Skype publishes security white paper
Finally we have the word of a third-party security consultant, Tom Berson, who has reviewed the Skype source code and encryption system.
His bottom line:
The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently. As a result, the confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments.
Get the full report here.
I met Tom last month and we chatted about his work. He is a really great guy.
I will follow up next week with some interviews of security staff at some Fortune 500 companies who have wanted to deploy Skype, but were waiting for a report such as this. Will this report satisfy their requirements? Watch this space.


Comments
I know they got a new President, did they also get someone intelligent working in their marketing department!?
This is a very good move by Skype, emphasising the security of the system will balance some of the non-standards-based criticisms. I hope Mr Berson has sufficient 'gravitas' to carry the day.
I have always felt that the security aspects, particularly PKI, were one of Skype's stronger points, yet it was being misrepresented by many so-called experts in the IT press.
Posted by: Paul Jardine | October 21, 2005 10:41 AM
Skype was and is closed source, and its security by obscurity must therefore be seen as potentially insecure. Reliable cryptography is open source, so why doesn't Skype make its source public?
Posted by: M. | October 21, 2005 11:15 AM
Hey Paul!
Welcome back. I agree with you this is a very good move by Skype. About a month ago I met Kurt, Skype's head of security. Another real gentleman! They need more like him in Skype.
I think Tom has the 'gravitas' to carry the day. We will soon find out. There are 3 Fortune 50 companies who are waiting for this report. If they deploy Skype then Tom's report card will carry the day.
Thanks for stopping by...
Regards, Bill
Posted by: Bill Campbell | October 22, 2005 06:06 PM
I do not believe this report will negate concern much, as it is incomplete at best. More on this here:
http://forum.skype.com/viewtopic.php?t=38123
Posted by: MuppetMaster | October 24, 2005 06:32 AM
I will be waiting for a killer report written by an external independent entity, trying to prove that certain Skype features are not safe.
I have always had trouble believing what the in-house "independent" analyst had to say on a product.
It's a nice report yes. It is also good public relations.
Did somebody forget to mention the dual, triple and so on logon feature, and the fact that on the hard disk you can easily retrieve the email address of any Skype account that ran on a computer, followed by the fact that the emails with the password still get sent in clear text?
Apart from that all is perfect.
Posted by: Jan Geirnaert / Tropicaljantie | October 24, 2005 09:17 AM
Ah, the timing could not be more appropriate. Indeed, this entirely invalidates the so-called 'security' report:
http://forum.skype.com/viewtopic.php?t=38499
Posted by: MuppetMaster | October 26, 2005 09:22 AM