In Depth

Security Risks: Can 9 Million Skype Users Be Wrong?

Skype is a great way to communicate. But security professionals should know that it also brings auditing and monitoring risks.

By Simson Garfinkel

Because it's peer-to-peer, you can use Skype to exchange large files without worrying about any server-based restrictions. Although the protocol doesn't seem to recover gracefully from interrupted transmissions (it restarts the transfer in the middle of the file), it's completely reasonable to use Skype to send 100MB files from one end of the planet to the other. Skype's servers will do the user name/password authentication, but the data packets will go directly from one user's computer to the other's, possibly passing through a Skype user or two.

The fact that Skype's user name/password combinations are validated by central servers gives Skype another big advantage over e-mail: authentication. The vast majority of e-mail on the Internet is sent without authentication. As a result, when you get a piece of e-mail, you never can be sure that the address listed on the message is where it was really sent from. But since every Skype user is validated before being allowed to join the network, you can have reasonable trust in the identities that flash through the Skype application. Such authentication helps build the business justification for Skype.

Two negatives are operating against Skype. The first is the fact that the Skype client running on your computer can and will relay calls between other network users without your knowledge. That can pose a problem on networks that have only a little bit of Internet connectivity. It makes sense that Skype would detect how much bandwidth you have for this kind of third-party altruism. But alas, the algorithm that Skype uses to determine how much of this relaying it is allowed to engage in is proprietary, so we can't know for sure.

The other drawback is that bad guys can, of course, use Skype to send worms and viruses. Obviously, the first thing to do is to block files transmitted by anyone you don't know. A better approach would be to integrate Skype with your computer's antivirus system so that all incoming files are automatically scanned. That's not currently a Skype feature, but it might be by the time you read this.

Probably the most important thing about Skype, however, is not the program's functionality today, but something much deeper about the whole Skype process. One year after Skype launched, it had more than 9.5 million users worldwide, with more than 1.5 million connections per day and, on average, 500,000 people connected at any given time. The software is available for Windows, Mac OS X, Linux and Pocket PC. The software has the capability of automatically updating and upgrading itself, allowing it to acquire new features at any time, potentially without the permission of the user. The software uses a secret protocol; all communications are encrypted. And Skype Technologies does its engineering in Tallinn, Estonia, has some business operations in London and registers its website in Amsterdam.
