The Sky(pe) is falling! Skype moves to the cloud, but what about security?
Microsoft's move of Skype to the cloud comes with a continuing lack of disclosure on security and privacy.
Skype is moving to the cloud from its previous peer-to-peer (P2P) approach, and the sky is falling! Ok, not quite. It’s not a revolutionary move, given changes Microsoft already made in Skype’s infrastructure in 2012 after its acquisition of the service from eBay, which in turn bought it from its founders. Rather, it’s a technical and business change that lets Skype more rapidly roll out services that have a heavy reliance on back-end server elements, and which can be more reliable if handled centrally.
Centralization doesn’t have to reduce a user’s expectation of privacy. But because Skype has never provided substantive disclosure about how it encrypts data and exactly how much of your private texts, voice calls, and video sessions it hands to governments, we have little information on which to make a judgment. Centralizing Skype makes it somewhat easier to tap conversations, although there’s no good reason to change the architecture entirely for that purpose.
The Guardian newspaper reported in 2013, based on documents provided by NSA whistleblower Edward Snowden, that the NSA had dramatically increased its ability to collect data from Skype several months after the Microsoft acquisition. In response, Microsoft reiterated its policy about working with legal requests, but has never clarified or refuted whether it can tap into encrypted conversations.
I don’t suggest the move to the cloud is a reason to stop using Skype—that reason has been in place since any other option existed with greater transparency about how its end-to-end encryption works.
When the Internet was thinly spread and expensive
When Skype’s founders started to build the system in 2003, the Internet was much less resilient, and it was extremely expensive to buy and manage servers in data centers and carry huge amounts of traffic around the net. Rather than rely on centralization and a requirement of high-quality routes between data centers and end users, Skype used peer-to-peer (P2P) technology that let every other logged-in Skype user’s copy of the software share some of the load.
This was a revolution in the developing world, where network infrastructure has since substantially improved due to the rise of inexpensive cell phones, but at the time was stretched thin. Even in highly industrialized nations in the early 2000s, it was often unbelievably expensive to make non-local calls. I traveled briefly through Europe in 2000 and Costa Rica in 2002, and every tiny storefront had some kind of national or international calling service advertised. Many used low-speed dial-up phones and voice over IP relays.
Skype was built like a series of tin cans with string stretched between them, and had extremely efficient voice-compression algorithms (codecs) and a lot of tolerance for dropped packets and high latency. A villager in South America could go to an Internet café and pay for a relatively affordable slice of time compared to other methods and make a call to a relative in the United States that probably sounded not much worse than long-distance phone service.
Many network endpoints were (and still are) hidden behind network address translation (NAT), which allows a single public Internet address to be shared by any number of privately routed internal addresses. Nearly all home and business networks are set up this way, because a public Internet address can expose a system to more risk, and because the old-style addresses still in use are scarce and thus expensive to obtain. (Old-style addresses use IPv4, a decades-old standard; IPv6, developed almost 20 years ago, is still making inroads and will solve scarcity and other problems.)
Skype’s inventors got around this problem with supernodes, which until 2012 were any Skype user’s copy of the program that was on a publicly addressed network segment. (You can read this very detailed examination for more.) The supernodes would let Skype software that couldn’t directly reach other software connect, but at least at times would also route portions of calls and files transferred. In areas with poor connectivity, peer-to-supernode connections could act like a smaller pipe connected to a bigger one, allowing communications where a direct route to a data center wouldn’t have worked.
According to an analysis by a researcher in 2006, a supernode could carry up to about 100Kbps of data while routing calls and file transfers, although the median was 60Kbps when relaying data. (The researcher was then at Cornell University and collaborated with two Google researchers; now he’s at Microsoft Research.)
Couldn’t supernodes enable snooping? Not precisely, but it didn’t hurt, either.
Look, up in the cloud! It’s a supernode!
Skype was designed from the start with what was then robust end-to-end encryption. Data sent between two peers was encrypted so that only each recipient’s software could unscramble it, making it essentially safe to pass through other supernodes. Supernodes, if monitored, could reveal information about endpoints’ IP addresses and other metadata, but little else.
However, Skype has only ever revealed sketchy details about its system. On its site, there’s only this thin page. Apple, often seen as very tight-lipped, has a 63-page PDF detailing iOS security, including iMessage. The Electronic Frontier Foundation (EFF) gave Skype an extremely poor score in evaluating messaging safety as a result; Apple’s is much higher.
What’s known is that each Skype client is issued a private/public key pair using public-key cryptography. If implemented well, communications between any set of clients all using Skype should be effectively impossible to listen in on. However, there’s a flaw. Skype issues the digital certificates that validate legitimate access to an app’s private key in such a way that it’s possible for Skype to create any number of additional certificates that also pass muster.
Apple’s system for iMessage and FaceTime is designed so that Apple creates private keys and can’t access them later or spoof new ones. The same is true for all systems that rely on the Signal protocol developed by Open Whisper Systems, which includes the WhatsApp messaging system’s software.
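As an added illustration of the two preceding paragraphs (constructed for this article, not Skype's code and not a description of its actual implementation), this Python model shows why a provider that issues user-to-key certificates can also certify a second key for the same user that verifies just as well, and how pinning a peer's key fingerprint (what Signal-style apps show as a safety number) lets a client notice the swap. The HMAC standing in for the provider's signature, the user names and the keys are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
# Constructed model, not Skype's code: the provider certifies which public key
# belongs to a user and can just as validly certify a second key for that user.
# Its signature is modelled as an HMAC under a secret only the provider holds.
class Provider:
    def __init__(self):
        self._signing_key = secrets.token_bytes(32)
        self.issued = {}  # audit count of certificates issued per user
    def _tag(self, user, pubkey):
        return hmac.new(self._signing_key, user.encode() + pubkey, hashlib.sha256).digest()

    def issue_cert(self, user, pubkey):
        self.issued[user] = self.issued.get(user, 0) + 1
        return (user, pubkey, self._tag(user, pubkey))  # (user, key, provider tag)

    def verify_cert(self, cert):
        user, pubkey, tag = cert  # clients defer to the provider's trust root
        return hmac.compare_digest(tag, self._tag(user, pubkey))

class Client:
    def __init__(self, provider, pin_keys):
        self.provider, self.pin_keys = provider, pin_keys
        self.pinned = {}  # peer -> fingerprint of the key first seen
    @staticmethod
    def fingerprint(pubkey):
        return hashlib.sha256(pubkey).hexdigest()[:16]  # the "safety number"

    def accept_peer_key(self, cert):
        user, pubkey, _ = cert
        if not self.provider.verify_cert(cert):
            return False  # forged or tampered certificate
        if not self.pin_keys:
            return True  # provider approval is the only check, so any cert passes
        fp = self.fingerprint(pubkey)
        if user not in self.pinned:
            self.pinned[user] = fp  # trust on first use
            return True
        return self.pinned[user] == fp  # key changed: refuse until the user confirms

def demo():
    # Returns (naive client accepts swapped key?, pinning client accepts?, certs issued)
    provider = Provider()
    genuine = provider.issue_cert("alice", secrets.token_bytes(32))
    second = provider.issue_cert("alice", secrets.token_bytes(32))  # equally valid
    naive, pinning = Client(provider, False), Client(provider, True)
    for client in (naive, pinning):
        client.accept_peer_key(genuine)  # first contact pins alice's genuine key
    return naive.accept_peer_key(second), pinning.accept_peer_key(second), provider.issued["alice"]
```

The naive client cannot tell the two certificates apart because both carry the provider's approval; only the client that remembers the first-seen fingerprint refuses the second key, which is the property the article credits to iMessage and the Signal protocol.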
Adding to concerns, Microsoft eliminated peer-based Skype supernodes in 2012 and moved all supernodes to the cloud. At the time, some speculated that was to allow easier “wiretapping,” although that ability already existed. Shifting to the cloud makes it easier still, though not much more. Skype will also support a Web-based app, which by its nature will have less ability to provide strong end-to-end encryption.
Cloud cuckoo land
Microsoft put out a statement about the latest move: “The changes to Skype’s architecture will not impact our current privacy statement. We are committed to delivering a secure experience for our users and Skype software applies highest industry standard encryption to all Skype audio and video calls. It is an important part of our security strategy now and as we make the transition over to a cloud infrastructure.”
This answers zero questions about what that secure experience is and how it’s implemented. With options like iMessage for Apple ecosystem users, WhatsApp for nearly every platform, and very strongly protected additional offerings like Signal from Open Whisper and Silent Circle’s hardware and apps, there’s no reason to settle.
If you want to have the most robust and most protected communications, regardless of the reason, Skype isn’t it. The move to the cloud makes it worse at privacy than it was before, but without a full, independent, and published report on the apps, algorithms, and infrastructure, we can only assume they don’t meet the high bar set by so many other apps and systems.