Skype … once upon a time a VOIP application considered very secure and wiretap-proof, it was the common belief that no one could intercept such communications due a complex mechanism for the management of audio / video and text streams. One day, Microsoft decided to buy the product, according to many to catch a significant portion of users fond of Skype, but according many experts the company of Redmond wasn't interested only to acquire new market share.
The architecture of the popular VOIP infrastructure was improved according Microsoft, in reality it is common thought that it was implemented the possibility to intercept every conversation, as requested by US government to major service providers. The claim is that Law enforcement and intelligence agencies are today able to access the communications exchanged by Skype users and Microsoft has still not been adequately answered to various question on the matter.
The German associates to H security magazine at heise Security have been notified, and then independently confirmed, "that every HTTPS URL sent over Skype gets checked from an IP address registered to Microsoft headquarters in the U.S."
Microsoft assumed a defensive position declaring in good faith sustaining that the access to all messages sent via the chat is performed to remove spam and phishing links.
Obviously, the answer is unsatisfactory and inconsistent with what until now supported, in fact it is stated that Skype analyzes all conversations via chat officially purge them from malicious links.
"Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched,""Skype also sends head requests which merely fetches administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content." The researchers pointed out.
Other independent researcher, including security consultant Ashkan Soltani who was hired by Ars Technica, conducted analysis of the case and confirmed that Microsoft access to some of URLs included in chat messages.
"The machines in question sends HEAD requests (meaning that it doesn't request the full web pages) to which the server responds with HTTP headers. "
Ed Bott, an award-winning technology writer, on ZDNet says that the IPs used to parse Skype chat are "reasonably certain" part of Microsoft's Smart Screen infrastructure a filtering system used to filter phishing messages, malware and spam. The infrastructure checks for message headers searching for malicious URLs.
Bott sustains that Smart Screen simply examines the host's reputation checking the HTTP headers to detect fraudulent and malicious links, he also added that the Smart Screen examines only links that haven't yet a reputation.
But it is obvious that the Skype encrypted communications must be decrypted to be analyzed and according to company Privacy Policy, "Skype can record and retain links and other content sent over Skype."
"There's a widely held belief—even among security professionals, journalists, and human rights activists—that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party's control. This is clearly not the case if Microsoft has the ability to read URLs transmitted back and forth," commented Ars Technica's Dan Goodin.
Do Skype's users know about this?