Think your Skype messages get end-to-end encryption? Think again | Ars Technica

thomwithoutanh's bookmarks 2013-05-20

If you think the private messages you send over Skype are protected by end-to-end encryption, think again. The Microsoft-owned service regularly scans message contents for signs of fraud, and company managers may log the results indefinitely, Ars has confirmed. And this can only happen if Microsoft can convert the messages into human-readable form at will.

With the help of independent privacy and security researcher Ashkan Soltani, Ars used Skype to send a four Web links that were created solely for purposes of this article. Two of them were never clicked on, but the other two—one beginning in HTTP link and the other HTTPS—were accessed, by a machine at 65.52.100.214, an IP address belonging to Microsoft. For those interested in the technical details, the log line looked like this:

'65.52.100.214 - - [16/May/2013 11:30:10] "HEAD /index.html?test_never_clicked HTTP/1.1" 200 -'

The results—which were similar but not identical to those reported last week by The H Security—prove conclusively that Microsoft not only has ability to peer at the plaintext sent from one Skype user to another, but that the company regularly flexes that monitoring muscle.

Read 9 remaining paragraphs | Comments