[IP] more on skype
Begin forwarded message:
From: Brad Templeton <btm@xxxxxxxxxxxxxx>
Date: August 13, 2005 4:21:55 PM EDT
To: David Farber <dave@xxxxxxxxxx>
Cc: Ip Ip <ip@xxxxxxxxxxxxxx>
Subject: Re: [IP] more on skype
What reason do we have to trust Skype's end-to-end encryption today?
Skype hasn't shown any inclination to describe either its protocol or
crypto implementation, much less release source code. Simson
Garfinkel's paper showed that Skype traffic is obscured, but his
findings give us no way to objectively assess actual security
provided. For all we know, Skype's use of crypto is as secure as
ROT13.
It bothers me how readily we forget WEP: An IEEE standards committee
concocted a system -- using fully buzzword-compliant crypto -- that
resulted in a standard that proved ineffective even against
lackadaisical attack.
If Skype cared about proving to its customers that its system was
secure, it would already have done so. Instead, it continues to
practice security through obscurity.
A false sense of security is worse than knowingly not having any.
Just because Skype says it offers encryption doesn't mean it provides
any real security at all.
Not only could this not be more wrong, it is this not uncommon view
that have given us the encrytion regime we have today -- namely almost
none of the world's traffic is encrypted, in the name of this concept
that somehow this is better than encryption of unknown quality.
It's not that I don't wish Skype's protocols were available for
scrutiny.
I do wish that, and I would have more faith in them if they were. But
that's _more_ faith, not a jump from 0% faith to 99% faith.
Skype's protocols have been examined by those skilled at cryptanalysis,
and so far no announced window into them has been found. This is not
everything but it is not nothing. And since I personally know Skype's
funders and know them to be men of honour, I have reasonable confidence
that there would not be deliberate backdoors in the system.
But in spite of the rant above, Skype has done more to deliver
encryption
into the hands of the masses than just about anybody. More than Phil
Zimmerman (which is not to say Phil's not a hero of this, but the
reality is that even he doesn't get very much PGP encrypted mail, and
most
people can be reasonably confident that Phil has a copy of PGP.)
Skype did this by doing ZUI encryption (Zero user interface.) Most of
the users of Skype are not aware or barely aware of the encryption.
And they encrypt by default. Frankly, today, use of PGP or other
encryption software singles you out as somebody who cares. Use of
encryption by you in Skype signifies nothing.
Encryption products should be strong, and should be subject to scrutiny
and verified. But they should also be used in the real world to encrypt
things!
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/