Wednesday, July 30, 2008

a (false) sense of security

Most of the time you use a service/product trusting the vendor's claims/guarantees/PR, but how often do you think about and inspect their promises against the technical side? Not very often, right? :-)

Do people trust Skype as safe? Yeah, sometimes. But if you read a bit about it, you'll be worried. FaceTime's GEM product can see/filter URLs from your Skype IMs; WoW, what a feat! (why stop at URLs?) They are doing GEMs in partnership with Skype.com, so you can safely RIP the security/privacy of your Skype messages.

What about the Skype calls? What about them?! If your IQ representation takes 3 digits, you can figure it out easily: your user/pass is the only way to authenticate to Skype; take them to another computer, type them in, wua.la... you're in. If you leave Skype online a bit longer on a few computers you'll notice some nice side effects: IMs are broadcast to all instances. (what a) nice feat! (again).

If IMs are broadcast, why shouldn't voice/VoIP inherit the same property? Yeah, just because this guy security-reviewed an ancient version of Skype doesn't mean it's safe forever after. In his paper you'll get to know the jargon about public/private keys, complicated mathematics that are basically rendered useless by the front door: user authentication with nickname & password. If they/Skype had used public/private keys from the beginning/front door (by letting an open source tool manage the keys and the encryption/decryption/signing process) they would have angered a lot of 3-letter-nicknamed organizations, worldwide. (not to mention the corporate world). But that didn't happen. Instead, they chose the downside of closed source software. Now, presuming that Skype.com had followed (somehow) the open source road, what would you have done next? Embarking on the next trip...

Generating the public/private keys. Going to Thawte.com for it will reinforce your (false) sense of security. Thawte is well known for their SSL certificates, but they also have this other nice feat: free personal certificates for email. You generate the public/private keys (on their site), you download them, you use them. The catch? At all times your secret/private key is with them. Try this: your encrypted email lands in the hands of some 3-letter-named org, they send their regards to Thawte, which in turn gives them your secret key. Security/Privacy? ("at its best")

So, I guess you're left (again)... with your open source friends :-)
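What keeping the private key at home looks like with an open source tool, as an added example that is not part of the original post: the key pair is generated locally with OpenSSL, and only a certificate signing request carrying the public key would go to a CA. The function names, file names and e-mail address are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). File names user.key / user.csr
# and the subject passed in are constructed placeholders.

make_local_identity() {
    # $1 = working directory, $2 = e-mail address used as the subject CN
    local dir="$1" email="$2"
    # Generate the private key locally, readable by the owner only.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/user.key" 2>/dev/null ) || return 1
    # The CSR is the only file meant to leave this machine.
    openssl req -new -key "$dir/user.key" -subj "/CN=$email" \
        -out "$dir/user.csr" 2>/dev/null || return 1
}

csr_is_safe_to_send() {
    # Returns 0 only if the CSR in $1:
    #   1. carries a valid self-signature (proof of possession of the key),
    #   2. contains no private key block,
    #   3. holds the same public key as the private key kept locally.
    local dir="$1" from_csr from_key
    openssl req -in "$dir/user.csr" -noout -verify 2>&1 \
        | grep -qi 'verify ok' || return 1
    ! grep -q 'PRIVATE KEY' "$dir/user.csr" || return 1
    from_csr=$(openssl req -in "$dir/user.csr" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$dir/user.key" -pubout 2>/dev/null)
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}
```

The CA signs whatever public key is in `user.csr`; `user.key` stays in the local directory the whole time, so there is no copy for a third party to hand over.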

Some other service I was promoting to you here was... wua.la - some p2p brother of Skype that plays with your backup/files. Again, their service would have been great if they had managed to let the open source tools do the encryption/decryption and public/private key handling. Unfortunately, they don't... (and most likely, won't). Why provide security/privacy/protection to your user base when you can channel your dev efforts to the next big thing, web gui?


Note to self(s):

+ use open source
+ transparent SSH your way out (or in, :big grin: )
+ for (some) privacy in (small) companies (who might not afford GEMs), use skype
+ in big corporados, be open source only (pidgin + pidgin.encryption plugin might* do wonders :-)
+ if forced against the wall, use https://mail.google.com and its integrated gtalk client (it should* be able to do wonders as well :-)


* - needs some further testing; a fight to be fought some other day...
