Subject: [IP] more on Skype security evaluation
Begin forwarded message:

From: Lauren Weinstein <lauren@vortex.com>
Date: October 23, 2005 6:56:50 PM EDT
To: dave@farber.net
Cc: lauren@vortex.com
Subject: Re: [IP] Skype security evaluation

Dave,

The cited report appears to confirm what we reasonably would have expected -- that Skype has done a good job in their implementation, and that apparently nothing nefarious is going on.

However, the conundrum is represented by this very short excerpt:

    1.1 Caveats

    This report represents a four-month evaluation. A longer evaluation effort might uncover problems not yet seen. The Version 1.3 code base was evaluated. *** The code base continues to evolve beyond that snapshot. *** [emphasis added]

Naturally, the code is expected to continue its evolution. But the intractable problem with proprietary crypto systems is that even if we know what they are doing today, we don't necessarily have any way to figure out what they're doing tomorrow, either in terms of accidental or purposeful weaknesses.

Yes, in theory Skype could release a new independent security audit of their code to accompany each new release, but this is hardly a practical solution.

This is why proprietary encryption systems should be avoided, especially since high-quality, open alternatives now exist.

--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@eepi.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

- - -
Begin forwarded message:

From: "Steven M. Bellovin" <smb@cs.columbia.edu>
Date: October 23, 2005 9:48:37 AM EDT
To: cryptography@metzdowd.com
Subject: Skype security evaluation

Skype has released an external security evaluation of its product; you can find it at http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf (Skype was also clueful enough to publish the PGP signature of the report, an excellent touch -- see http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig)

The author of the report, Tom Berson, has been in this business for many years; I have a great deal of respect for him.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
-------------------------------------
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/