By Michael Gough
March 06, 2007
There's been a lot of information -- and misinformation -- available about
whether Skype is dangerous to corporate networks and individual users.
How dangerous is it? In this article, I'll separate the truth from the
myths when it comes to Skype vulnerabilities.
Understanding Skype's basic architecture
Skype is a peer-to-peer (P2P) application, meaning that users connect to
one another directly and not through a central server for communication.
Skype initially uses Internet-based servers to authenticate users when
they log in and to track their status, but when a "chat" or instant
message, "voice call" or "file transfer" is initiated, the parties
involved in the communication do so in a P2P direct connection. If one
or both of the users are behind a typical corporate Network Address
Translation (NAT) firewall, the communication can be relayed through a
Supernode because a direct P2P connection can't be established behind a NAT. In the
case of a file transfer, you will see a message indicating your transfer
is being relayed.
One of security professionals' primary concerns about Skype is that it's so
easy for a Skype client to find a way around a secure corporate firewall
configuration. Skype does this by using ports 80 and 443, which are open
in most firewalls to allow Web browsing. In addition, Skype may reroute
traffic if the initial port assigned during the Skype installation isn't
available. This makes blocking Skype at a firewall more difficult since
the ports Skype uses can change as needed.
Skype also encrypts each communication with a unique AES 256-bit
encryption key, meaning each communication will use a different key each
time you communicate, making eavesdropping communications almost
One more thing to keep in mind about Skype security is its Supernodes,
which route Skype traffic. A Supernode is a computer with a specific
configuration that must have a direct connection to the Internet and
can't be behind a firewall using NAT. And they must have a "real" public
routable IP address. Beyond those restrictions, these Supernodes can be
any Skype user computer that meets the minimum hardware and
There's a lot more you can learn about Skype's security architecture.
For details, visit the Skype Security Resource Center.
Now that you have an understanding of how Skype works, we can look at
whether it's dangerous. There are a lot of misconceptions floating
around about Skype. Here are the five most common:
1. Skype uses a lot of bandwidth on a network.
2. Any computer can be a Supernode.
3. Skype is like any other IM application and susceptible to IM worms
4. Skype is hard to stop on my network.
5. Skype is encrypted so I cannot archive IM messages.
Let's take a look at each of them in turn:
Myth No. 1: Skype uses a lot of bandwidth on my network
Skype actually uses very little bandwidth, approximately 30Kbit/sec. per
voice call. If a user's computer becomes a Supernode, then yes, a
Supernode will consume a tremendous amount of bandwidth. But remember
you must be on a system directly connected to the Internet in order to
become a Supernode, and in most corporate configurations PCs aren't
directly connected to the Internet, so this is normally not an issue.
Myth No. 2: Any computer can be a Supernode
We've already learned that a system must have a routable IP address and
sit directly on the Internet to become a Supernode. If a computer
resides in a typical company network protected by a firewall that
provides NAT, using a 192.168.x.x or 10.x.x.x private IP address scheme,
then it's impossible for it to become a Supernode. NAT firewalls and
even home routers prevent many systems from becoming Supernodes.
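As an added example (not part of the original article), the address precondition described under Myths 1 and 2 can be audited against a host inventory. The inventory format, host names and addresses are constructed, with the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges standing in for public addresses; a public address is only the article's stated precondition, not proof that a host is acting as a Supernode.

```python
import ipaddress

# Ranges that cannot be reached from the Internet without NAT. The article
# names 192.168.x.x and 10.x.x.x; the rest of RFC 1918 and other common
# non-routable IPv4 ranges are added here as a generalization.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",   # carrier-grade NAT shared space
    "169.254.0.0/16",  # link-local
    "127.0.0.0/8",     # loopback
)]

# When a host has several interfaces, the highest-ranked verdict wins.
RANK = {"invalid": 0, "nat-only": 1, "supernode-eligible": 2}

def classify(addr_text):
    """Classify one IPv4 interface address against the Supernode precondition."""
    try:
        addr = ipaddress.IPv4Address(addr_text)
    except ipaddress.AddressValueError:
        return "invalid"
    if any(addr in net for net in NON_ROUTABLE):
        return "nat-only"            # must sit behind NAT to reach the Internet
    return "supernode-eligible"      # publicly routable: review this host

def audit(inventory_text):
    """Parse 'hostname address' lines and return {hostname: verdict}."""
    findings = {}
    for raw in inventory_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        host = fields[0]
        verdict = classify(fields[1]) if len(fields) == 2 else "invalid"
        if RANK[verdict] >= RANK.get(findings.get(host), -1):
            findings[host] = verdict
    return findings

# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = """
# hostname      interface address
ws-finance-01   192.168.10.23
ws-eng-14       10.4.7.90
lab-dmz-02      203.0.113.45
lab-dmz-02      172.16.5.2
kiosk-lobby     198.51.100.7
printer-3f      192.168.1.300
"""

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {verdict}")
```

Hosts reported as supernode-eligible are the ones to check for a Skype install and for unexpected bandwidth use.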
Myth No. 3: Skype is susceptible to IM worms and viruses
Last year, there were 1,355 viruses or worms that affected IM clients
through early December, according to Akonix Systems Inc., and not one of
those affected Skype. Though Skype did have two security alerts in 2006,
four in 2005 and one in 2004, none of these has been exploited.
The main vulnerability of IM applications is their file transfer
feature, which can be exploited to allow anyone to send a file that
contains possible malware. To protect against this, Skype file transfers
can be scanned with any antivirus application that is up to date and
current and running in "auto-protect" mode. In addition, many antivirus
applications have specific IM-scanning options. So if you have a
current, up-to-date antivirus application that runs in "auto-protect"
mode, you have little to worry about. You can also disable Skype's file
Myth No. 4: Skype is hard to stop on my network
Skype is only hard to block if you don't know what is on your network or
if you don't have good configuration management of your clients. There
are many ways you can block Skype, ranging from scripts to using network
management software, to blocking Skype at the network layer. For
details, see this article.
Myth No. 5: Skype is encrypted, so I can't archive IM messages
This one's not really a myth. Skype sessions are encrypted, so yes, you
can't capture or archive Skype communications. The same is true of many
IM applications, though, so it's not less secure than other IM programs
that can use encryption.
So far, Skype hasn't suffered from the ills that bedevil most of the IM
applications regarding viruses and worms. But it's most likely only a
matter of time before a vulnerability is discovered and exploited. Any
application that allows file transfers, IM or voice that can't be
monitored, archived or recorded has some level of risk.
However, Skype's architecture is more difficult to crack than other IM
applications open to the Internet, and so it's the safest of those, but
there are non-Internet applications like Jabber that are even safer for
internal-only IM communication. But if asked if Skype is safer than MSN
Messenger, Yahoo Messenger, AIM or ICQ, the answer is "yes" for now.
Michael Gough is host and webmaster of SkypeTips.com and