foobar on computers, software and the rest of the world


Backdoor in Skype? We need an open-source replacement

posted: 25-Jul-2008 08:40

A backdoor in Skype?

It has long been speculated that there might be a backdoor built into Skype, something that would allow Skype (the company) or the police to easily monitor Skype conversations. Skype is closed software and can therefore not be examined at the source level. In fact, the Skype executable code has been deliberately obfuscated to resist any attempt at analysis.

Skype claims that it uses strong encryption and that therefore your conversations are secure. But new indications have now emerged that it might not be quite as secure as they would like us to believe. According to this article here, police in Austria recently claimed that listening in on Skype conversations is no longer a problem for them. And Skype declined to comment on this or to deny it.

Skype supposedly uses the AES encryption algorithm, which is open, has been thoroughly analysed and is generally found to be very secure. However, claiming to use an algorithm is different from actually implementing it correctly. And besides, during setup of a conversation there is a key exchange phase, which is handled by an entirely different proprietary algorithm that has not enjoyed the scrutiny of security experts. The strength of AES says nothing about who ends up holding the session key: if the key exchange hands that key to a third party, or derives it from something a third party knows, the cipher itself is irrelevant.
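To make that distinction concrete, here is an added example; it is not code from this post or from Skype, whose real protocol is not public and is not modelled here. It puts the same cipher in front of two toy call setups: one where the rendezvous server hands both peers the session key, and one where the peers agree on it by Diffie-Hellman with the server only relaying public values. The cipher is an HMAC-SHA256 counter-mode stand-in for AES, because the Python standard library has no AES; the "server", the transcript and the message are all invented for illustration.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14). P is a safe prime, so the
# generator 2 has prime order Q = (P - 1) / 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2


def derive_key(secret: bytes, label: bytes) -> bytes:
    """HKDF-shaped extract-then-expand (RFC 5869 layout), one 32-byte output."""
    prk = hmac.new(b"toy-call-setup-salt", secret, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stand-in for AES-CTR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ k for x, k in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns ciphertext || 32-byte tag."""
    body = _xor_stream(derive_key(key, b"enc"), nonce, plaintext)
    tag = hmac.new(derive_key(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return body + tag


def open_(key: bytes, nonce: bytes, sealed: bytes):
    """Returns the plaintext, or None when the tag does not verify under key."""
    body, tag = sealed[:-32], sealed[-32:]
    expect = hmac.new(derive_key(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return _xor_stream(derive_key(key, b"enc"), nonce, body)


def escrow_setup(wire: list) -> tuple:
    """Design (a): the rendezvous server picks the call key and sends it to
    both peers. Whoever sees the server's traffic or logs sees the key."""
    key = secrets.token_bytes(32)
    wire.append(key)  # server -> alice
    wire.append(key)  # server -> bob
    return key, key


def is_valid_public(y: int) -> bool:
    """Peer value must lie strictly inside (1, P-1) and in the order-Q
    subgroup; skipping this check allows small-subgroup / trivial-key attacks."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def dh_setup(wire: list) -> tuple:
    """Design (b): Diffie-Hellman relayed by the server, which sees only
    g^a and g^b and cannot compute g^ab."""
    a = secrets.randbelow(Q - 2) + 2
    b = secrets.randbelow(Q - 2) + 2
    A, B = pow(G, a, P), pow(G, b, P)
    wire.append(A.to_bytes(256, "big"))  # alice -> server -> bob
    wire.append(B.to_bytes(256, "big"))  # bob -> server -> alice
    if not (is_valid_public(A) and is_valid_public(B)):
        raise ValueError("bad DH public value")
    k_alice = derive_key(pow(B, a, P).to_bytes(256, "big"), b"call")
    k_bob = derive_key(pow(A, b, P).to_bytes(256, "big"), b"call")
    return k_alice, k_bob


def wiretap(wire: list, nonce: bytes, sealed: bytes):
    """Passive interceptor with the server's view: tries every value it saw,
    raw and through the same KDF, as the call key. Plaintext or None."""
    for item in wire:
        for cand in (item, derive_key(item, b"call")):
            pt = open_(cand, nonce, sealed)
            if pt is not None:
                return pt
    return None


def run_call(setup) -> tuple:
    """Returns (call_decrypts_for_bob, what_the_wiretap_recovered)."""
    wire = []
    k_alice, k_bob = setup(wire)
    nonce = secrets.token_bytes(12)
    msg = b"hello grandma"  # constructed sample message
    sealed = seal(k_alice, nonce, msg)
    return open_(k_bob, nonce, sealed) == msg, wiretap(wire, nonce, sealed)


if __name__ == "__main__":
    print("escrow:", run_call(escrow_setup))  # (True, b'hello grandma')
    print("dh:    ", run_call(dh_setup))      # (True, None)
```

Both setups produce a call that "works" for the two parties; only the first leaks the conversation to whoever holds the server's view of the exchange, and nothing in the cipher could have told the user the difference. The is_valid_public check is the detail a home-grown key exchange most often gets wrong: without it a peer can send a value from a small subgroup and force a guessable key, which is precisely the kind of implementation flaw rather than deliberate backdoor that the next section weighs.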

Deliberate or just flawed?

So, assuming for a moment that the claim of the Austrian police is correct, there are two possibilities: (a) Skype made a mistake somewhere in the implementation of its encryption or key exchange and thus allowed a successful attack on its protocol, or (b) Skype has deliberately provided a backdoor for law enforcement or other agencies.

By accepting the convenience of the easy install and painless operation of Skype (double-click to install and be done, no firewall configuration and fiddling - it just works) we have now been thoroughly locked-in to a fundamentally flawed communication platform.

With open-source this wouldn't have happened

Again, a story like this serves as a reminder of the dangers that come with closed-source software, specifically when it handles your data or your communications. Both are very personal and valuable things, and yet we entrust them to software whose actual behaviour we have no way of knowing. That is just wrong.

If Skype were open-source, we would have had a chance to examine it for security vulnerabilities long ago. And if there were a backdoor built in, we would have been able to look for it and remove it. Had the company wanted to keep the backdoor, it could not have done so, since a fork of the project would have been made with the problematic code removed.

But that's the problem with closed-source software: You can't fix its bugs, you can't find out how it works or what it does with your data, your communications, your social contacts and your life. Proprietary software provides anti-features, such as backdoors or DRM, which we cannot remove due to the closed nature of the code.

Software runs our lives, whether we like it or not. It governs every aspect of them. We shouldn't allow corporations to wrest control over our lives away from us to further their profit margins. As Lawrence Lessig said: Free software is the answer to a world built in code.

So far, the open-source community has failed

The open-source community is called upon to provide an alternative to Skype. I am a very big fan of open source, but I have to say that, as far as offering a Skype alternative goes, the open-source community has so far failed. Sure, there are SIP soft-phones (Ekiga, etc.), which are all well and good. But can grandma install and use them? No. As long as those alternatives fail the "grandma test" they are no serious competition to Skype. And of course, Skype is ubiquitous. If you want to talk to people, you need to use what they are using. And everyone is using Skype.

What does the open source community need to do?
  1. Provide a communication alternative for chat, voice and video. Ekiga and other packages show us that all the basic tools for this are present: We have the free codecs, which allow high quality voice and video. We know how to render voice and video smoothly and in high quality. We know how to design good GUIs and interfaces.
  2. Provide this in an easy to install package for all major OS platforms. Firefox is an example of an easy to install cross-platform open-source product.
  3. Most controversial: Come up with something else besides SIP. Skype works as well as it does because they decided to design something different from the ground up, even willing to bend some rules. Something that was optimised to work easily for ordinary home users. SIP was not designed for that and requires too much fiddling. We know in outline how Skype does it: UDP where possible, with a fallback to TCP on ports such as 80 and 443 that are almost always open through firewalls; and a peer-to-peer overlay of super-nodes that relays traffic and helps peers behind NAT find each other.
None of this is rocket science. The open-source community that has done great work with Ekiga and other projects just needs to come out of its purist ivory tower that is SIP. For ordinary home users SIP is not the ticket. Make something that "just works" and we will have a fighting chance at least.

Comment by ChriS, on 11-Aug-2012 12:38

Jitsi looks nice even though it is still developing fast. Hopefully it will be ready for the "grandma test" soon!



foobar's profile

 
New Zealand


  • Who I am: Software developer and consultant.
  • What I do: System level programming, Linux/Unix. C, C++, Java, Python, and a long time ago even Assembler.
  • What I like: I'm a big fan of free and open source software. I'm Windows-free, running Ubuntu on my laptop. To a somewhat lesser degree, I also follow the SaaS industry.
  • Where I have been: Here and there, all over the place.



