Universities section
Many students at universities find themselves away from home for the first time in their lives. Whether that distance is across town or across the globe, Skype is increasingly playing a key role in keeping students and faculty in touch with their families, friends and colleagues.
University administrators frequently ask us about how Skype software can impact their networks, and about what they can do to improve their users' experience with Skype without impacting their network design. We've collected some of the questions asked of us in order to share our thoughts about campus use of Skype as widely as possible.
Can we use Skype's enterprise management features?
One of Skype's main goals is to protect our users from unauthorized eavesdropping. Along these same lines, we want to prevent the kind of impersonation that fraudsters often use over e-mail to trick users into giving up valuable personal information.
To achieve these goals, Skype issues every user of Skype a "digital certificate" that any user of Skype can present in order to establish the identity of the person placing or receiving a Skype call or chat. These digital certificates form the core of Skype's online directory, which permits users to find one another over the Internet without needing a central list of who's online.
What is a Digital Certificate?
A digital certificate is an electronic credential that can be used to establish the identity of a Skype user, wherever that user may be located. Just like a physical identity document, such as a driving license, a digital certificate must have certain properties in order to be used as a form of identification. In particular, it must:
- Name the specific account being identified;
- Be issued by an authority that can revoke the certificate at any time;
- Be difficult to counterfeit; and
- Contain the countersignature of the issuing authority, which, in this case, is Skype.
Authentication
Because Skype users all possess digital credentials, it is possible for any Skype user to verify the identity of any other Skype user. This process is called authentication: the proving of each party's true identification to the other.
Authentication is a critical step in ensuring secure communications. Imagine having a chat conversation with someone who claimed to be a business partner, but who is actually an impostor. The chat conversation could be as highly encrypted as possible, yet private information could still be divulged.
Encryption
Communications networks, such as the Internet, can be monitored by criminals and hackers at any number of points. This is one of the reasons why e-mail and many Internet chat programs are considered unsafe from a security point of view. In other words, because there are so many ways for unknown persons to monitor users' communications, users must take positive steps to protect themselves from this type of intrusion.
Encryption is the process of encoding a message, using principles of mathematics, in such a way that it is readable only by the intended recipient. Many kinds of encryption techniques have been developed over the centuries, but they all tend to resemble a lockbox and key: Once a secret message is put into the lockbox and secured with the key, it can only be read again by someone possessing the same key.
Skype uses well-known standards-based encryption algorithms to protect Skype users' communications from falling into the hands of hackers and criminals. In so doing, Skype helps ensure users' privacy as well as the integrity of the data being sent from one user to another.
Independent security review
This review of Skype's encryption (PGP signature file) provides a detailed assessment of the security framework that is incorporated into Skype products. Skype provides its users with protections against a wide range of possible attacks, such as impersonation, eavesdropping, man-in-the-middle attacks, and the modification of data while in transit.
The report describes the general protective mechanisms that are in use throughout Skype's infrastructure as well as the general security policy that defines the basis for all designs within Skype's operational framework.
How can we prevent our network from hosting supernodes?
Skype uses peer-to-peer communications in order to allow users to find one another. Consequently, a small percentage of our users will hold a record reflecting the online presence of other users. When one user holds a record concerning the presence of other users, the former is called a "supernode", or directory node.
Even though the traffic sent to supernodes is negligible, some institutions are interested in preventing users on their network from becoming supernodes and, thereby, answering directory enquiries for other users.
There are several ways to prevent a Skype client from becoming a supernode:
- Beginning with Skype 3.0, an explicit switch is provided in the registry settings to allow the disabling of supernode functionality.
- On any computer hosted on a network that is behind a network address translation (NAT) device or restrictive firewall, supernode functionality will be disabled.
- Skype clients behind an HTTP or SOCKS5 proxy will not serve as supernodes.
Enterprises typically opt for using the registry setting technique for turning off supernode functionality, simply because it is very straightforward to deploy a Windows GPO that contains the appropriate registry key setting. However, universities often find this more problematic because the computers may not be owned or operated by the host institution, making it difficult or impossible to ensure that registry keys are set properly.
In these cases, it may be more useful to set up a SOCKS5 proxy. Skype can be configured to use a SOCKS5 proxy, regardless of whether the client finds itself on a network with a public IP address or on one with a private IP address.
While the use of a SOCKS5 proxy still requires manual intervention by the user, the use of a proxy allows the economical "shaping" of Skype traffic. It has the additional positive side-effect of reducing supernodes on the network, reducing false-positive intrusion prevention system alarms and allowing for accurate measurement of Skype usage on the proxied network.
Other Useful Security Resources
Security for your computer
- Learn how to protect your computer from online threats
- Follow the "best practices" for protecting your PC
Security response
- Read Skype's security blog
- Skype's security bulletins
- Contact Skype to report any suspected security vulnerabilities
