btw even if it's a side channel it's still extremely bad. Consider SSL URLs
with passwords in them; the privacy of the URL visited (including path
inside the domain) often reveals a lot itself. How well is Skype/Microsoft
securing this db? What if some hackers break in and steal the db? It's
probably got quite a few passwords in it. Is Skype/Microsoft's HEAD-issuing
server doing proper cert validation and pinning? Probably not. You can see
in some jurisdictions the interest in places with bad censorship records -
Iran etc. they are actively hacking into people's web mail, social media
accounts. Clearly it's not going to be that successful to get passwords as
often a password would not go in the path, using POST arguments. But
leaking SSL & HTTP URLs via a side channel is a significant privacy invasion
even if that is the extent. Probably it's more and they have MITMed the
connection. Anyone want to check using the below method so we can put that
part to bed?
Adam
On Mon, May 20, 2013 at 08:02:26PM +0200, Adam Back wrote:
The user, encrypted with their password. It's roamable but the keys were
end2end encrypted with the user password. The independent audit Skype paid
for of their crypto design is probably still online. (Though possibly no
longer valid).
We don't know if they are uploading the URLs over a side channel for
anti-malware or pulling them out of the MITM stream on the server. I think
you could tell simply without reverse engineering: just paste lots of long
URLs and sniff the traffic volume vs pasting lots of the same amount of text
without URLs. Someone want to try that before they take it down?
Adam
On Mon, May 20, 2013 at 10:46:11AM -0700, Jonathan Thornburg wrote:
On Mon, 20 May 2013, Jeffrey Walton wrote:
The original Skype homepage (circa 2003/2004) claims the service is
secure: "Skype calls have excellent sound quality and are highly
secure with end-to-end encryption."
(http://web.archive.org/web/20040701004241/http://skype.com/).
But who had (has) the keys to that encryption?
--
-- "Jonathan Thornburg [remove -animal to reply]"
<jth...@astro.indiana-zebra.edu>
Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
on sabbatical in Canada starting August 2012
"Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
-- quote by Freire / poster by Oxfam
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography