[FoRK] Skype insecurity, extra traffic, huge Javascript download

Stephen D. Williams sdw at lig.net
Fri May 27 18:52:19 PDT 2016

The pre-Microsoft version of Skype used integral encryption that was generally considered to be unbroken.

Here, SSL isn't broken per se, but if someone sneaks in a CA certificate at the system level, which is common for Enterprise 
situations, then Skype will quietly and automatically trust a man in the middle.  That's not the expectation of users, but exactly 
what Microsoft and people influencing Microsoft want.


Understandable, but not desirable by users.

On the other hand:


On 5/27/16 11:20 AM, Gregory Alan Bolcer wrote:
> If you use a localhost as the proxy which then handles the p2p encryption/decryption, it worked up until early 2k's. Encryptanet 
> was all about crazy interceptions and redirections and frictionless content access.
> Greg
> On 5/27/2016 11:16 AM, Stephen D. Williams wrote:
>> This is old, but still interesting.  This illustrates why Skype was so
>> much less usable, and less secure, as a Microsoft product.
>> https://www.bluecoat.com/security-blog/2014-01-02/exploring-encrypted-skype-conversations-clear-text
>> sdw