Well, I think Skype is also truly Peer to Peer, no? It doesn't go through some centralized switch or server. That means it can only be monitored at the endpoints, even when it's unencrypted.
-Emory

From: Eugen Leitl <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Terrorists don't let terrorists use Skype
Date: Thu, 27 Jan 2005 15:02:56 +0100

From: Adam Shostack <[EMAIL PROTECTED]>
Date: Tue, 11 Jan 2005 10:48:12 -0500
To: David Wagner <[EMAIL PROTECTED]>
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
From [EMAIL PROTECTED]  Thu Jan 27 01:04:39 2005
User-Agent: Mutt/1.4.2i

On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| In article <[EMAIL PROTECTED]> you write:
| >Voice Over Internet Protocol and Skype Security
| >Simson L. Garfinkel
|
| >http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf
|
| >Is Skype secure?
|
| The answer appears to be, "no one knows". The report accurately reports
| that because the security mechanisms in Skype are secret, it is impossible
| to analyze meaningfully its security. Most of the discussion of the
| potential risks and questions seems quite good to me.
|
| But in one or two places the report says things like "A conversation on
| Skype is vastly more private than a traditional analog or ISDN telephone"
| and "Skype is more secure than today's VoIP systems". I don't see any
| basis for statements like this. Unfortunately, I guess these sorts of
| statements have to be viewed as blind guesswork. Those claims probably
| should have been omitted from the report, in my opinion -- there is
| really no evidence either way. Fortunately, these statements are the
| exception and only appear in one or two places in the report.


The basis for these statements is what the other systems don't do.  My
Vonage VOIP phone has exactly zero security.  It uses the SIP-TLS
port, without encryption.  It doesn't encrypt anything.  So, it's easy
to be more secure than that.  So, while it may be bad cryptography, it
is still better than the alternatives.  Unfortunately.

Adam


--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


----- Forwarded message from Peter Gutmann <[EMAIL PROTECTED]> -----


From: [EMAIL PROTECTED] (Peter Gutmann)
Date: Wed, 12 Jan 2005 05:00:29 +1300
To: [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute

David Wagner <[EMAIL PROTECTED]> writes:

>>Is Skype secure?
>
>The answer appears to be, "no one knows".

There have been other posts about this in the past, even though they use
known algorithms the way they use them is completely homebrew and horribly
insecure: Raw, unpadded RSA, no message authentication, no key verification,
no replay protection, etc etc etc. It's pretty much a textbook example of the
problems covered in the writeup I did on security issues in homebrew VPNs
last year.


(Having said that, the P2P portion of Skype is quite nice, it's just the
security area that's lacking. Since the developers are P2P people, that's
somewhat understandable).


Peter.



----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net
