There is a lot of excitement about having a mobile Skype application that can now take advantage of the cellular network you are on. Until recently, it had been available only for use over a broadband or other fixed wireless connection.
Will users gain the benefit of being able to make reduced price phone calls? Very likely.
Will they risk giving up some additional privacy in doing so? Also very likely.
Will most people care? Probably not.
I will disclose that I am not wearing my tin foil hat as I type this, but, as I see it, the limited benefits of Skype just don’t warrant the risk of its use.
My Skype issues short list:
- Skype communicates more like your computer than your traditional phone
- A basic Peer to Peer connection is made between you and whomever you call (the Peer). However some peers are “SuperNodes” and they are bad, bad, bad, bad, bad.
Let me break down my concerns with each of these:
1. Skype communicates more like your computer than your traditional phone
This happens to be part of my biggest concern with Skype since its inception. The Skype API is specifically written to “trick” firewalls to make it easier to use the application in environments with typical security controls in place.
For example, most businesses will have rules that only allow certain applications to access the Internet. In most cases, an end-user PC will not have direct access to the Internet and will go through a proxy device. The trick used by VoIP software consists of persuading the firewall that a connection has been established, to which it should allocate subsequent incoming data packets. The fact that audio data for VoIP is sent using the connectionless UDP protocol acts to Skype’s advantage. In contrast to TCP, which includes additional connection information in each packet, with UDP, a firewall sees only the addresses and ports of the source and destination systems. If, for an incoming UDP packet, these match a NAT table entry, it will pass the packet on to an internal computer with a clear conscience. (full explanation by Jurgen Schmidt)
In my world, this is called a trojan or worm. However, since the software is installed by the end user and (presumably) the terms are agreed to upon installation, this is an infection that people are consciously welcoming to their PCs.
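The NAT behaviour described in point 1, modelled as an added example (not code from the original post or from Skype): a stateful NAT matches an incoming UDP datagram on addresses and ports only, so one outbound datagram is enough for later inbound traffic from that peer to be forwarded as if it were a reply. The addresses, ports, the port-preserving mapping and the 30-second idle timeout are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

UDP_ENTRY_TTL = 30.0  # seconds an idle mapping is kept (assumed value)


@dataclass
class UdpNat:
    """Minimal stateful NAT for UDP: it tracks flows, not connections."""
    public_ip: str
    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port, last_seen)
    table: dict = field(default_factory=dict)

    def outbound(self, src, dst, now):
        """An inside host sends a datagram; the NAT records the flow it saw."""
        key = (src[1], dst[0], dst[1])  # port-preserving mapping for simplicity
        self.table[key] = (src[0], src[1], now)
        return (self.public_ip, src[1]), dst

    def inbound(self, src, dst, now):
        """Return the inside host the datagram is forwarded to, or None if dropped."""
        if dst[0] != self.public_ip:
            return None
        key = (dst[1], src[0], src[1])
        entry = self.table.get(key)
        if entry is None:
            return None  # no matching entry: unsolicited traffic is dropped
        inside_ip, inside_port, last_seen = entry
        if now - last_seen > UDP_ENTRY_TTL:
            del self.table[key]  # idle mapping expired
            return None
        # UDP has no handshake or sequence numbers to check, so a tuple match
        # is all the device can verify before forwarding.
        self.table[key] = (inside_ip, inside_port, now)
        return (inside_ip, inside_port)


def demo():
    """Constructed scenario: one inside host, one peer, one unrelated sender."""
    nat = UdpNat("203.0.113.10")
    inside, pub = ("192.168.1.20", 40000), ("203.0.113.10", 40000)
    peer, other = ("198.51.100.7", 50000), ("198.51.100.99", 50000)
    r = {}
    r["unsolicited"] = nat.inbound(peer, pub, now=0.0)
    nat.outbound(inside, peer, now=1.0)  # the peer need not receive or answer this
    r["after_outbound"] = nat.inbound(peer, pub, now=2.0)
    r["third_party"] = nat.inbound(other, pub, now=3.0)
    r["after_timeout"] = nat.inbound(peer, pub, now=40.0)
    return r
```

The table entry and its idle timeout are the only state the device holds for UDP, which is why a mapping that is never refreshed stops forwarding and why a sender with a different address is still dropped.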
2. A basic Peer to Peer connection is made between you and whomever you call (the Peer). However some peers are “SuperNodes” and they are bad, bad, bad, bad, bad.
In simplest terms, a Peer to Peer connection is not as direct as most would initially believe. There are many devices in the path of your connection that intercept at least parts of your transmission. What makes this particularly alarming is twofold:
- Some Skype “peers” are actually “super-nodes.” When Skype is run on a computer that has a public IP address and is not otherwise behind a firewall, it can become a “super-node.” These computers are used as rendezvous points so that computers behind firewalls can receive connections from other Skype users. Although Skype refuses to explain the details of their protocol, it is likely that computers behind firewalls scan the Internet looking for super-nodes, then form and maintain long-term connections with these other computers. The super-nodes then proxy connections to the encumbered connections behind the firewalls.
- There are (supposedly) countries who are actively working with Skype (or parent company eBay) regarding the interception of their encrypted communications. For example:
  - 2008 NYT Article – Canadian privacy group uncovers snooping of Skype and other forms of Internet communication in China. Not really surprised, are we?
  - SlashDot reveals German Govt Docs – Last year a lot was made of comments from Germany’s Ministry of Justice. Documents were found that detailed costs regarding interception boxes, key forwarding trojans and anonymous proxies to hide police communications.
  - In 2005 the New York Times ran articles on how post-9/11 security measures had also given the US Government powers to intercept IP communications.
While Skype clearly states that all communications are encrypted end to end, they seem to be playing a game of semantics there. Yes, it is encrypted, but it is also decrypted in the middle and very likely made available to parties with enough governing power, influence, or money to influence its use.
But wait, there’s more…
Even if you don’t have the money or power of a large government to request/buy the proprietary encryption algorithms from Skype, there is a new opportunity. Recent university papers sponsored by the National Science Foundation have found that the patterns of spoken words make breaking the encrypted traffic easier than with traditional data encryption techniques. See the paper by Wright, Ballard, Coull, Monrose, and Mason of Johns Hopkins, ‘Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations’.
So, will most people care? I still say probably not. However, I expect that most corporations and government agencies will, especially their security departments. I would not want an executive of a company speaking to an overseas bank about work they are doing for a large acquisition over this technology. There are too many parties that could have competing interests that would want to overhear parts of those conversations.
- If you really want to use Skype on your cell phone, do so with the understanding that your conversation “could” easily be monitored anywhere in the world.
- Do not use your Skype connection to conduct any business transactions.
- Do not discuss any work-related items over your Skype connection.
- If you are an IT or Security professional, educate your users on the issues with utilizing the technology.
Of course I expect someone to email me about cell phone encryption and mobile tower surveillance that occurs quite often in the US. That will have to be another post when I’ve sufficiently stocked up on tin foil.