October 2005

Yesterday, Skype reacted to reports of security vulnerabilities in its product by releasing software updates and widely circulating information about how to resolve the problem. Skype users may download the upgrade free of charge from Skype’s website, http://www.skype.com.

Continue reading "Responding to security vulnerabilities" »

Ever since Skype was launched, we have said it is, and will remain, secure. Your Skype-to-Skype calls, chats and other communications are end-to-end encryped.

What sometimes happens is that after claiming this, we get asked “you say you’re secure… so prove it”. That’s a valid question — anyone can claim anything about their own product. We have recognized that you want more assurance than we say ourselves. So we did a comprehensive external security review of Skype, focusing on its encryption methods.

We’re happy to report that the work is now complete and you can download the full report from Skype security center (PGP signature). There’s also an executive summary available. Note that while the full report was compiled by Dr. Tom Berson from Anagram Laboratories, the summary is written in-house by Skype based on the full report.

In short, the conclusion of the report is that Skype uses standards-based methods and a sound design to secure its users, software and system, and does what it says — is secure. Of course, security is never “done”, so security continues to be an important track in all Skype developments and operations.

Continue reading "Skype security and encryption review now available" »

We saw in the news today that there’s a Skype-related trojan, reported by MessageLabs. We haven’t seen it in our own inboxes yet, but it’s certainly something to worry about. It was no doubt “inspired” by a newsletter we recently sent to our users who have opted in to receive e-mail, to inform them about the release of Skype for Windows 1.4. As Skype grows in popularity, so does the chance of having more malicious content that use Skype’s name for evil purposes.

Let’s reiterate (and if your colleagues and grandma are on Skype, please tell them too):

Skype never sends software updates by e-mail. We do send information about your orders if you bought something from us, and we send newsletters and survey invitations, if you opted in to receive Skype e-mail when you registered your Skype Name, but that’s it. So if you receive a software update e-mail from Skype, please delete it, and tell others to do the same.

Skype uses digital signatures to help users ensure that its software releases are valid. You can verify the authenticity of Skype software by confirming that its digital signature is valid. Instructions for checking the digital signature of Skype’s software are described in the Administrator’s Guide to Skype, which may be downloaded from skype.com/security/.