The report linked here is an analysis of the VoIP application Skype. One of the scopes in this report was to investigate whether the Skype application is secure enough to deploy in a corporate environment.
Credit:
The information has been provided by Dennis Bergstrom.
The original article can be found at: http://www.geocities.com/bergstromdennis/
Introduction:
The conclusion must be that the Skype application is currently not suitable or secure enough to be deployed in a corporate environment. The reasons for this conclusion are:
1. It seems to be hard to confine the Skype application to a corporate network. At some point the Skype application clients inside the corporation must connect to external entities, both the centrally managed Skype back-end servers and an arbitrary so-called supernode, which in most cases is some other Skype application end-user.
2. It seems equally hard to block the Skype application in a corporate network environment. The Skype application will successfully work with a TCP connection to port 80/tcp only and would probably traverse a corporate firewall with ease. Blocking outgoing traffic to port 80/tcp is usually not an option for a company, and so the Skype application can work, albeit with reduced functionality.
3. A corporation would probably have little or no influence over the traffic pattern of the Skype application clients. Most of the logic behind the Skype network is handled either by Skype-managed back-end servers or by external supernodes and probably cannot be influenced by a corporation.
4. All file transfers between users in the Skype application are encrypted. Although the receiving Skype application user must accept a file before the transfer starts, this could be a possible path for viruses or worms into a corporate network without ever being checked by a corporate anti-virus solution.
5. The Skype application End User License Agreement (EULA) has very peculiar demands and vague wording.
6. There is no documentation of how the link encryption and key exchange are done. As there is no documentation, it is unknown how serious the threats of intercepted conversations or traffic analysis are. There seems to be functionality in each and every Skype application client that transmits call statistics to the centrally managed Skype server. This could probably have some impact on the privacy of the end-user if this mechanism can also be utilized for transferring the session keys for a particular session, which would aid in the interception of the speech, instant messaging or file transfers. This alone will of course not cause any interception, but it will probably aid an attacker who has the ability to sniff the traffic between two Skype end-users in decrypting the session traffic.
The full document can be found at: http://www.geocities.com/bergstromdennis/Skype_Analysis_1_3.pdf