[VOIPSEC] Soft Phone Vulnerabilities

Henry Sinnreich henry at pulver.com
Thu Jun 8 08:00:55 CDT 2006


>I think Skype will eventually address this issue of security 
>through obscurity.

Skype would also have to embrace and contribute to the SIP P2P standards 
or face a shrinking market share IMHO.

Thanks, Henry

-----Original Message-----
From: Medhavi Bhatia [mailto:medhavib at gmail.com] 
Sent: Wednesday, June 07, 2006 7:52 PM
To: Craig Southeren
Cc: Henry Sinnreich; Jacobs, Marcia; Martyn Davies; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Soft Phone Vulnerabilities

Hi Craig,

I think Skype may be on the right track at this point. Consider the
alternatives: say Skype were to use HTTPS between peers. You would
probably be more comfortable than when there was no security, but it
still doesn't compare with the web security model where HTTPS is used
on managed web servers. I think it is probably easier to hack HTTPS in
a P2P network and gain the identity of another user (especially w/o
PKI).

I think Skype will eventually address this issue of security through
obscurity. They have done a very very good job though till this point,
given Tom Berson's analysis. Here is another report from a Black Hat
conference which should help folks on this list:

http://www.secdev.org/conf/skype_BHEU06.pdf

-Medhavi.

On 6/7/06, Craig Southeren <craigs at postincrement.com> wrote:
> On Wed, 7 Jun 2006 08:02:37 -0500
> "Henry Sinnreich" <henry at pulver.com> wrote:
>
> > > This is why people worry about Skype being used in the workplace,
> >
> > I am afraid this is just sour grapes. Skype has been attested as being
> > secure, enhances the productivity in the enterprise, supports communications
> > worldwide with customers and partners and may become the AT&T of VoIP.
> > And is profitable as well, which is an exception to the rule in the VoIP
> > provider world.
>
> And exactly who has done this "attesting" that you speak of? Only
> Skype themselves can make any such claim, and of course, we know that
> all claims made by software companies and telcos are always true :)
>
> While this comment is more than a little sarcastic, for me it
> encapsulates the entire "Skype is secure" discussion. Skype claim their
> product is secure (see link 1 below for their statement), but nobody can
> verify this claim because their protocol is closed and not subject to
> independent verification.
>
> Skype's claims about security may turn out to be true, but history
> shows that security systems designed behind closed doors are more likely
> to have flaws than those subject to vigorous peer review. I see no
> reason to expect that Skype's engineers are any better (or worse) than
> anyone else's in this regard.
>
> Given this, any claims of security by Skype should be discounted until
> proven by an open and fair review of the algorithms and techniques in
> use. This is why peer reviewed open standards are always going to have
> the advantage over closed standards - the "many eyes make light work"
> argument.
>
> Many, if not most, Skype users are not knowledgeable in the area of
> cryptography, VoIP technology or even computer usage. Given the
> excellent job that Skype has done in delivering and advertising an easy
> to use and reliable product, these same users will tend to believe the
> rest of Skype's claims, including the ones about security. If you don't
> believe this, then remember how many people every day believe a far less
> likely story about receiving millions of dollars from a deposed general
> in Nigeria :)
>
> Link 1
>
> http://support.skype.com/index.php?_a=knowledgebase&_j=questiondetails&_i=144
>
>    Craig
>
> -----------------------------------------------------------------------
>  Craig Southeren          Post Increment - VoIP Consulting and Software
>  craigs at postincrement.com.au                   www.postincrement.com.au
>
>  Phone:  +61 243654666      ICQ: #86852844
>  Fax:    +61 243656905      MSN: craig_southeren at hotmail.com
>  Mobile: +61 417231046
>
>  "It takes a man to suffer ignorance and smile.
>   Be yourself, no matter what they say."   Sting
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>