12

I use Skype a lot, with all of my clients, staff, contractors and friends. However, the acquisition by Microsoft worries me, as two of my clients are direct MS competitors, and I often work on long projects which are in development for over a year before they are launched to the public and are therefore pretty sensitive.

It's most likely paranoia, but I started wondering if there was a way to easily encrypt the chat so that the server wouldn't see anything useful.

Does this kind of thing exist?

If not, are there any alternatives people can think of?

Ilmari Karonen
Alex
  • From a person that I know who works with security a lot I've also heard this. He says that because Microsoft is much bigger, authorities already have contact with them, and it's much easier to submit such snooping requests for governments. Don't get me wrong, small companies are just as easy to threaten and get data from, but authorities don't give it much of a priority. It seems Skype is relatively hard to snoop though, changing encryption key every day... I don't know the details. – Luc Apr 18 '13 at 19:49
  • // , Consider Tox.im, the safe Skype alternative. It is open source, Peer to Peer, and encrypted by default. – Nathan Basanese Jun 09 '15 at 22:47
  • // , Tox encryption is "End to End", meaning that it isn't stored on a server, decrypted, somewhere, as an intermediate step. – Nathan Basanese Jun 10 '15 at 05:38

5 Answers

8

There have been several suggestions that Skype is indeed backdoored and eavesdroppable. If you're concerned about it because Microsoft is now the owner, there are plenty of other alternatives to Skype, which I would suggest as the easiest and cleanest solution (besides, if MS is your competitor, why would you buy their services?). Some of the alternatives, like Jitsi, document their security quite well and are open source, which lets you check if they're doing anything sus.

To answer your question about the chat: I came across this guide, which is a plugin for Pidgin that allows for encrypted chat messaging and Skype functionality, but I don't think it improves the security of the calls made. The other party will obviously need the plugins installed as well, but if you're serious about improving the security then it should be worthwhile.

As a side note, @TildalWave pointed out in the chat that Microsoft brags about an independent Skype security review; however, the paper they brag about is dated 2005, from before Microsoft bought Skype and before they implemented changes to the encryption protocol from peer-to-peer key distribution to centralized public key distribution.

NULLZ
5

That Skype might be backdoored has long been a concern. See link below.

https://ultraparanoid.wordpress.com/2007/06/19/why-skype-is-evil/

I also noted in a past review I did that the official, independent crypto review and the description gained by a reverse engineering team differed significantly. The latter had design flaws and working exploits. Also, Skype's network controls the encryption keys so it must be assumed they have access to your calls.

The acquisition by Microsoft isn't a huge risk, I don't think. I do say, though, why take the chance if there are alternatives to Skype? Some are listed below.

Zfone. The ZRTP protocol underlying this protects end-to-end and has a better security outlook than most others. This can work with (compatible) VOIP clients. (Jitsi supports it, for instance.)

Softphone with built-in crypto. It may or may not be very strong. However, if it's end-to-end, it's still more private than Skype. (PhonerLite, TiviPhone, OctroTalk are examples.)

Redphone on Android or similar free/commercial option for encrypted voice on mobile.

One of the earlier methods of protecting Internet voice was simply running it over a VPN or link encryptor. So, you might be able to work out a VPN setup with a server/host on your network and a simple client for them to use. Then, they can connect and run the voice call through it. The above options sound easier, though.

Nick P
  • 1
    Another one is SilentCircle's SilentPhone – NULLZ Apr 18 '13 at 01:05
  • Yeah they have a nice solution. I probably forgot to mention it b/c I got into it with the company over their marketing. They kept implying their hiring Navy SEALs meant something about their product's security. I slammed them for it. – Nick P Apr 18 '13 at 02:12
  • 1
    Before the MSFT acquisition, Skype had a much more peer-based model. Microsoft added centralization to its network design for performance reasons. Just something to keep in mind. – Chris Ballance Sep 06 '15 at 15:13
  • I think you meant eBay acquisition because it was weird, overly obfuscated, and insecure way before Microsoft acquisition. Anyone wanting to copy the better P2P architecture can use the document below. Anyone wanting to see why they shouldn't trust it can look at the document below that. It's only more true post-Microsoft. – Nick P Sep 13 '15 at 18:44
  • http://www1.cs.columbia.edu/~salman/publications/skype1_4.pdf – Nick P Sep 13 '15 at 18:45
  • https://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf – Nick P Sep 13 '15 at 18:45
3

If you like to chat in a secure way: use any XMPP service (e.g. Jabber) and overlay it with OTR. A list of supported programs can also be found on Wikipedia.

Videochatting is not supported...

Dr.Ü
2

https://prism-break.org/en/all/#video-voice

This is a list of alternatives to Skype, all of which are encrypted.

user64441
0

You can use the open-source Linphone to place secure calls. It supports:

HD Audio and video call

Secure communications (TLS, SRTP, zRTP)

You would need to use a free SIP service that supports authenticating and transporting traffic through TLS (not all do), like Linphone SIP service or Ostel.

For detailed instructions on how to set up secure calls with Linphone see:

landroni