Security researcher Ashkan Soltani, together with Ars Technica, sent four previously unpublished URLs over Microsoft's Skype and watched the logs of the server hosting them. Two of the four URLs, one of them HTTPS, were subsequently requested by 65.52.100.214, an IP address owned by Microsoft. That is proof that Microsoft both can and does read your Skype chat in plaintext, and subsequently may do things with it, like store the data and check relayed URLs. It can also not do things with your data, like not deleting it. There is no secure end-to-end encryption, as you might have expected, and possibly might have needed, on Microsoft's popular P2P chat service.

Whether or not this technically passes their fine print and is legal everywhere Skype is used, I don't know; but what I do know is that it is perturbing, as Ars articulated well enough themselves (read their article instead if this interests you further):

"There's a widely held belief—even among security professionals, journalists, and human rights activists—that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party's control. This is clearly not the case if Microsoft has the ability to read URLs transmitted back and forth. 'The problem right now is that there's a mismatch between the privacy people expect and what Microsoft is actually delivering,' Matt Green, a professor specializing in encryption at Johns Hopkins University, told Ars. 'Even if Microsoft is only scanning links for "good" purposes, say detecting malicious URLs, this indicates that they can intercept some of your text messages. And that means they could potentially intercept a lot more of them.'"

So even if you trust Microsoft, note that it, and Skype especially, is very friendly with the Chinese, and that Microsoft has revealed that its systems have been compromised, presumably by the Chinese, in grave capacities. So you also have to trust the likes of China, North Korea, WikiLeaks and Anonymous with what you send through Skype. Parenthetically, if any of you can replicate this with Google Talk, you'd make my day.
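For anyone who wants to run the same check against another messaging service, here is the methodology in code. This is an added example, not code from this post or from Ars Technica's experiment: it generates URLs with unguessable tokens (so a hit can only come from something that read the message), then searches a web server's access log for requests that touched those tokens, reporting which tokens were fetched, by which address, and which were left alone. The log-line format, the tokens and the 203.0.113.9 address are constructed sample data; 65.52.100.214 is the address named above.

```python
"""Canary-URL check: generate unguessable URLs, send them through the
channel under test, then look for them in your own server's access log.
Added example; the sample log lines below are constructed, not real logs."""
import re
import secrets
from collections import defaultdict
from urllib.parse import urlparse

# Apache/nginx "combined" access-log line: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def make_canary_url(base, label):
    """Return (token, url). The token is random, so nobody can guess or
    crawl it; the server only ever sees a request for it if something
    read the message that carried it."""
    token = secrets.token_urlsafe(16)
    return token, f"{base.rstrip('/')}/{label}/{token}"


def find_canary_hits(log_lines, tokens):
    """Map each canary token to the (ip, timestamp, status) tuples that
    requested it. Lines that do not parse, or do not end in a known
    token, are ignored. Query strings are stripped before matching."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlparse(m.group("path")).path.rstrip("/")
        for tok in tokens:
            if path.endswith("/" + tok):
                hits[tok].append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return dict(hits)


def untouched_tokens(tokens, hits):
    """Tokens that were sent but never requested (sorted for stable output)."""
    return sorted(t for t in tokens if t not in hits)


# Constructed sample: two canary tokens were "sent"; only one was fetched.
SAMPLE_TOKENS = ["tok-sent-https", "tok-sent-http"]
SAMPLE_LOG = [
    '65.52.100.214 - - [10/May/2013:12:00:01 +0000] "GET /canary/tok-sent-https?x=1 HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [10/May/2013:12:00:02 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "curl/7.29"',
    'this line does not parse and is skipped',
]

if __name__ == "__main__":
    hits = find_canary_hits(SAMPLE_LOG, SAMPLE_TOKENS)
    for tok, reqs in hits.items():
        for ip, ts, status in reqs:
            print(f"FETCHED  {tok}  by {ip} at {ts} (HTTP {status})")
    for tok in untouched_tokens(SAMPLE_TOKENS, hits):
        print(f"UNTOUCHED {tok}")
```

In a real run you would swap SAMPLE_LOG for the lines of your own access log and SAMPLE_TOKENS for the tokens make_canary_url produced; a hit on a token you only ever sent through the chat service means something other than your recipient fetched it.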

If instant messaging security is a serious concern to you, or if you just want a good universal IM client, I recommend Pidgin with the Off-the-Record (OTR) encryption plugin. It works with many services, including ones you can run on your own server if you're so inclined, which lowers your cloud exposure a notch.

Doug Simmons
