Re: [ml] Skype

Su cryptography@xxxxxxxxxxxx 
(http://www.mail-archive.com/cryptography%40metzdowd.com/)
la discussione su Skype continua, e sembra andare di male in peggio. 
Allego un commento di Peter Gutmann, ma il consenso sembra essere che 
1. gli sviluppatori hanno ben poche cognizioni di crittografia e 
   sicurezza
2. si affidano a 'security through obscurity' ed al fatto di avere un 
   protocollo segreto e che continuano a cambiare
3. con l'uso diffuso, soprattutto da parte di giovani 'entusiasti', 
   presto ci potrebbe essere un reverse engineering del tutto, e se 
   questo succede si vedrà veramente come stanno le cose

d'altra parte chi di noi cifra le proprie telefonate?

Andrea

----- Forwarded message from Peter Gutmann <pgut001@xxxxxxxxxxxxxxxxx> -----

From: pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)
Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
Date: Wed, 12 Jan 2005 05:00:29 +1300
To: daw-usenet@xxxxxxxxxxxxxxxxxxxxxxxx
Cc: cryptography@xxxxxxxxxxxx

David Wagner <daw@xxxxxxxxxxxxxxx> writes:

>>Is Skype secure?
>
>The answer appears to be, "no one knows".  

There have been other posts about this in the past, even though they use known
algorithms the way they use them is completely homebrew and horribly insecure:
Raw, unpadded RSA, no message authentication, no key verification, no replay
protection, etc etc etc.  It's pretty much a textbook example of the problems
covered in the writeup I did on security issues in homebrew VPNs last year.

(Having said that, the P2P portion of Skype is quite nice, it's just the
 security area that's lacking.  Since the developers are P2P people, that's
 somewhat understandable).

Peter.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@xxxxxxxxxxxx

----- End forwarded message -----