Experts debate Skype's enterprise security

Written by Russell Shaw, Contributor

Two Skype experts have an interesting debate about Skype security up on the NetworkWorld website.

The debate is entitled, "Is Skype enterprise-ready?"

James Gaskin says yes:


"Skype allows for encrypted messages while keeping a clear text history of chats on each local PC for compliance, a security upgrade over other public IM options. Simply put, there are bigger security battles inside most commercial networks that require attention before Skype needs to be put at the top of the security concern list."


Gaskin also says that, as an eBay property, Skype will get more U.S. government security scrutiny than it did as a foreign-based stand-alone company.


Rodney Thayer says no:


"The likelihood of an attacker successfully reverse-engineering either Skype's cryptography or its underlying communications protocol is high. Skype uses a proprietary encryption scheme on top of a proprietary communications protocol. There are no public specifications, no multiple interoperable implementations and no publicly available security reviews of the protocols that vet the potential vulnerabilities. There is one Skype-funded review of the cryptography (see DocFinder: 1227), but it doesn't cover the protocol or the implementation. Furthermore, Skype implements peer-to-peer communications, thus facilitating unauthorized use of bandwidth.

"From a hacker's perspective, the potential to compromise Skype clients on the Internet and conduct zombie or direct-endpoint system attacks is appealing. Skype is architected with ease of use, not security, in mind. It's very difficult to avoid configuring the client for automatic logon, thus immediately announcing itself to the Internet. Skype is designed to share too much information in the form of contact details."





