On 20/05/13 21:02 PM, Adam Back wrote:
> The user, encrypted with their password.  It's roamable but the keys were
> end2end encrypted with the user password.  The independent audit Skype paid
> for of their crypto design is probably still online.

By Tom Berson, 2005. I do not know the gentleman but I am told by at least one person (prolific contributor and very knowledgeable security guy) that Tom is the business.

http://download.skype.com/share/security/2005-031%20security%20evaluation.pdf

> (Though possibly no longer valid).


Just on that point: An audit is always a point-in-time check. It is a reflection of the past, and not a prediction of the future. It is an indication that an external review found that what Skype said up until the end of the review was aligned with what they were doing internally.

So, the review is not "invalid". And, even when Skype changes its model, the review remains valid.

The public perception is that a review is some form of guarantee of future behaviour, but it is not. Auditors will engage in their own forms of deception by letting that public perception permeate the minds, but their TOS (again!) and other documentation will clearly state that it is always about the past.

Where it does affect the future is that it presents the company with a choice to get better from their record. Or worse. Which is precisely the place Skype finds itself in...


> We don't know if they are uploading the URLs over a side channel for
> anti-malware or pulling them out of the MITM stream on the server.  I think
> you could tell simply without reverse engineering: just paste lots of long
> URLs and sniff the traffic volume vs pasting lots of the same amount of
> text without URLs.  Someone want to try that before they take it down?


Good point.  Facts are important.




iang
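The measurement Adam Back proposes above (compare egress volume when pasting long URLs against pasting the same amount of plain text) can be scored once per-destination flow summaries from the two runs are in hand. The script below is an added example written for this thread, not code from either poster: it parses constructed flow records (trial id, condition, destination, bytes out), averages outbound bytes per destination under each condition, and flags any destination whose volume rises with URL content. The host names are placeholders and the byte counts are made up to illustrate the pattern; capturing the real flow summaries is left to whatever sniffer the tester prefers.

```python
"""
Differential traffic-volume check for a suspected client-side URL side channel.

Added example, not part of the mailing-list thread. It scores the experiment
described above: messages containing long URLs vs. equal-length messages
without URLs, compared per destination host. SAMPLE_FLOWS is constructed
sample data and the host names are placeholders (assumptions, not captured).
"""
from collections import defaultdict
from statistics import mean

# Constructed flow-summary lines: "<trial_id> <condition> <dst_host> <bytes_out>"
# condition is "url" (pasted long URLs) or "text" (same-length text, no URLs).
SAMPLE_FLOWS = """\
1 url chat.example.invalid 4120
1 url scan.example.invalid 2310
2 url chat.example.invalid 4098
2 url scan.example.invalid 2290
3 url chat.example.invalid 4133
3 url scan.example.invalid 2355
1 text chat.example.invalid 4105
1 text scan.example.invalid 140
2 text chat.example.invalid 4117
2 text scan.example.invalid 152
3 text chat.example.invalid 4090
3 text scan.example.invalid 131
"""


def parse_flows(text):
    """Return {condition: {dst_host: [bytes_out, one entry per trial]}}."""
    flows = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip():
            continue
        _trial, cond, host, nbytes = line.split()
        flows[cond][host].append(int(nbytes))
    return flows


def excess_by_destination(flows, min_ratio=1.5):
    """
    For each destination seen under both conditions, compare mean egress
    bytes with and without URLs. A destination is flagged when the URL
    condition carries at least `min_ratio` times the control volume; the
    chat server itself should sit near 1.0 because the payload lengths match.
    """
    report = {}
    for host in set(flows["url"]) & set(flows["text"]):
        url_mean = mean(flows["url"][host])
        text_mean = mean(flows["text"][host])
        ratio = url_mean / text_mean if text_mean else float("inf")
        report[host] = {
            "url_mean": url_mean,
            "text_mean": text_mean,
            "ratio": ratio,
            "flagged": ratio >= min_ratio,
        }
    return report


def suspected_side_channels(text, min_ratio=1.5):
    """Sorted names of destinations whose egress volume tracks URL content."""
    report = excess_by_destination(parse_flows(text), min_ratio)
    return sorted(host for host, r in report.items() if r["flagged"])


if __name__ == "__main__":
    for host, r in sorted(excess_by_destination(parse_flows(SAMPLE_FLOWS)).items()):
        mark = "  <-- volume tracks URL content" if r["flagged"] else ""
        print(f"{host}: url={r['url_mean']:.0f}B text={r['text_mean']:.0f}B "
              f"ratio={r['ratio']:.2f}{mark}")
```

Two caveats when running this against a real capture: keep the URL and control messages the same byte length so the main chat stream is a fair baseline, and repeat each condition several times, because encrypted transports often pad or batch records and a single trial can land on a block boundary. A destination that only appears in the URL runs, or whose volume scales with the number of distinct URLs pasted, is the signal the proposed experiment is looking for.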
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
