---- Original message ----
>Date: Fri, 18 Nov 2005 11:14:22 +0800
>From: Lars Hansson <[EMAIL PROTECTED]>
>Subject: Re: skype security?
>To: misc@openbsd.org
>
>Skype was brought to you by the same people who brought you
>Kazaa. Draw your own conclusions regarding ethics, security and
>openness from that.
Yeah, things like this make me worried about using Skype. I also read through the paper by Dr. Berson and he lists some possible MITM attack routes against Skype. The one that really caught my eye (ow!) was this one:

"A last scenario requires defeat of the security mechanisms at the Skype Central Server. As I pointed out above, digital certificates created by the certificate authority are the basis for identity in Skype."

Since the central server is a KDC of sorts, it would be the ideal place to put a backdoor. You could just "forge" the identity certificates that are stored in the central server's database and you have a very easy wiretap. I'm pretty sure this would easily facilitate hijacking session keys, but I guess we can't really know about that unless we look at the source.

Cheers,
Jake
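An added illustration of the point Jake is making, not part of his message, of the Berson paper, or of Skype's actual code: a toy identity-certificate scheme in Go. The certificate body ("user || key" signed with Ed25519), the constructed deterministic seeds, and the names are assumptions for the example, not Skype's real format. It shows that whoever holds the central server's CA key can issue a second certificate binding "alice" to a key the attacker controls, that a peer verifying against the CA key accepts the forged binding exactly as it accepts the genuine one, and that an outsider without the CA key cannot do the same. The only signal left to the peer is that Alice's key differs from the one seen before, which is what pinning a peer's key from a prior session would catch.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// IdentityCert binds a user name to a public key. The CA signature over
// that binding is the only thing a peer checks. (Layout is an assumption
// for this example, not Skype's real certificate format.)
type IdentityCert struct {
	User   string
	PubKey ed25519.PublicKey
	Sig    []byte // CA signature over certBody(User, PubKey)
}

// certBody is the signed message: name, a separator, then the raw key.
func certBody(user string, pub ed25519.PublicKey) []byte {
	return append([]byte(user+"\x00"), pub...)
}

// Issue is what the central server's CA does at enrolment. Note that it
// takes any name and any key: holding caPriv is the entire authorisation.
func Issue(caPriv ed25519.PrivateKey, user string, pub ed25519.PublicKey) IdentityCert {
	return IdentityCert{User: user, PubKey: pub, Sig: ed25519.Sign(caPriv, certBody(user, pub))}
}

// Verify is all a peer can do on its own: check that the CA vouched for
// the name/key binding. It has no way to ask "is this the *right* key".
func Verify(caPub ed25519.PublicKey, c IdentityCert) bool {
	return ed25519.Verify(caPub, certBody(c.User, c.PubKey), c.Sig)
}

// keyPair derives a deterministic Ed25519 key pair from a label so the
// example runs offline and reproducibly. Constructed seeds; never do this
// for real keys.
func keyPair(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed-seed:" + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Result records what Bob's verifier concludes about each certificate.
type Result struct {
	GenuineAccepted bool // Alice's real certificate verifies
	ForgedAccepted  bool // CA-signed certificate for "alice" with the attacker's key also verifies
	OutsiderRejected bool // certificate signed by a non-CA key is rejected
	KeyChanged      bool // the one detectable difference: "alice" now has a different key
}

// RunScenario models the thread's scenario: the party that controls the
// central server's CA key mints a certificate binding "alice" to a key the
// attacker holds, and a peer trusting the CA cannot tell it from the real one.
func RunScenario() Result {
	caPub, caPriv := keyPair("central-server-ca")
	alicePub, _ := keyPair("alice")
	mitmPub, _ := keyPair("attacker-mitm")
	_, outsiderPriv := keyPair("outsider-without-ca-key")

	genuine := Issue(caPriv, "alice", alicePub)        // legitimate enrolment
	forged := Issue(caPriv, "alice", mitmPub)          // same CA key, attacker's public key
	outsider := Issue(outsiderPriv, "alice", mitmPub)  // no CA key: cannot forge

	return Result{
		GenuineAccepted:  Verify(caPub, genuine),
		ForgedAccepted:   Verify(caPub, forged),
		OutsiderRejected: !Verify(caPub, outsider),
		KeyChanged:       !bytes.Equal(genuine.PubKey, forged.PubKey),
	}
}

func main() {
	r := RunScenario()
	fmt.Printf("genuine cert accepted:        %v\n", r.GenuineAccepted)
	fmt.Printf("CA-forged cert accepted:      %v\n", r.ForgedAccepted)
	fmt.Printf("non-CA-signed cert rejected:  %v\n", r.OutsiderRejected)
	fmt.Printf("alice's key changed (pin it): %v\n", r.KeyChanged)
}
```

The takeaway for a practitioner is that a verifier which only checks the CA signature has no defence against a compromised or coerced CA; the forged and genuine certificates are indistinguishable to it. What does survive is key continuity: if Bob's client pins the key it last saw for "alice" (or a fingerprint is compared out of band), the substitution shows up as KeyChanged, which is the only bit in the result that the CA holder cannot control.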