At least we know beyond a shadow of a doubt that Skype has a backdoor now. Not really surprising although they did have some security people analyze the protocol and state that it was e2e secure.
FTA: "According to a separate “User’s Guide for PRISM Skype Collection,” that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms."
I'm not sure when the security people you are talking about did their audit, but when Microsoft bought Skype a few years ago they changed it from P2P communications to routing everything through a central server. After that it would be child's play to put in a backdoor.
Microsoft now runs the supernodes instead of them being random high bandwidth Skype users. Your computer uses a supernode to find the address of the user you want to reach, but you still connect directly to that user to communicate. People misunderstood this change to mean that call traffic traversed Microsoft servers.
That said, it has been shown that at the minimum China has keys to decrypt peer to peer communications, likey the NSA does as well. The NSA doesn't need Microsoft to route call traffic via their servers, because they already have taps at all the major exchange points.
How does Skype's key exchange work? If the supernode hands out an address for a server that intercepts the call, would the Skype client still accept it and connect?
The protocol itself is highly obfuscated, but from my understanding of what has been published it works something like this: (lots of disclaimers here that nobody outside of Microsoft/Skype really knows for sure)
When logging in an RSA public/private key pair is generated and the public key is sent up to the server. The username to public key mapping is seeded to supernodes and inserted into the global address book.
A calling party looks up the username on a supernode and receives the public key of the answerer as well as some magic to help them establish a direct connection even if both are behind NAT.
The caller generates a single use AES256 key for the session, encrypts it N times where N is the number of other parties on the call plus a number of built-in "observer" certificates. These encrypted keys are all sent over the wire to the other parties, whom are each able to decrypt 1 of the N encrypted payloads.
Each party encrypts traffic to the others using the session specific AES key.
If you are a government agency with a private key that matches one of the observer public keys (Russia, China, and India have openly claimed to have these), and you are able to record the setup for the call, you are effectively another party in the group chat and have access to the session key.
>If you are a government agency with a private key that matches one of the observer public keys (Russia, China, and India have openly claimed to have these
I am not calling bullshit, I just want to know more.
>If you are a government agency with a private key that matches one of the observer public keys (Russia, China, and India have openly claimed to have these
>I'm not sure when the security people you are talking about did their audit
The security audit was done in 2005 by Tom Berson of Anagram Laboratories. This was well before Skype was bought by microsoft but Skype links to it off their home page http://www.skype.com/en/security/#review
Not to be too conspiracy theorist but maybe just maybe this was why Skype was bought by Microsoft in the first place? The thought crossed my mind at the time of purchase but I sent it away skuttling because I deemed it too tinfoil hatty. My main regret at the time as a Linux enthusiast was that Skype's Linux offering was sure to suffer, so I had that angle more on my mind than government aiding and abetting.
This is widely misunderstood; it's possible that Skype is end-to-end secure and everything flows through MS servers. It's possible that there were backdoors in the old pre-MS versions. One really has little to do with the other.
FTA: "According to a separate “User’s Guide for PRISM Skype Collection,” that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms."