Considering Skype’s Use of SSL
We all know that employees' use of Skype, whether for personal or business purposes, is exploding. The service reported an average of 145 million connected users per month in the fourth quarter of 2010. That was before Facebook rolled out its Skype-powered group video chat service to 750 million users worldwide by August 2011, and before the Verizon 4G LTE mobile broadband network deal to integrate Skype on all phones took effect. Other Skype-powered deals have since emerged as well, such as the OnStar Skype-enabled system in GM cars.
Skype uses SSL and the Advanced Encryption Standard (AES), together with the RSA algorithm for its public key cryptography. How this combination breaks down as a security model is explained in Myth 3 and Myth 6 of our series on debunking SSL myths. Suffice it to say that Skype is not nearly as secure as people think. As we saw in Myth 5, public key cryptography is susceptible to the infamous man-in-the-middle (MITM) attack. As a result of these revelations, Skype and Facebook users need to be very concerned about what they disclose in their personal and business conversations.
The net effect of attacks against the trust model for mobile certificates and use of Skype should leave CIOs and network security architects uneasy about SSL and about using it to secure mobile devices and Skype within their network ecosystems. Employees are using both, and policies restricting mobile devices and Skype use are no longer effective or logical.
What do you think? Is Skype a secure communication channel for the enterprise?