Skype's Server Upgrade Triggers Wiretapping Worries
Jul 24, 2012 4:18 PM PT
Fears have surfaced that Skype may be eavesdropping on communications over its service.
The concern is that supernodes Microsoft is introducing to Skype could make it easier to monitor calls, because they route the voice data in addition to initiating communications between parties.
"As was true before the Microsoft acquisition, Skype cooperates with law enforcement agencies as is legally required and technically feasible," Skype spokesperson Chaim Haas told TechNewsWorld.
However, the supernodes were being developed prior to Skype's being acquired by Microsoft, Haas said.
Skype developed the supernodes, which "can be located on dedicated servers within secure datacenters, as part of our ongoing commitment to continually improve the Skype user experience," said He Mark Gillett, head of Skype's product engineering and operations, in an earlier statement.
Just Another Eye in the Sky?
The fear is that Skype may be monitoring both voice and data communications.
Perhaps Microsoft's award of US patent 20110153809, which allows for legal interception, has fueled those fears.
The technology describes how data associated with a request to establish a communication is modified to cause it to be established via a path that includes a recording agent. Such modification could include adding, changing or deleting data.
However, "given how sensitive to latency voice -- and even more so video -- are, I find this to be implausible from an engineering standpoint," Vikram Phatak, CEO of NSS Labs, told TechNewsWorld.
Latency is behind the spotty voice conversations people experience when using a Voice over IP phone system. It's caused by delays in the transmission of packets of data over the network.
"Skype would lose users due to poor quality very quickly" if data were being intercepted at the supernodes," Phatak continued. "More likely, the handoff details are being shared with law enforcement, which is no different from what telephone carriers do today."
Further, communications can be -- "and in the case of international communications are already -- monitored by government servers," Jim McGregor, founder and principal analyst of Tirias Research, told TechNewsWorld. "This is already a reality and a result of the current state of the world."
The Mighty, Mighty Supernode
In Skype's supernode-based hierarchical peer-to-peer architecture, some ordinary nodes were previously selected to double as supernodes. The selection criteria appear to be reachability and spare bandwidth. The supernodes maintain an overlay network among themselves and take queries from ordinary nodes associated with them.
However, Microsoft appears to have taken over and installed its own supernodes instead, following its purchase of Skype earlier this year. Changes in Skype's supernode setup were reported in the Expertmiami blog in May.
Microsoft had trimmed the number of supernodes from about 48,000 to 10,000, the blog pointed out. Those 10,000 supernodes run on Linux boxes using GRSecurity.
Skype's introduction of its own supernodes hasn't changed the underlying nature of its P2P architecture, in which supernodes simply allow users to find one another, the company's Gillett said in response to the Expertmiami report. The move to supernodes improves scalability, performance and availability of the Skype service, and calls do not pass through supernodes.
Supernodes and Security
If Skype should move to a proxy model with all traffic flowing through supernodes, "it would make it easier for bad actors of all flavors," NSS Labs' Patak said. That's "not because the keys are easier to find [but] because all the targets would pass through a central choke point."
However, because this approach would probably cause "major performance problems," it's not likely the route Skype is taking, he added.
Further, "there's no reason to believe that some hackers can't already break in and intercept communications," Randy Abrams, director of research at NSS Labs, told TechNewsWorld. "If you're not acting with this assumption, then you aren't thinking about security properly."
The fuss over the supernodes possibly making it easier to monitor communications over Skype could be a tempest in a teapot.
"The real question is, should you really be concerned about this level of security?" Tirias Research's McGregor asked. "Are you and your company doing anything that would warrant this level of security? With the amount of proprietary or secure information that's being passed through open email channels today, voice communications over Skype should be the least concern of individuals or companies."