Skype is becoming more and more popular and the number of users is rapidly increasing, mainly because it is the first well-working VoIP application that lets one make free phone calls over the Internet. Video conferencing is also available on Windows and Mac OS X, and was recently added to the Linux port.

Skype is not only gaining ground in private use. Companies also use the software to hold meetings via video conference and as a company-wide communication platform. This is reason enough to look at the security of Skype.

Skype uses ports 80 and 443 (HTTP and HTTPS) for signalling and voice forwarding. Even if these ports are blocked, Skype has no problem working behind NAT routers or drilling holes through the corporate firewall. It does this with the STUN protocol and with tricky procedures that let UDP packets pass stateful firewalls.
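The STUN mechanism mentioned above is how a client behind NAT learns the public address and port that the router has mapped for it, which is the first step of UDP hole punching. The following example is added here to illustrate that exchange; it is not Skype's code and Skype's own protocol is closed. It builds a STUN Binding Request and a Binding Response carrying an XOR-MAPPED-ADDRESS attribute as laid out in RFC 5389, and parses the response back. The server side is simulated in-process with a constructed address, so nothing is sent on the network.

```python
import os
import socket
import struct

# RFC 5389 constants
STUN_MAGIC = 0x2112A442          # fixed magic cookie in every STUN header
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
XOR_MAPPED_ADDRESS = 0x0020      # attribute type carrying the reflexive address
HEADER_FMT = "!HHI"              # type, length, magic cookie (then 12-byte txn id)


def build_binding_request(txn_id=None):
    """Client side: 20-byte header with no attributes (random transaction id)."""
    if txn_id is None:
        txn_id = os.urandom(12)
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack(HEADER_FMT, BINDING_REQUEST, 0, STUN_MAGIC) + txn_id


def build_binding_response(txn_id, public_ip, public_port):
    """Server side (simulated): echo the transaction id and report the address
    the request was seen from, XORed with the magic cookie as RFC 5389 requires
    so that NAT devices doing ALG-style payload rewriting do not mangle it."""
    xport = public_port ^ (STUN_MAGIC >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ STUN_MAGIC
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # reserved, family=IPv4
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack(HEADER_FMT, BINDING_RESPONSE, len(attr), STUN_MAGIC)
    return header + txn_id + attr


def parse_binding_response(data, expected_txn_id):
    """Client side: validate header, match the transaction id, and return the
    reflexive (public) address as (ip, port). Raises ValueError on anything
    unexpected so a caller never trusts a forged or stray datagram."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, magic = struct.unpack(HEADER_FMT, data[:8])
    txn_id = data[8:20]
    if magic != STUN_MAGIC:
        raise ValueError("bad magic cookie")
    if txn_id != expected_txn_id:
        raise ValueError("transaction id mismatch (not our request)")
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Success Response")
    body = data[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        offset += 4 + ((alen + 3) // 4) * 4       # attributes are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:                      # only IPv4 handled here
                continue
            port = xport ^ (STUN_MAGIC >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ STUN_MAGIC))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def is_behind_nat(local_addr, reflexive_addr):
    """If the address the server saw differs from the socket's local address,
    a NAT (or other translating device) sits in between."""
    return local_addr != reflexive_addr


def demo():
    # Constructed values: RFC 5737 documentation address, private local address.
    txn = bytes(range(12))
    request = build_binding_request(txn)
    response = build_binding_response(txn, "203.0.113.7", 40000)  # simulated server
    reflexive = parse_binding_response(response, txn)
    return len(request), reflexive, is_behind_nat(("192.168.1.10", 5060), reflexive)


if __name__ == "__main__":
    print(demo())
```

From a defender's point of view the interesting part is the direction of the traffic: the client sends an outbound UDP datagram first, the stateful firewall creates a mapping for it, and the response (and later peer traffic hitting the same mapping) is then allowed back in. That is why blocking inbound UDP alone does not stop this class of application; outbound UDP egress policy is what matters.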

In general Skype works as a peer-to-peer network. Data is not only transferred directly to the communication partner, but also routed over other Skype nodes. This applies not only to the communication itself: the Skype contact list is also distributed across the computers of many other Skype users.

If the user has a fast Internet connection (>256k upload) and stays connected for a long time, his client automatically becomes a Supernode. Then not only is the contact data of other users stored on the computer, but telephone calls are also routed through these Supernodes. So far this behaviour can be disabled.

To protect the privacy of its users Skype uses AES-256 encryption. Everything that can be found about Skype's security implementation is a study paid for by Skype itself! This document states that the AES implementation conforms to the standard and is well done.

However, Skype is closed source and nobody can look into the source code. Skype even employs techniques to hinder debugging and reverse engineering.

That this implementation is not as compliant as claimed is shown by a document which appeared in the German press. In this document the German company DigiTask offers the German government a product to sniff and decode Skype VoIP traffic.

In general one should consider alternatives such as Wengo or Gizmo, which provide the same functionality, including video conferencing and AES encryption. The main difference is that they are Open Source, and everybody can verify the security they claim.

Clemens Kurtenbach
S21sec Labs
