Phil Zimmermann doesn't think much of Skype

Summary: Skype in one year introduced more people to the world of cryptography than all of the other cryptography implementations (including Zimmermann’s own PGP) in the last decade combined and they did it using PKI.

Last week, after I wrote the blog post "Does Phil Zimmermann need a clue on VoIP", Zimmermann offered this passionate response.  In his response, Zimmermann discounts the success of Skype, slams PKI while praising PGP, and then distances himself from the VoIP product that he used for his Black Hat demonstration.  Not only did Zimmermann discount the success of Skype in cryptography, but he also offered a blistering attack on PKI technology in general.  To keep this debate within the scope of the original topic, I'm going to write a separate response in defense of PKI and stick here to the topic of Skype versus Zimmermann.

Zimmermann started off his rebuttal by discounting the success of Skype by saying:

The reason why they (Skype) can make a PKI work so seamlessly is because they have a proprietary closed system, where they control everything– the servers, the clients, the service provider (namely, Skype), the protocol, everything.  If I had that luxury, I could make a PKI work too.

It struck me that Zimmermann was actually acknowledging Skype's success in creating a seamless and massive implementation of PKI for the purpose of building a secure VoIP solution, while still discounting Skype as a legitimate PKI solution.  It's almost as if Zimmermann is arguing that Skype had some kind of unfair advantage, or a "luxury" as he put it, that wasn't available to him.  My question to Zimmermann is: What "luxury" would that be?  A little over a year ago no one had ever heard of the word Skype, while Phil Zimmermann and PGP were almost universally known in the computing world for more than a decade.  I somehow doubt that a Phil Zimmermann with his name recognition would ever have a problem acquiring venture capital.

Skype in one year introduced more people to the world of cryptography than all of the other cryptography implementations (including Zimmermann's own PGP) in the last decade combined -- and they did it using PKI.  The only difference was that Skype wrote user-friendly software that seamlessly registered digital certificates with Skype's own PKI Certificate Authorities.  If Skype can build such an exquisite and seamless cryptography implementation, one that defied the conventional wisdom that PKI-based cryptography was fundamentally too difficult for the average Joe to ever grasp, are they to be discounted, or is there a lesson to be learned?  Is it really fair to discount Skype as a legitimate PKI cryptography solution, or is it just sour grapes?  Ironically, Zimmermann's complaints about Skype's success almost mirror what the traditional SIP-based VoIP companies were saying about Skype.

After his blistering attack on PKI-based solutions, Zimmermann wrapped up by distancing himself from the VoIP telephony software that he used in the Black Hat demonstration, explaining that it wasn't his software to begin with and that he didn't plan to use it for his final implementation.  Zimmermann promised to use a proven VoIP product that bypasses all the NAT and firewall traversal issues.  Ironically, the only product on the market right now that matches this description is Skype, which already has a massively successful PKI-based cryptography implementation.  Zimmermann argued that his VoIP demonstration using an open source VoIP client with inadequate VoIP features wasn't a fair way to judge his cryptography scheme, but I never correlated the deficiency in NAT and firewall traversal with the failure of existing PGP-based solutions to gain any mass-market penetration.

As much as I respect Phil Zimmermann the legend, I have to realistically evaluate the relevance of any secure VoIP solution in a post-Skype world.  Skype has set a new standard by proving not only that VoIP can be easy to use, but also that it is possible to painlessly deploy cryptography using PKI.  Traditional VoIP vendors and traditional cryptography vendors can scream all they like about Skype's methodology in achieving such massive success, but it doesn't change the market dynamics one bit.  Mr. Zimmermann's response is always welcome, and you can post your comments here and let us know what your thoughts are on the whole debate.

  • Why skype is bad....

    Interestingly, George Ou likes proprietary software, I wonder about his motives, are they sponsoring him?
    Technology experts adopt open standards but George Ou just lives in his own world where he thinks he is the expert.
    Here is another article about why Skype is bad.... maybe George can read but does he understand?
    • You missed the point

      There are some legitimate complaints against skype in the link you posted, but it doesn't take away from Skype's accomplishments. That was the point of the blog.

