Simson Garfinkel analyses Skype - Open Society Institute

Ian G iang at systemics.com
Tue Feb 1 14:17:20 EST 2005 

Ian Brown wrote:

> I'd guess that many of the developing-world human rights groups funded 
> by OSI would have legitimate reason to worry about wiretapping 
> conducted by well-resourced opponents in their governments. They might 
> also discuss information on a secure communication facility that they 
> would avoid on a PSTN phone. So it's important they know where Skype 
> lies on the spectrum between the two.


That's correct.  www.cryptorights.org is a group that
specialises in dealing with that market.  Curiously,
they have found evidence of MITMs from those
attackers, although I only have anecdotal accounts,
so nothing firm to report.

If one is actually going up against governments
("ours" or "theirs") then one needs to take more
care.  Downloading just any crypto tool from the
net and using it without thought is a death warrant
with some of these use cases.  (That's not an
exaggeration, or so I've been told.)

Note however, that these users know to take more
care; in that OSI funded the report (presumably)
for that very use case.  The report may very well
accurately be read as "not suitable if your life
depends on it."

But, that has only limited bearing on those users
without a clearly identified life-threatening enemy.

What Skype aught to do - and clearly don't - is
list the limitations of the product clearly on their
website.  The main concern that people have is
that because they say it is secure, nobody trusts
them.  If they said it was insecure in X,Y,Z ways,
then people would trust them more (after verifying
that X,Y,Z was true).

But getting to a world where people will list the
security weaknesses honestly is a challenge that
we all face, on both sides of the crypto debate.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list