In Depth

Security Risks: Can 9 Million Skype Users Be Wrong?

Skype is a great way to communicate. But security professionals should know that it also brings auditing and monitoring risks.

By Simson Garfinkel

Unlike Vonage and other voice-over-IP systems, Skype is not based on the Session Initiation Protocol (SIP) or any other Internet standard. Skype uses a protocol that's both proprietary and secret. The company claims that all Skype communications are encrypted with the 256-bit Advanced Encryption Standard (AES) and that keys are exchanged using the RSA encryption algorithm. I've looked at Skype's packets, and I can verify that they are in fact encrypted, but there's really no way to know how secure it is without considerable documentation and cooperation from the company.

These facts combine to make Skype an emerging problem for many CSOs. For organizations, such as investment companies, that are required by law to monitor communications between their employees and their customers, Skype is an untappable voice gateway. It's also largely unstoppable, because Skype can tunnel through, over or around most kinds of firewalls. And for organizations, such as hospitals, that are required by law to provide for secure communications between employees and customers, Skype gives the appearance of a secure communications channel, but it might not provide any security at all.

On the other hand, if neither monitoring nor secrecy of voice communications is a legal requirement for your organization, another perfectly reasonable approach is to embrace Skype and its peer-to-peer voice technology. Skype is certainly more secure than most cell phones, which have their encryption disabled, or landlines that don't have any encryption at all. Sure, there is a chance that your Skype conversation is going through another person's computer, and there's a chance that they've managed to crack Skype's algorithm and are listening in on everything you say. Even though there is certainly the potential for abuse, in most cases the actual chance of abuse is small.

Another important aspect of security is availability, that is, making sure that systems and backup systems are always available to serve your users' needs. And availability is where Skype really shines. No matter where you are, if you have some kind of connectivity to the Internet, you can use Skype to communicate with others. This is a huge benefit to the mobile worker, because you can just sit down in some cybercafé anywhere in the world, take out your laptop, and (wham!) you are in direct communication. (On the other hand, if Skype's creators decide to pull the plug on the company's servers, every Skype user on the planet will be suddenly dead in the water, unless, of course, an enterprising hacker can figure out how to patch the Skype executable so that it uses a different set of servers on the Internet.)
