Leveraging an https (URI_introduced) session requires the client using the URI (e.g. Microsoft) having access to the session id of the legitimate client. This is normally not possible, since clients rarely share session id databases.
Correctly, one comments that sensitive data is present in the (cleartext) URI, that happens to have an https scheme component. Since the data is in the clear, it was obviously not deemed sensitive by the party citing the https URI.
The analysis and implied conclusions are bogus.
That Microsoft scans https (but not http) URIs in Skype streams in realtime is interesting - from the perspective of trap and trace public policy.
Posted by peter williams at May 16, 2013 03:38 PM

FYI; I tested an http (non-ssl) link and got the standard HEAD ping on it in <3 hours
Posted by Jon C at May 16, 2013 03:45 PM

From Full Disclosure list:
http://kirils.org/skype/stuff/pdf/2011/ms_thesis_analysis.pdf
Analysis and detection of Skype network traffic by Luboš Ptáček
Abstract
This thesis deals with traffic identification of the Skype application. Payload
and flow based analysis of the standby traffic and voice calls is done. Skype
flow patterns are used to create a plugin for NfSen to detect UDP voice calls
in the network.
There is absolutely no reason that users should expect privacy nor security from Skype, under Microsoft ownership or otherwise!
The solution to the concerned is simply a couple of clicks away! In other words, switch from Skype to Jitsi or Pidgin-OTR! From proprietary software to open source, from privacy by policy to privacy by design.
Unfortunately it's not only “all your skype” that belongs to them, but rather all your communications (phone calls, emails, skype, instant messages, facebook, twitter, and pretty much everything cloud). Unless it's properly encrypted/decrypted locally and adhering to proper security procedures, you can pretty much assume it belongs to everyone.
Putting it all together presents a gloomy outlook, ECHELON to the power of a hundred or Raytheon's “pre-crime” RIOT program. Is it our fault that users are negligent and careless for their privacy and security?
The same issue has plagued emails; after all, PGP encryption has been out since 1991. Over 20 years later, how many people use it today?
Posted by Yazid at May 21, 2013 12:40 AM

Quote: Elsewhere in his interview with Lake, Greenwald explained that one potential lapse almost led to the loss of the intelligence.
“When I was in Hong Kong, I spoke to my partner in Rio via Skype and told him I would send an electronic encrypted copy of the documents,” Greenwald said. “I did not end up doing it. Two days later his laptop was stolen from our house and nothing else was taken. Nothing like that has happened before. I am not saying it’s connected to this, but obviously the possibility exists.”
Posted by Skype being used to track Snowden journalist? at June 28, 2013 05:10 AM