      I'm not stuck on Skype and I'm open to Gizmo and I'm keeping a close eye on them. We'll have to wait and see how well they implement everything.
    • open source is the new religion

      i dont see this as george being "for" or "against" open source software, which is as it should be.

      open source zealots commit the offense of judging software solely on whether or not it's "open" or not. which is just not a good metric.

      the metric should be "does it fit my need and do what i need it to do for the price i can pay?"

      for me personally, whether a software package is open or closed doesn't enter into the equation at all. the only question is, does it do what i need, and can i afford it.

      based on THAT metric, skype is WONDERFUL. been testing it for a couple of months, and using its SkypeIN which is in beta. price is a fraction of a landline, does everything i need it to do (call phones), quality is beyond that of a cell phone, and i have no complaints thus far.

      the only dropped calls or bad call quality i've experienced while using skype so far has been due to the cell phone user on the OTHER end of the call.

      Valis Keogh
      • religion or smart?

        If it is a religion, it's good. At least there is still hope that IT will be based on Open Standards.
        It's not about Zealots, It's about smart experts making intelligent choices. After all, Microsofties, Monkeys, MCSEs or whatever they are called now, don't know much. They are a dime a dozen, and afraid of Linux because Linux makes them obsolete.
    • no, this is why skype is bad

      skype is evil (link: cucs-039-04.pdf)
      • Why are you rewriting their conclusions?

        I looked at the link you posted at

        It is a very technical paper. This is what they concluded:

        "Skype is the first VoIP client based on peer-to-peer technology. We think that three factors are responsible for its increasing popularity. First, it provides better voice quality than MSN and Yahoo IM clients; second, it can work almost seamlessly behind NATs and firewalls; and third, it is extremely easy to install and use. We believe that Skype client uses its version of STUN [1] protocol to determine the type of NAT or firewall it is behind. The NAT and firewall traversal techniques of Skype are similar to many existing applications such as network games. It is by the random selection of sender and listener ports, the use of TCP as voice streaming protocol, and the peer-to-peer nature of the Skype network, that not only a SC traverses NATs and firewalls but it does so without any explicit NAT or firewall traversal server. Skype uses TCP for signaling. It uses wide band codecs and has probably licensed them from GlobalIPSound [10]. Skype communication is encrypted."
        • i don't want to be a supernode

          as you would expect from the folks who earlier brought you Kazaa, skype decides whether to make your computer a supernode, and there is not a *** thing you can do about it.

          after reading the columbia report, i deleted skype from my har

          someday all you skype-lovers will pay the price and suffer the same assault on your time and energy as kazaa-lovers did before you, as sure as the sun rises in the morning. this is the real argument in favor of open source voip.

          sorry about the typos -- drinking and blogging don't mix. in fact, you can pretty much ignore anything i say after about mid-afternoon -- my ex-wife and kids learned this the hard way.
          • Do you know what it takes to be a super node?

            You can't be a super node if you have all inbound ports blocked. This is the default setting on a consumer router.

            I've been running Skype for a year now, and I have yet to ever become a super node.
          • kaZaa kaZaa kaZaa kaZaa kaZaa

            well, i guess you know a lot more about skype than me, but my understanding is:

            "Super-nodes appear to "volunteer" to perform the function. Or put another way, they are nodes that are not under the control of Skype, but they perform all the routing functions necessary to discover a user and exchange information with the user. Super nodes run on any machine running the Skype program and the machines under Skype control have no way to determine if the super nodes are running unmodified Skype code."

            "The question is why Skype chose to implement an undocumented and unqualified proprietary encryption scheme at considerable expense rather than use one of the many existing schemes that are well known, well characterized, and free for the taking."

            "Skype client running on your computer can and will relay calls between other network users without your knowledge. That can pose a problem on networks that have only a little bit of Internet connectivity. It makes sense that Skype would detect how much bandwidth you have for this kind of third-party altruism. But alas, the algorithm that Skype uses to determine how much of this relaying it is allowed to engage in is proprietary, so we can't know for sure."

            i guess google can take you to the sources, since i am obviously incapable of posting a url around these parts.

            put it this way: suppose they called it kazaaspeak instead of skype. would you let it anywhere near your hard drive?
          • It's not Kazaa

            Skype installs very clean. There is no spyware bundled with Skype.

            You still seem to be stuck on the super nodes. Like I said, I've never been a super node and I've been using Skype for a year.