[VOIPSEC] So who is SKYPE listening to?

Simon Horne s.horne at packetizer.com
Fri Jun 23 05:05:44 CDT 2006


Michael

To be honest, adding PKI peer-entity authentication to SKYPE does not 
really "improve" security since the network is already closed. As was 
discussed previously with respect to current vendor-specific VoIP islands 
in SIP, the real power of peer-entity authentication is when calling 
parties identify themselves in inter-domain (inter VoIP Island) connections 
across an open internet, where there is no centralized "network" control 
and the trust is derived from a common third party. This is much more 
suited to the standards-based protocols where businesses control their own 
networks.

I think you are going to have a hard sell trying to convince businesses 
that the best solution is to buy a server and donate it and all the 
bandwidth (at your expense) to SKYPE so it can be run into the ground 
proxying other (not related to your business) SKYPE users' traffic.

Simon

At 09:56 PM 22/06/2006, you wrote:
>Here is some suggested reading: http://www.well.com/~theek/skype4e.pps
>
>This is the talk I gave last week at their devcon. It's for public 
>consumption.
>
>Regards
>
>M
>
>
>On 6/22/06, Simon Horne <s.horne at packetizer.com> wrote:
>
>Saw this on our Industry news feed.
>
>Skype to address identification concerns
>http://news.com.com/Skype+to+address+identification+concerns/2100-7352_3-6086360.html?tag=fd_nbs_ent&tag=nl.e433
>
>Quote
>One security concern for IT managers is that while Skype uses an encrypted
>public key infrastructure, it automatically authenticates users itself.
>This means that users cannot authenticate the identity of the people they
>are communicating with.
>"Skype is a public key infrastructure, which means nothing if you don't
>know who you are identifying at the other end," Sauer said.
>End Quote
>
>It seems even though some people have difficulty understanding the
>importance of caller (peer-entity) authentication, it appears that it has
>not been lost at SKYPE.
>
>Simon