyear4 · · Score: 4, Informative


    Good encryption or not, I'd be more worried about the recent moves of the FCC to allow law enforcement virtual wiretap access. Our freedoms have eroded enough as of late, and it is disconcerting to say the very least. Here is the relevant link from the article and from the eff

  5. Is there even a coherent thought here? by Ingolfke · · Score: 4, Insightful

    This post has to be one of the dumbest I've ever read. Because Skype's protocol isn't public and e-Bay shares information (whatever the hell that means) there's supposed to be some specific concerns because the two are now joined? I can see either point standing on its own as a potentially interesting topic, but how does verifying whether or not a piece of software actually uses the encryption schemes it says it does and a corporate policy to share information (note that would be information that is not encrypted and intended to be shared) tie together?

    1. Re:Is there even a coherent thought here? by Anonymous Coward · · Score: 5, Insightful

      Ok, well let me try to spell this out:

      Company A says they encrypt -- good for privacy. If anyone had data collected, it will be encrypted and thus a bit more meaningless. We cannot verify if Company A is telling the truth. Maybe there's encryption, maybe there's not. Not good for absolute privacy.

      Company B readily shares information with others. Not good for privacy at all.

      Company B purchases Company A -- so B, with its reputation to piss away your privacy now has a product that may or may not protect your privacy.

      With the way B has conducted business, it may be implied that A isn't trustworthy, regardless of wheter they do encryption or not...simply because at the hands of B, your data isn't sacred.

      Almost like a Microsoft buying Claria or something.

    2. Re:Is there even a coherent thought here? by temojen · · Score: 4, Interesting
      There are dual-recipient encryption systems. Scype could be using one to store the session key so Law Enforcement (with or without a warrant) can decrypt intercepted communications. Or just encrypting the session keys twice.

      It seems to me what the world (or at least tinfoil hatters and others, like lawyers and accountants, who handle confidential information) needs now is either
      1. A serverless, point-to-point, TLS with client key authentication Capable VOIP protocol, with multiple implementations, some of which are open source, or
      2. IPSEC protected SIP or H.323
  6. Skype vs eBay by lordsilence · · Score: 4, Interesting

    According to Zennström (co-founder of Kazaa and Skype) whose company skype recently got bought by eBay, Skype will still be run as a separate company by him as the head.

    So I kind of doubt he'll actively be doing stuff to endanger peoples privacy.
    It's worth mentioning that he left Kazaa BEFORE they became known as an adware-bloated software.

  7. Rub those elbows by MonGuSE · · Score: 5, Insightful

    Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.

    Another words we help you guys out in law enforcement alot when we shouldn't so please don't step in and bother us when you should. Its a win, win we can both screw the little people at the same time.

  8. 1024 bit is inadequate by cameldrv · · Score: 4, Insightful

    If you're actually worried about the government listening in, 1024 bit RSA is inadequate. Adi Shamir published a paper describing a device that for $1.1 million could crack 1024 bit RSA. You can bet that the NSA has a better device than that.