A recent Skype test report

A recent Skype test report, published on Dec. 5 under the "Clear Choice Test" label, claims that Skype is secure enough that there is no need to worry about its security. See the full article at Network World.

The author of that report considers Skype communications very secure, for the following reasons:

  • 1 The software's communication protocol is secure; all traffic is encrypted
  • 2 Viruses and worms introduced through file sharing can be handled by desktop anti-virus systems
  • 3 No substantive vulnerability has been exposed so far
  • 4 IPS/IDS products that detect and control Skype will be available soon
  • 5 In fact, concern about Skype centres mainly on administrators being unable to control it, not on how many direct security threats Skype actually introduces

These views are provided for your reference and do not represent my own opinion. The test did not go into technical detail; the author states that follow-up reports will be published.

What should concern IT departments about Skype is not so much the danger to security but the fact that it can’t be controlled. Our testing shows that:

* Skype works through firewalls and symmetric NATs (where a unique external IP address is associated with each internal user). We tried a number of commercial firewalls, configurations and even IPSs, which work based on many higher-level traffic-analysis techniques, and we could not prevent Skype from successfully establishing quality VoIP phone calls.
* When Skype users download the software, they must consent to the usage agreement that includes a provision allowing Skype to commandeer their PC and its resources. The big fear is that the PC – ostensibly an enterprise node with private company files and communications stored on it – could become a Skype SuperNode. A Skype SuperNode is a commandeered PC that plays a kind of proxy role in Skype call setup. We saw no evidence of any attempted takeover or use of any of the Skype-loaded PCs or laptops we tested. Conventional wisdom is that a SuperNode takeover occurs only on nodes that maintain a long-term presence with the same public IP address.
* The main Skype executable program is about 15MB. The installation puts an icon on a user's desktop. A user must explicitly launch Skype to place calls. Whenever a laptop user launches the application, there is a dialog with the Internet-based Skype controllers. Portions of that dialog were reliably detected by at least one IPS we tested, from a vendor we agreed not to name.


2 Responses to A recent Skype test report

  1. SIP is best says:

    That administrators cannot control it is reason enough on its own. If Skype really becomes the standard, everyone will start developing software that grabs as much bandwidth as it can. Won't there still not be enough?

  2. […] At recent Blackhat Europe, Philippe BIONDI and Fabrice DESCLAUX published their latest investigation on Skype titled "Silver Needle in the Skype". Previously a test by Network World studied the cryptography algorithm underneath Skype and drew a conclusion that Skype is secure enough for end users. Another whitepaper by Tom Berson expressed a similar viewpoint. But, with heavy reverse engineering of Skype, Philippe and Fabrice investigated deeply how Skype operates and exchanges information. The following is their conclusion:

     Good points
       • Skype was made by clever people
       • Good use of cryptography

     Bad points
       • Hard to enforce a security policy with Skype
       • Jams traffic, can't be distinguished from data exfiltration
       • Incompatible with traffic monitoring, IDS
       • Impossible to protect from attacks (which would be obfuscated)
       • Total blackbox. Lack of transparency.
       • No way to know if there is/will be a backdoor
       • Fully trusts anyone who speaks Skype. […]
