[VOIPSEC] Soft Phone Vulnerabilities
Randell Jesup
rjesup at wgate.com
Thu Jun 15 07:14:45 CDT 2006
Craig Southeren <craigs at postincrement.com> writes:
>I know from personal experience that Skype is far from being as reliable
>as the PSTN, and it's got nothing to do with the reliability of the
>boxes that Skype is running on.
>
>I expect users within the continental US don't see the problems that we
>get out here in the back-blocks, but try calling between (say)
>Australia and Turkey via Skype. You can do it any way you like - Skype to
>Skype-Out, Skype to Skype, and in either direction. You'll get a
>connection no more often than one in two call attempts, and when you do
>get a connection, the latency will be about 3-4 seconds. And that's with
>an ADSL broadband connection at both ends. Of course, calling to and
>from the US works just fine on both those endpoints.
>
>But PSTN, or even cellphone, will get a connection over the same route
>nearly every time.

It sounds as if Skype either isn't selecting proxies ("supernodes") based
on (network) distance from one of the endpoints, or all supernodes near
one of the two endpoints were already overloaded. This is an expected
type of problem with a relay-based system. It may be more prevalent
with a p2p system that relies on users to happen to be on high-bandwidth,
fairly open connections to provide good hosts for supernodes.
Non-relay systems (which may have issues with some networks/NATs; see
ICE/TURN) are more deterministic and generally have low delay. The worst
I've seen on our phone is circa 400ms.

>All of this notwithstanding, the fact still remains that Skype is a
>highly useful service, and has managed to achieve many objectives that
>previous attempts to monetise the VoIP space have failed to do. And I
>have no doubt that the people behind Skype are nice and enthusiastic
>people with all of the best intentions and motives.

Agreed.

>But none of these are reason to gloss over the hard technical facts that
>it is still a closed system, and as such, cannot be assumed to be any
>more secure than any other closed system. No amount of straw-man
>comparisons with other failed closed source and open source systems will
>change that fact.
>
>Experience shows that security comes from interoperability with devices
>written by third parties to a documented standard, and from the ability
>to withstand attacks (either on paper or in real-life) by parties that
>are knowledgeable about the internal design of the system. This applies
>to both the design and the implementation of the components.
>
>Neither of these conditions apply (yet) to Skype.

Also agreed.
--
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup at wgate.com
"The fetters imposed on liberty at home have ever been forged out of the weapons
provided for defence against real, pretended, or imaginary dangers from abroad."
- James Madison, 4th US president (1751-1836)