survey of instant messaging privacy

Marcos el Ruptor ruptor at cryptolib.com
Mon Jun 9 23:24:49 EDT 2008


> Interesting.  Of course, with the possible exception of Skype, only  
> the over-the-network part of the communication is protected.  The  
> IM providers can still give the contents of your communications to  
> third parties.

As far as I can tell after having reverse engineered its protocol,  
Skype is actually very well made with a few exceptions that would  
still be next to impossible to exploit for a street hacker (and with  
only one suspicious thing that looks like a backdoor exploitable only  
by the server and only by whoever knows the preimages to some
hard-coded MD5 values - "it looks like a backdoor, it smells like a  
backdoor, it gotta be a duck"). Other than that, peer-to-peer AES-256  
with randomly generated RSA keys is good enough for me.

> As OTR has shown, it's not hard to do end-to-end crypto even if you  
> don't have direct client connectivity.  Makes one wonder why the  
> default clients don't have the functionality :)

Way too much hassle for them having to deal with the government  
agencies demanding access to intercepted communications. It goes for  
all the products developed by large corporations. The general  
attitude is "honest people have nothing to hide" aggravated by the  
encryption export controls and the Wassenaar Arrangement. While Skype  
was made by Estonians who simply didn't care about any such nonsense.  
So the cheapest way for the NSA to obtain all of Skype's secret keys  
giving them at least some access to the servers and traffic  
obfuscation algorithms was to have a US company pay $4bln for it...  
Well done!

Marcos el Ruptor
http://www.enrupt.com/ - Raising the bar.

---------------------------------------------------------------------
The Cryptography Mailing List