Pierluigi Paganini
May 25, 2013
Microsoft intercept Skype conversations, the topic is at the center of a heated discussion. Before Microsoft acquisition the popular VOIP application was considered very secure and wiretap-proof, it was officially recognized that was impossible to intercept Skype conversation due its complex architecture and mechanism for the management of audio / video and text streams.
The situation changed when Microsoft acquired Skype for $8.5 Billion and its architecture was changed, officially for maintenance ameliorative. Just one month after the acquisition Microsoft obtained a patent for “legal intercept” technology specific for VOIP services such as Skype. This is pure randomness? Does Microsoft intercept Skype conversation?
Many security experts sustain the Skype architecture has been modified to enable “lawful interception” of calls and chat messages to respond to requests of the US Government. Of course Skype refused the charges justifying the modifies as a necessary upgrade, denying any surveillance purpose, anyway Skype PR man Chaim Haas, referring “company policy,” and industrial secrets wouldn’t confirm or deny, declaring about chat service
“[it] co-operates with law enforcement agencies as much as is legally and technically possible.”
The German researchers at heise Security have been notified, and then independently confirmed, “that every HTTPS URL sent over Skype gets checked from an IP address registered to Microsoft headquarters in the U.S.”, confirming that Microsoft is able to intercept Skype conversation.
Microsoft denied to intercept Skype conversation sustaining that the access to all messages sent via the chat is performed to remove spam and phishing links.
Microsoft provided a questionable answer declaring that Skype analyzes all conversations via chat officially to detect and block malicious links.
“Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched,””Skype also sends head requests which merely fetches administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.” The researchers pointed out.
Other independent researcher, including security consultant Ashkan Soltani who was hired by Ars Technica, conducted analysis of the case and confirmed that Microsoft access to some of URLs included in chat messages.
“The machines in question sends HEAD requests (meaning that it doesn’t request the full web pages) to which the server responds with HTTP headers. “
The technology writer Ed Bott wrote on ZDNet says that the IPs used to parse Skype chat messages are “reasonably certain” part of Microsoft’s SmartScreen system used to filter phishing messages, malware and spam. The infrastructure checks for message headers searching for malicious URLs.
Bott sustains that SmartScreen simply examines the host’s reputation checking the HTTP headers to detect fraudulent and malicious links, he also added that the SmartScreen examines only links that haven’t yet a reputation.
But it is obvious that the Skype encrypted communications must be decrypted to be analyzed and according to company Privacy Policy, “Skype can record and retain links and other content sent over Skype.”
Following an interesting excerpt from Skype’s privacy policy that reiterates that the company is able spy on user communications authorizing authorities access under explicit request.
Under Section 3 of the privacy policy, it is stated that
“Skype, Skype’s local partner, or the operator or company facilitating your communication may provide personal data, communications content and/or traffic data to an appropriate judicial, law enforcement or government authority lawfully requesting such information. Skype will provide all reasonable assistance and information to fulfill this request and you hereby consent to such disclosure..”
Under Section 12 it stated that
“Your instant messaging (IM) communications-content may be stored by Skype (a) to convey and synchronise your messages and (b) to enable you to retrieve the messages and history where possible. IM messages are currently stored for a maximum of 30 days unless otherwise permitted or required by law. Voicemail messages are currently stored for a maximum of 60 days unless otherwise permitted or required by law. Skype will at all times take appropriate technical and security measures to protect your information. By using this product, you consent to the storage of your IM communications as described above.”
Dan Goodin commented on Ars Technica
“There’s a widely held belief—even among security professionals, journalists, and human rights activists—that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party’s control. This is clearly not the case if Microsoft has the ability to read URLs transmitted back and forth,” .
Do Skype’s users know about this?
Pierluigi Paganini
(Security Affairs – Privacy, Skype)
