[VOIPSEC] Soft Phone Vulnerabilities

Craig Southeren craigs at postincrement.com
Wed Jun 7 19:13:45 CDT 2006


On Wed, 7 Jun 2006 08:02:37 -0500
"Henry Sinnreich" <henry at pulver.com> wrote:

> > This is why people worry about Skype being used in the workplace,
> 
> I am afraid this is just sour grapes. Skype has been attested as being
> secure, enhances the productivity in the enterprise, supports communications
> worldwide with customers and partners and may become the AT&T of VoIP. 
> And is profitable as well, which is an exception to the rule in the VoIP
> provider world.

And exactly who has done this "attesting" that you speak of? Only
Skype themselves can make any such claim, and of course, we know that
all claims made by software companies and telcos are always true :)

While this comment is more than a little sarcastic, for me it
encapsulates the entire "Skype is secure" discussion. Skype claim their
product is secure (see link 1 below for their statement), but nobody can
verify this claim because their protocol is closed and not subject to
independent verification. 

Skype's claims about security may turn out to be true, but history
shows that security systems designed behind closed doors are more likely
to have flaws than those subject to vigorous peer review. I see no
reason to expect that Skype's engineers are any better (or worse) than
anyone else's in this regard.

Given this, any claims of security by Skype should be discounted until
proven by an open and fair review of the algorithms and techniques in
use. This is why peer reviewed open standards are always going to have
the advantage over closed standards - the "many eyes make light work"
argument.

Many, if not most, Skype users are not knowledgeable in the area of
cryptography, VoIP technology or even computer usage. Given the
excellent job that Skype has done in delivering and advertising an easy
to use and reliable product, these same users will tend to believe the
rest of Skype's claims, including the ones about security. If you don't
believe this, then remember how many people every day believe a far less
likely story about receiving millions of dollars from a deposed general
in Nigeria :)

Link 1
http://support.skype.com/index.php?_a=knowledgebase&_j=questiondetails&_i=144

   Craig

-----------------------------------------------------------------------
 Craig Southeren          Post Increment – VoIP Consulting and Software
 craigs at postincrement.com.au                   www.postincrement.com.au

 Phone:  +61 243654666      ICQ: #86852844
 Fax:    +61 243656905      MSN: craig_southeren at hotmail.com
 Mobile: +61 417231046      

 "It takes a man to suffer ignorance and smile.
  Be yourself, no matter what they say."   Sting




