Scorecard Update: We Cannot Credit Skype For End-to-end Encryption | Electronic Frontier Foundation

thomwithoutanh's bookmarks 2016-08-11


In the Scorecard, we try to capture these two questions in different columns: systems which are end-to-end encrypted get a check mark for "encrypted so the provider can't read it"; systems which offer some method of protection against false keys and man-in-the-middle attacks get a check mark for "can you verify your contacts' identities." We know from the leaked Snowden documents that the limitations in the protocol or implementation were such that by 2013, Microsoft was capable of accessing the content of Skype text, video, and voice communications, at least in some circumstances for some users. But we didn't know how that capability worked: was it a break against the RC4 cipher Skype used? Was it a method for compelling Microsoft to issue false keys to selected Skype users? Or was it some other flaw in the traditional Skype client?


In an attempt to reconcile what we know from media reporting with what Microsoft says publicly, we gave Skype tentative credit for end-to-end encryption based on an interpretation of Microsoft's statement. We did not give Skype credit in the third criterion – an ability to verify contacts' identity. We hypothesized that Skype may still have end-to-end encryption, though it certainly doesn't protect against man-in-the-middle attacks, and we asked Microsoft whether that analysis was accurate. Microsoft initially told us they would provide a prompt response and asked to schedule a meeting, but failed to do so before our launch deadline.

In the case of Skype, we can't tell whether Skype lacks end-to-end encryption, or if it includes an implementation of end-to-end encryption that Microsoft is able to silently compromise in certain circumstances. Given the gulf between Microsoft's public statements, its statements to us, and reports in the media of what Microsoft's capabilities appear to be, we're removing Skype's check mark for end-to-end encryption. We invite Microsoft to publicly clarify the status of Skype's implementation of encryption.



Date tagged:

08/11/2016, 12:59

Date published:

08/11/2016, 08:59