X
Tech
Home Tech Security

Skype security chief defends their PKI model

 On the Skype corporate website, Skype chief security officer Kurt Sauer has kicked off his new Skype Security blog.For his first post, Sauer explains why Skype has designed their PKI (Public Key Infrastructure) into the program in a way that is transparent to Skype users and precludes more user-generated precautions against hacking of Skype sessions (such as the demonstration conference call illustrated at the top of this post).
Written by Russell Shaw, Contributor
skypeconferencecall.jpg
 

On the Skype corporate website, Skype chief security officer Kurt Sauer has kicked off his new Skype Security blog.

For his first post, Sauer explains why Skype has designed their PKI (Public Key Infrastructure) into the program in a way that is transparent to Skype users and precludes more user-generated precautions against hacking of Skype sessions (such as the demonstration conference call illustrated at the top of this post).

"We didn’t do anything particularly revolutionary in terms of designing the PKI, but what was an important step forward was to design the PKI into every aspect of the Skype product, from the user interface right down to the underlying session layer," he writes. "Yet, I don’t think anyone could claim that Skype’s PKI is hard to understand or hard to use. It takes no particular technical prowess to use Skype, to make a new account, to search its directory, or to figure out who you’re talking to."

Sauer appropriates blogger Brad Templeton's view of the Skype PKI as ZUI, or Zero User Interface. 

Last August, Brad wrote:

Skype does what I call ZUI — Zero User Interface. And the result is millions encrypting. ZUI requires some cryptography compromises. You are a bit more subject to the “man in the middle attack” if somebody can make all your internet traffic go through them. But it turns out anybody who can do that usually has a lot of other ways to get at you, so this is not as much of a compromise as some people think.

Many cryptographers, paid to design security for banks or spy agencies, assume a much too large “threat model” in designing their systems. Because they can design a system that can protect a bank or spy, they ask why you wouldn’t. And by asking that, I think they have caused more and more systems to have no crypto because the programmers don’t have the resources, or won’t muck up the UI as might be needed to have the best.

Skype’s crypto might have a flaw, but none has been publicised yet. I wouldn’t trust it as well as a more scrutinized system, but in fact it’s not an all or nothing game as some cryptographers would have you believe. I think you can put a decent amount of confidence in Skype if your “threat model” is the script kiddie sniffing the wireless network at your Starbucks. For that threat, it is a lot better than talking on an unencrypted system, which is what you will get from everybody else unless you go to a lot of trouble.

 Is Skype secure enough for you? Post a TalkBack and let us know!

Editorial standards
Show Comments

Related

Linux Mint 10

I've tried a zillion desktop distros - it doesn't get any better than Linux Mint 22

Samsung Galaxy Z Flip 6 inner display next to Android figurine.

One of the best foldable phones I've tested is not from OnePlus or Motorola

TCL Tab 10 Nxtpaper 5G

One of the best budget Android tablets I've tested is not made by Samsung or Google