Should Skype, the free, peer-to-peer VoIP service, be persona non grata on corporate data networks? As we saw in the first in this two-part series, Info-Tech Research Group, an analyst firm based in Canada, stirred the pot in the Internet community recently by suggesting that enterprises should ban Skype outright. Not everybody we talked to agreed.
When we asked the usually diplomatic Joe Laszlo, a research director with Jupiter Research, about the Info-Tech release, he didn’t mince words. “It sounds like the worst kind of fear mongering to me,” Laszlo said. “It’s a ridiculously overly strong position to take.”
Andrew Parker, Chief Technology Officer at UK-based Cache Logic Ltd., a firm that sells systems to Internet service providers to help them manage peer-to-peer traffic on their networks, said much the same—though being British, was more polite. “I find it a little bit sensationalist,” Parker says. “It’s somewhat over the top.”
On the other hand, well-respected analyst Frank Dzubeck, president of Washington, DC-based Communications Network Architects Inc., recently told us that Skype had “horrendous” security concerns, although he didn’t elaborate.
Patches: Indicators of vulnerability?
Ross Armstrong, the senior research analyst who authored the Info-Tech position, justifies his concerns about the network security risks by noting that Skype has recently issued security patches. Although he admits he hasn’t heard of viruses or worms in the wild that exploited Skype, he believes it’s “only a matter of time” before they emerge. In the meantime, enterprises must take the threat seriously.
“If you’re an IT manager whose job depends on making sure your network is secure, do you really want an unknown and unknowable service running on it?” Armstrong asks. “It behooves us to warn [our clients] of the possible risks.”
Others were quick to point out that the objection that Skype is non-standard and closed source is at best irrelevant, and possibly misleading. Many other programs accepted in the enterprise—most of Microsoft’s, for example—are also non-standard and closed source. Nor does being non-standard and closed source make them inherently less secure, says Laszlo.
Butler Group research analyst Richard Edwards and others note that one of the reasons Skype is so popular is that it’s easy to use, and one of the reasons it’s so easy to use is that it’s non-standard. Says Cache Logic’s Parker, “IT managers complain that they can’t control [Skype], but if it was as popular as it is but difficult to use, you’d have them complaining that it was a technical support burden.”
Michael Jackson, Skype’s vice president of operations, also notes that in fact Skype uses SIP (Session Initiation Protocol), very much an industry standard. “So it’s actually a bit of a misconception in that way,” he says. In fairness, though, SIP is just one component in Skype, which is in most other respects proprietary and closed source.
As for the security patches, Jackson points out that other software providers routinely do the same thing—again, notably, Microsoft. Furthermore, Skype adheres to the principles of FIRST (Forum of Incident Response and Security Teams), an industry organization headed by Cisco and Sun Microsystems that advocates complete transparency. “They’ve looked at the way we handled these incidents to see if we did it in a good way and they concluded that we did,” Jackson says. Nobody took advantage of the vulnerabilities before they were fixed, he adds.
Cryptic encryption debate
The argument that Skype’s encryption may be vulnerable conveniently overlooks the fact that many other kinds of communication routinely used in enterprises, including conventional telephony, instant messaging, and e-mail, are typically not encrypted at all, Laszlo and others point out.
The question of the strength of Skype’s encryption comes down to a philosophical debate in the cryptology community, Jackson says. Some believe the best way to ensure continued strength is to publish the encryption source code and expose it to a barrage of attempts to break it. Others, Skype included, believe it is better to keep the code closely guarded and submit it for independent peer review, which Skype has done.
“Tom Berson [founder and owner of Anagram Laboratories, an information security consultancy] had access to our source code and he showed that the encryption is done according to well-known implementations of standard algorithms,” Jackson says. Berson’s report is available at the Anagram site.
Armstrong’s concern is that Anagram is not an approved testing laboratory under a program run by the National Institute of Standards and Technology (NIST). NIST accredits such labs under its Cryptographic Module Validation Program, which tests cryptographic implementations against the FIPS 140-2 standard. “One thing that would really help Skype mature into a good corporate citizen is to submit [its encryption technology] to [a NIST-approved lab],” he says. “A lot more companies would feel comfortable with accepting Skype if it got that seal of approval.”
The issue of Skype use in companies subject to strict regulations about recording and archiving business discussions and transactions may be the one concern raised by Info-Tech that most others we talked to agreed on. “I don’t think it’s well proven out that Skype’s encryption is vulnerable,” Laszlo says. “But I would be concerned if I was in a field such as health or finance [that was heavily regulated.]”
Even Jackson says Skype probably doesn’t belong in such organizations, but notes that most have such strict security around IT that client PCs are probably locked down to prevent installation of unauthorized programs such as Skype anyway.
The threat of corporate client machines being commandeered as Super Nodes—Skype’s term for user computers that help route calls—is perhaps more difficult to evaluate. Certainly some are used as Super Nodes: accepting the Skype client’s software license agreement gives the company permission to do this. Indeed, Skype’s whole business model depends on being able to draw on such resources, since the company has little network infrastructure of its own.
Edwards says he has seen reports on the Web of performance on gamers’ machines being crippled because they were being used as Skype Super Nodes. One university client told him it was resorting to tools for blocking Skype transmissions because it at least suspected outside Skype traffic was congesting its routers.
Jackson says this is mostly nonsense. There was also a rumor going around the Internet that one user’s computer was carrying all of Skype’s North American traffic, he points out. For one thing, it doesn’t work that way, he says. Super Nodes don’t “carry” traffic, they just help route it.
How Skype selects Super Nodes is something of a trade secret, but one of the requirements is that the machine must have direct access to the Internet. For this reason, it is unlikely a corporate user’s PC could ever serve as a Super Node: most sit behind a firewall and network address translation, with a private address handed out by the LAN router, so outside peers cannot connect to them directly. Skype chooses powerful computers with clear access to the Internet and then uses only a tiny percentage of their CPU and bandwidth resources, Jackson says.
“The selection algorithms are designed to keep [usage of Super Node resources] at an acceptable level. Even if a corporate machine was selected, I really doubt whether the user would notice any difference.”
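A network manager in the position of Edwards’ university client does not need Skype’s secret selection algorithm to find out whether a campus machine is relaying other people’s sessions. The following is an added example, not code from the article or from Skype, and rests on two assumptions: that a relay node shows up in flow records as a host contacted by many distinct outside addresses (an ordinary client talks to a handful), and that a host with only an RFC 1918 private address cannot be reached from the Internet at all, which is the point Jackson makes above. The flow records, the `SAMPLE_FLOWS` format, the `min_peers` threshold and the function names are all constructed for the example.

```python
"""Flag LAN hosts whose inbound peer fan-in looks like a peer-to-peer relay node.

Heuristic (an assumption, not Skype's documented selection logic): a host that
routes other users' sessions is contacted by many distinct outside addresses.
A host sitting in RFC 1918 space behind NAT is excluded up front, because
outside peers cannot open connections to it without a port mapping.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 networks listed explicitly rather than via ipaddress.is_private,
# which also treats the documentation ranges used below as "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (src_ip, dst_ip, proto, bytes). Not real traffic;
# 198.51.100.0/24 plays the role of the campus's public address block.
SAMPLE_FLOWS = [
    # six distinct outside peers send to 198.51.100.7: relay-like fan-in
    ("203.0.113.10", "198.51.100.7", "udp", 1180),
    ("203.0.113.11", "198.51.100.7", "udp", 960),
    ("203.0.113.12", "198.51.100.7", "udp", 1320),
    ("192.0.2.20", "198.51.100.7", "udp", 880),
    ("192.0.2.21", "198.51.100.7", "udp", 1410),
    ("192.0.2.22", "198.51.100.7", "udp", 1020),
    ("203.0.113.10", "198.51.100.7", "udp", 700),   # repeat peer, counted once
    # an ordinary client: one outside peer, plus its own outbound traffic
    ("192.0.2.30", "198.51.100.8", "udp", 640),
    ("198.51.100.8", "192.0.2.30", "udp", 590),
    # local-to-local traffic is ignored
    ("198.51.100.8", "198.51.100.9", "tcp", 4000),
    # a NAT'd host with similar fan-in (records as a collector inside the NAT
    # boundary would see them); unreachable from outside, so never a candidate
    ("203.0.113.10", "10.0.0.5", "udp", 1100),
    ("203.0.113.11", "10.0.0.5", "udp", 900),
    ("203.0.113.12", "10.0.0.5", "udp", 950),
    ("192.0.2.20", "10.0.0.5", "udp", 870),
    ("192.0.2.21", "10.0.0.5", "udp", 1000),
]


def behind_nat(ip: str) -> bool:
    """True if the address is RFC 1918 space, i.e. not directly reachable from the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def external_fanin(flows, local_net: str) -> dict:
    """Map each local host to the set of distinct outside addresses that sent it traffic."""
    local = ipaddress.ip_network(local_net)
    peers = defaultdict(set)
    for src, dst, _proto, _nbytes in flows:
        if ipaddress.ip_address(dst) in local and ipaddress.ip_address(src) not in local:
            peers[dst].add(src)
    return dict(peers)


def suspected_relays(flows, local_net: str, min_peers: int = 5) -> list:
    """Local hosts reachable from the Internet whose inbound peer fan-in reaches min_peers."""
    return sorted(
        host
        for host, srcs in external_fanin(flows, local_net).items()
        if len(srcs) >= min_peers and not behind_nat(host)
    )


if __name__ == "__main__":
    for host, srcs in external_fanin(SAMPLE_FLOWS, "198.51.100.0/24").items():
        print(f"{host}: {len(srcs)} distinct outside peers")
    print("suspected relays:", suspected_relays(SAMPLE_FLOWS, "198.51.100.0/24"))
    # the NAT'd host has comparable fan-in but is excluded, so this prints []
    print("suspected relays in 10.0.0.0/24:", suspected_relays(SAMPLE_FLOWS, "10.0.0.0/24"))
```

Run against real NetFlow or sFlow exports the threshold needs tuning to the site, and a hit is only a lead: the host could equally be a web server or a mirror. The point the check makes concrete is the one Jackson concedes in the text: a host that is both reachable from outside and fanning in traffic from many strangers is doing work for someone other than its owner, and a manager can see that without Skype’s cooperation.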
Still, he says Skype may implement a measure Edwards proposes, which is to make it possible for corporate network managers to select which machine on their network is used as a Super Node. They could even dedicate a machine for this purpose, Edwards suggests.
“It’s probably one of those things, those tweaks we would consider to make [Skype] more suitable [for corporate use],” Jackson says. “That’s the kind of thing that makes people happy—not that materially it makes any difference.”
It boils down to this: analysts like Armstrong and Edwards want Skype to make an effort to, as Armstrong says, “evolve to become a good corporate citizen” and issue a version of the product that responds to the concerns of enterprise IT managers. But Jackson says Skype has its hands full addressing the much larger (and perhaps more lucrative) consumer and small business market and isn’t likely to do this.
So for the foreseeable future at least, corporate IT managers will have to allow use of Skype, if at all, at their own risk.