Privacy International wades into Skype

Free Voice-over-IP outfit Skype has been blasted for being insecure by the advocacy outfit Privacy International.

In a press release, Privacy International claims that the phone outfit’s security problems could put the lives of those using it in repressive regimes in danger.

One thing it did not like was that the Skype interface uses names rather than unique IDs, meaning that people can be impersonated.

Skype software downloads are not made through a secure connection, which means that other sites can masquerade as the main site and offer compromised versions of the software.

Another problem is that the audio compression system used in Skype allows phrases to be identified with an accuracy of between most of the time even with encryption applied.

Privacy International’s human rights and technology adviser Eric King said that if Skype cannot address and resolve these issues for those who are seeking secure communications, then vulnerable users will continue to be exposed to avoidable risks.

He said that Skype’s misleading security assurances “continue to expose users around the world to unnecessary and dangerous risk. It’s time for Skype to own up to the reality of its security and to take a leadership position in global communications.”

Skype said that it is looking at the report and that it will take some time to read and digest it. However, it would look into the points raised.

Skype has known that it was possible to filter Skype chats since 2006, when it was revealed that a partner in China was filtering text in Skype chats. This meant that some words would not be displayed. Although Skype insisted it would not affect the security and encryption systems, it did indicate that the app could be interfered with.

The lack of SSL for downloading means that a “man in the middle” attack is possible against someone who thinks they are downloading Skype. We would have thought that was easy to fix.

Privacy International also does not like the VBR audio compression codec, which it says is an “extremely specious and vulnerable means of protection”. While the audio is encrypted, recent research at the University of North Carolina suggests that phrases can be identified with a high degree of confidence, the report said.
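
Why encryption alone does not hide VBR audio: a variable-bit-rate codec emits frames whose size depends on the sound, and length-preserving encryption leaves those sizes visible on the wire, while padding every frame to one size removes the signal. The sketch below is an added example, not taken from Privacy International's report or from Skype; the frame sizes, the toy keystream cipher and the 64-byte padding size are constructed assumptions.

```python
import hashlib

# Constructed per-frame payload sizes (bytes) for two different phrases, as a
# VBR codec might emit them. The values are invented for illustration.
PHRASE_A = [23, 41, 41, 58, 33, 23, 47, 58, 41, 23]
PHRASE_B = [33, 33, 58, 23, 47, 47, 23, 41, 58, 33]
PAD_TO = 64  # assumed fixed frame size, larger than any payload plus 1

def keystream(key: bytes, frame_no: int, n: int) -> bytes:
    """Toy length-preserving keystream (SHA-256 in counter mode).
    A stand-in for a real stream cipher, not Skype's encryption."""
    out, block = b"", 0
    while len(out) < n:
        seed = key + frame_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:n]

def crypt(key: bytes, frame_no: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, frame_no, len(data))))

def pad(payload: bytes, size: int = PAD_TO) -> bytes:
    """One length byte, the payload, then zero fill up to `size`."""
    if len(payload) + 1 > size or len(payload) > 255:
        raise ValueError("payload too large for the padded frame size")
    return bytes([len(payload)]) + payload + bytes(size - 1 - len(payload))

def unpad(padded: bytes) -> bytes:
    return padded[1:1 + padded[0]]

def wire_lengths(frame_sizes, key: bytes, padded: bool = False):
    """Ciphertext length of each frame: all a passive observer can see."""
    seen = []
    for i, size in enumerate(frame_sizes):
        payload = bytes(size)  # audio content is irrelevant to the observer
        seen.append(len(crypt(key, i, pad(payload) if padded else payload)))
    return seen

def padding_overhead(frame_sizes) -> float:
    """Bandwidth cost of fixed-size padding relative to the raw frames."""
    return PAD_TO * len(frame_sizes) / sum(frame_sizes)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("unpadded A:", wire_lengths(PHRASE_A, key))
    print("unpadded B:", wire_lengths(PHRASE_B, key))
    print("padded   A:", wire_lengths(PHRASE_A, key, padded=True))
    print("overhead A: %.2fx" % padding_overhead(PHRASE_A))
```

Without padding the two phrases produce different length sequences even though every byte is encrypted; with padding they are indistinguishable by size, at the bandwidth cost the last line reports.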