In blog posts published earlier this week, the civil liberties group first took aim at Skype for ambiguity over encryption before revealing that internet service providers (ISPs) in the US and Thailand are “actively removing” encryption from customer data sent to email servers.
The EFF last week launched its Secure Messaging Scorecard, which assessed which applications best protect messages by encrypting them (at rest and in transit), verifying identities, and reviewing and auditing code.
One of the main debates to come out of the review, however, was whether Skype's VoIP software uses end-to-end encryption so that the provider (which is now Microsoft, following the £5 billion acquisition in 2011) cannot read communications.
The group said that Skype launched back in 2003 on the secure P2P codebase and had emerged as one of the few pieces of communications software to encrypt users' VoIP communications by default.
“Not only was the encryption present by default, but it operated end-to-end so that under normal circumstances, Skype would lack the keys to decrypt calls between its users,” the group said.
There was a caveat, however, as earlier analysis from EFF showed that this protection was limited because Skype tells each client which public key to use for each other user. A provider in that position can distribute false keys, enabling man-in-the-middle (MitM) or impersonation attacks.
Microsoft says of Skype encryption: “…For Skype your key is your Skype Name and password, hence the criticality of keeping that safe. Skype uses well-known standards-based encryption algorithms to protect Skype users' communications from falling into the hands of hackers and criminals.”
EFF's scorecard scores systems on whether they deploy ‘end-to-end' encryption so that the provider can't read communications, and separately on whether they offer ‘some method of protection' against false keys and MitM attacks, which is what earns a check for ‘can verify your contacts' identities'.
In the case of Skype, however, EFF - citing Snowden's leaks that revealed Microsoft could access Skype text, video and voice - questioned whether, and how, the firm's encryption could have been compromised: “Was it a break against the RC4 cipher Skype used? Was it a method for compelling Microsoft to issue false keys to selected Skype users? Or was it some other flaw in the traditional Skype client?”
The issue is complicated somewhat by Microsoft moving Skype from RC4 to a new protocol, which might give “Microsoft more visibility into Skype calls and/or messages.”
EFF says that it gave Skype ‘tentative credit' for end-to-end encryption but not for verifying contacts' identity.
“We did not give Skype credit in the third criterion – an ability to verify contacts' identity. We hypothesised that Skype may still have end-to-end encryption, though it certainly doesn't protect against man-in-the-middle attacks, and we asked Microsoft whether that analysis was accurate. Microsoft initially told us they would provide a prompt response, asked to schedule a meeting, but failed to do so before our launch deadline.