Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The Sky(pe) is falling! Skype moves to the cloud, but what about security?

Glenn Fleishman | Aug. 3, 2016
Microsoft's move of Skype to the cloud comes with a continuing lack of disclosure on security and privacy.

Many network endpoints were (and still are) hidden behind network address translation (NAT), which allows a single public Internet address to be shared by any number of privately internally routed addresses. Nearly all home and business networks are set up this way, because a public Internet address can expose a system to more risk, and because the old-style addresses still in use are scarce and thus expensive to obtain. (Old-style addresses use IPv4, a decades-only standard; IPv6, developed almost 20 years ago, is still making inroads and will solve scarcity and other problems.)

Skype's inventors got around this problem with supernodes, which until 2012 were any Skype user's copy of the program that was on a publicly addressed network segment. (You can read this very detailed examination for more.) The supernodes would let Skype software that couldn't directly reach other software connect, but at least at times would also route portions of calls and files transferred. In areas with poor connectivity, peer-to-supernode connections could act like a smaller pipe connected to a bigger one, allowing communications where a direct route to a data center wouldn't have worked.

According to an analysis by a researcher in 2006, a supernode could carry up to about 100Kbps of data to route calls and file transfers, too, although the median use was 60Kbps when relaying data. (The researcher was then at Cornell University and collaborated with two Google researchers; now he's at Microsoft Research.)

Couldn't supernodes enable snooping? Not precisely, but it didn't hurt, either.

Look, up in the cloud! It's a supernode!

Skype was designed from the start with what was then robust end-to-end encryption. Data sent between two peers was encrypted so that only each recipient's software could unscramble it, making it essentially safe to pass through other supernodes. Supernodes, if monitored, could tap information about end points IP addresses and other details, but little else.

However, Skype has only ever revealed sketchy details about its system. On its site, there's only this thin page. Apple, often seen as very tight-lipped, has a 63-page PDF detailing iOS security, including iMessage. The Electronic Frontier Foundation (EFF) gave Skype an extremely poor score in evaluating messaging safety as a result; Apple's is much higher.

What's known is that each Skype client is issued a private/public key pair using public-key cryptography. If implemented well, communications between any set of clients all using Skype should be effectively impossible to listen in on. However, there's a flaw. Skype issues the digital certificates that validate legitimate access to an app's private key in such a way that it's possible for Skype to create any number of additional certificates that also pass muster.

 

Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.