Skype isn’t secure anymore

Not many people understand that the original Skype was based on very similar peer to peer networking technology like that used by Napster – specifically a product inspired by Napster called Kazaa that allowed file sharing without any centralised servers.

Because of this, Skype was uniquely able to offer a better quality of service than other Voice over IP systems of the day, for multiple reasons:

  • No centralised servers meant that capacity of the network grew as the number of users grew, with no bottleneck.
  • The peer to peer networking backend could get around almost any firewall and squeeze the maximum amount of bandwidth out of any connection.
  • Because messages and audio did not pass through a centralised system, it was impossible to wiretap Skype communications, making it very secure and popular with enterprises. In theory your connection could be tapped but the exact route your data was taking, which would be constantly changing, would need to be known.
  • Skype was at the time the only safe chat protocol not vulnerable to snooping or blocking by the Great Firewall of China, the only way to intercept Skype messages being to have keyboard tapping software on the specific computers used by those under surveillance.
  • Only the login service for verifying usernames, passwords and skype credit was centralised at this time.

It was also the reason why you would get those odd delays – sometimes months long with infrequent users – with chat messages, where if you were offline when someone messaged you, you wouldn’t receive the messages until they logged in again while you were also online. Or if you were in a group chat, until at least one other person who had been in the chat when the messages were first sent, was also connected when you re-connected, allowing the messages to be relayed on to you. Because there was no central relay that stored and forwarded the messages.

In fact relay is a key word in Skype’s architecture – any computer running Skype that had an open internet connection, would automatically become a local relay or proxy, a so-called ‘supernode’ that would act as a relay server for every other Skype user on the network.

If you ever made the mistake of simultaneously tethering your laptop to a mobile phone to use it’s internet connection, while simultaneously having your ethernet connected to a private LAN, all while running Skype on your laptop – you would quickly find 100% of your bandwidth being soaked up by Skype connections. This would be happening completely invisibly to you unless you were using a traffic sniffer like Wireshark.

For this reason, Stanford University, where every student has their own dedicated IP address rather, had to ban the use of Skype as they were running some 20% of the world’s Skype supernodes and it was using up all their bandwidth.

The only real weak-point in the old system was mobile apps connecting to the Skype network. Since the peer to peer networking code didn’t run on mobile phone devices, mobile apps would talk to relays in data centres run by an Israeli company called iSkoot (since acquired by Qualcomm) and communications between the phone and the relays as well as the relays themselves were vulnerable.

But – you don’t have to worry about those anymore, because since Microsoft acquired Skype, it no longer uses a peer to peer system. All messages and calls are now routed via Microsoft’s controlled supernodes in a more traditional client-server architecture. Therefore the entire network is vulnerable because this was done so that Microsoft can comply with American intelligence agency laws for snooping on electronic communications. Skype CAN now be wiretapped, thanks to Microsoft. In fact, this happened as long ago as early 2012, and since then among other things you would notice messages sent when you were offline coming through immediately, but also that Skype can be blocked in China when it could not be before. Ironically Microsoft claims this makes it MORE secure because it means your communications traffic is not passing through strangers’ computers which might be compromised, which is bullshit because all internet traffic travels through strangers’ computers, that’s how the internet works. The difference is the traffic now takes a direct route through easy to wiretap backbone infrastructure, instead of circuitous and impossible to trace routes.

Our recommendation then, is that Skype is no longer fit for use by enterprises as a secure communications medium, and is not ISO27001 compliant.