Add eBay to the list of tech giants that have become complicit in Chinese government control and monitoring of its people. Nart Villeneuve, a senior research fellow at Citizen Lab, a consumer advocate group in Toronto, has discovered that eBay’s Chinese partner, Tom Group, has modified the version of Skype it distributes to its customers. The Trojan version of Skype identifies key words like Falun Gong, democracy, milk, and earthquake. It then encrypts the conversation containing those key words and sends it off to a central server within Tom’s network. The source and destination of calls and text conversations are recorded as well.
While it is no surprise that this type of surveillance occurs inside China, what is disturbing is that Skype is widely regarded as a secure way to communicate. Millions of people depend on it for free and open conversation across the public Internet. Even the much-covered NSA/AT&T wiretapping of the ‘Net cannot easily break the encryption techniques used by Skype. Thanks to the built-in security (described in detail here by respected independent researcher Tom Berson), Skype is now associated with safe communications.
From Dr. Berson's evaluation:
Skype uses only standard cryptographic primitives to meet its ends, which is a sound engineering approach. These primitives include the AES block cipher, the RSA public-key cryptosystem, the ISO 9796-2 signature padding scheme, the SHA-1 hash function, and the RC4 stream cipher. I looked at the Skype implementation of each of these, and verified that each implementation conforms to its standard and interoperates with reference implementations.
For eBay to allow a Chinese company to abuse that trusted brand in this manner will do untold damage to Skype and eBay.
Update: Nart Villeneuve's report is here.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.