Security Questions Dog Skype


A very well-done piece in The Register describes serious problems with Skype security.


In fact, there are two issues. The first is that people's accounts are being hijacked and nobody understands precisely what is going on. The second is that the company is being almost totally unresponsive. This is perhaps even more problematic, since it often is possible to eliminate a problem by changing a procedure or patching a vulnerability. The unresponsiveness can be either because staff is so overwhelmed that it can't respond or because it doesn't care. Needless to say, either reason should get the attention of current or prospective subscribers.


Longtime VoIP observer Andy Abramson reacts to the story, which he calls "very, very disturbing," by noting a "dramatic" worsening in service by the company as it has grown. PayPal and Skype both are owned by eBay, so the technical issue may start with the parent system. Abramson suggests that the issue may be a product of the unsuccessful marriage of Skype and eBay. He says the integration began with the installation of eBay executives and the exit of the VoIP provider's existing executives. More executives were hired but, the blogger says, the problems persist.


Claims of not adequately caring for subscribers are not Skype's only problem. Network World reports that there are suspicions that Skype is building backdoors into its software and keeping keys that enable it to decrypt calls. The piece links to a Heise Online story about industry suspicions about a backdoor. Network World notes that Skype has taken inordinate care to craft software that cannot be reverse engineered to determine whether backdoors are present. The company wouldn't comment on whether it keeps encryption keys.


Skype's networking structure is changing as well. As a peer-to-peer service, Skype eschews central servers in favor of "supernodes." By becoming a subscriber, people -- usually unknowingly -- give Skype permission to use their device and bandwidth as a type of mini-server network controlling a small group of other users. This raises security and bandwidth allocation questions, especially when the subscriber is in a corporate network.


This XLM Networking blog post does two things: It reposts an older item with a very clear description of how supernodes work, and it provides an update on changes Skype has instituted. The news is good: It is now possible to opt out of being used as a supernode. In addition, the supernodes now are used only for call setup, not the call itself. This cuts bandwidth use.


Skype security is risky. Indeed, PromiseSec's recently launched Internet Threat Encyclopedia rates it as "extremely critical." The bottom line is simple: Businesses must think twice before using the platform.