A latest skype test report named under “Clear Choice Test” at Dec.5 claimed that Skype is safe enough so it’s not necessary to worry about its security. See the detailed message at Network World.
- 1 软件通信协议很安全，都加密了
- 2 文件共享带来的病毒和蠕虫可以通过桌面防病毒系统来解决
- 3 现在还没有什么实质上的漏洞暴露出来
- 4 很快就有相应的IPS/IDS来检测控制Skype
- 5 其实对于Skype的担心主要集中在管理员无法控制Skype，而不是Skype到底带来了多少直接的安全威胁
What should concern IT departments about Skype is not so much the danger to security but the fact that it can’t be controlled. Our testing shows that:
*Skype works through firewalls and symmetric NATs (where a unique external IP address is associated with each internal user). We tried a number of commercial firewalls, configurations and even IPSs, which work based on many higher-level traffic-analysis techniques, and we could not prevent Skype from successfully establishing quality VoIP phone calls.
*When Skype users download the software, they must consent to the usage agreement that includes a provision allowing Skype to commandeer their PC and its resources. The big fear is that the PC – ostensibly an enterprise node with private company files and communications stored on it – could become a Skype SuperNode. A Skype SuperNode is a commandeered PC that plays a kind of proxy role in Skype call setup. We saw no evidence of any attempted takeover or use of any of the Skype-loaded PCs or laptops we tested. Conventional wisdom is that a SuperNode takeover occurs only on nodes that maintain a long-term presence with the same public IP address.
*The main Skype executable program is about 15MB. The installation puts an icon on a user’s desktop. A user must explicitly launch Skype to place calls. Whenever a laptop user launches the application, there is a dialog with the Internet-based Skype controllers. Portions of that dialog were reliably detected by at least one IPS we tested-from a vendor we agreed not to name.