The new age of information technology is firmly established in all corporations, and people understand that there are fast and easy methods of communication that were not available before. One of the most modern is the Instant Messaging tool, in any form possible, and the most popular form of the day is Skype.
Furthermore, modern corporate employees view the ability to use Skype at work as their constitutional right, not a corporate privilege. But let's observe the pitfalls of Skype usage in corporate communication:
- Skype is designed to be an Internet communication tool. This means that each Skype client MUST connect to a SuperNode somewhere on the Internet.
- The Skype protocol is designed to enable communication between users even when the direct path between them is blocked. It does this by using SuperNodes and Routing Nodes to relay messages when direct client-to-client communication is impossible.
- The Skype protocol is proprietary and encrypted, so there is no way to control or audit the content of the messages.
- Again through a characteristic of the Skype protocol, any Skype client can choose to become a Routing Node, potentially offering its services to any client on the Internet.
- Skype is designed as an Internet telephony protocol, and the voice functionality cannot be blocked. Using the voice functionality can cause unnecessary bandwidth usage and potential problems on the data network.
- The Skype client is closed source, and any claims about the encryption algorithms used in it have to be taken for granted, since there is no way to confirm them. So, nobody really knows whether Skype or anyone else can eavesdrop. Even if all claims are true, the usual problem is not with the algorithm but with its implementation. Bear in mind that one of the iPhone hacker unlock mechanisms used a bug in the RSA encryption implementation.
- The Skype binary is unnaturally large, most of it is encrypted, and it contains numerous controls and hooks designed to prevent an active debugging tool from reverse engineering it. It also contains intentional garbage code and padding designed to confuse any dissection of the file. This mess of a binary is an excellent place to hide an undesirable element such as a backdoor, trojan or spyware tool, which would not be easily detectable by standard anti-spyware tools.
- All passwords of Skype users are kept on a centralized Skype Authentication Server. Skype claims that all passwords are irreversibly hashed. Neither this claim nor the hashing algorithm can be confirmed. This may not be a problem for private use, but in a corporate environment a large number of employees use the same password for all their business applications, so it is quite possible that they will use the same password for Skype, potentially releasing this password into the wild.
So, here is a summary of the pitfalls of using Skype:
- All users must be allowed to connect to some servers on the internet to log on to the Skype network. This connection can be used to piggy-back an attack through the authenticated outbound session.
- No possibility to perform any audit on the communication - a corporate must!
- No possibility to block voice, thus opening the potential for bandwidth hogging
- No guarantees on what is within the Skype code
- No guarantees on Skype passwords
- No guarantees on Skype encryption
One must stress that these pitfalls mostly affect the organization as a whole (SysAdmins, NetAdmins, Security, Internal Audit, etc.), while the individual users are usually very happy to be served by Skype.
It is my strong opinion that the goal of easier corporate communication is not well served by Skype.
To address this goal, the corporation should implement an internal corporate messaging tool that has the following functions:
- Possibility for fine grained activation/deactivation of available services (text, voice, video, file transfer)
- Possibility for audit of both administrative events (logon, logoff) as well as messages
- Fully internal infrastructure, thus eliminating the requirement for internet access.
Also, with the advent of IP Telephony in the corporate world, the corporation should decide on a strategic selection of product that will complement the IP Telephony, not compete or conflict with it.