[FoRK] Skype insecurity, extra traffic, huge Javascript download

Stephen D. Williams sdw at lig.net
Fri May 27 18:52:19 PDT 2016


The pre-Microsoft version of Skype used integral encryption that was generally considered to be unbroken.

Here, SSL isn't broken per se, but if someone sneaks in a CA certificate at the system level, which is common for Enterprise 
situations, then Skype will quietly and automatically trust a man in the middle.  That's not the expectation of users, but exactly 
what Microsoft and people influencing Microsoft want.

http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

Understandable, but not desired by users.

On the other hand:
http://www.latimes.com/business/technology/la-fi-tn-google-allo-20160523-snap-story.html

sdw

On 5/27/16 11:20 AM, Gregory Alan Bolcer wrote:
> If you use a localhost as the proxy which then handles the p2p encryption/decryption, it worked up until early 2k's. Encryptanet 
> was all about crazy interceptions and redirections and frictionless content access.
>
> Greg
>
> On 5/27/2016 11:16 AM, Stephen D. Williams wrote:
>> This is old, but still interesting.  This illustrates why Skype was so
>> much less usable, and less secure, as a Microsoft product.
>>
>> https://www.bluecoat.com/security-blog/2014-01-02/exploring-encrypted-skype-conversations-clear-text
>>
>>
>> sdw


