Skype's security reviewed

One of the most exciting things about Skype is its encryption — when you use AIM or other IM and VoIP applications, chances are that your communications are in the clear and therefore easily eavesdropped-upon (especially on public WiFi networks).

Skype offers encryption by default, but the scrambling system has been a secret until now. It's a truism in security that a security system that is kept secret is not secure. As Bruce Schneier says, "Anyone can design a security system so clever that he can't think of a way of breaking it," so public review of security (through which other skilled practitioners investigate the system for flaws and vulnerabilities) is critical to achieving robust security.

Now Skype has done a limited review of its crypto, paying an independent lab to review the security measures in place. The lab has given it a clean bill of health, which is encouraging news. Still, this seems to me to be only one step in the right direction.

After all, what if there is a flaw in the security that eludes both Skype and its sole evaluator? Previously, this has meant that attackers have been able to evade the crypto with impunity, without users or developers even knowing that there is a bug that needs fixing — a true fool's paradise.

A much better answer would be for Skype to disclose its code — either under a free software license or simply for peer-review. That way every interested party could review and verify Skype's security claims.

We're happy to report that the work is now complete and you can download the full report from the Skype security center (PGP signature). There's also an executive summary available. Note that while the full report was compiled by Dr. Tom Berson from Anagram Laboratories, the summary is written in-house by Skype based on the full report.

In short, the conclusion of the report is that Skype uses standards-based methods and a sound design to secure its users, software and system, and does what it says — is secure. Of course, security is never "done", so security continues to be an important track in all Skype developments and operations.


(via Hack the Planet)

Update: OpenSSL maintainer Ben Laurie points out the thread that starts here, in which cryptographers are reading the tea-leaves on the analysis very closely and suggesting that there's lots to worry about if you're relying on Skype crypto to keep your conversations private.