With the wide adoption of Skype in the consumer market, it is not surprising that more and more company networks are finding Skype to also be a valuable tool for communication. But one hurdle that seems to confound many IT departments is the “is Skype secure?” question. In short, the answer is “yes”. It is, in a few ways. Let me try and explain.
First, when a user signs into his or her Skype account, all the information is sent over SSL. SSL encrypts all the information before it leaves the user's computer, and it can only be decrypted by Skype servers. Skype also uses digital certificates to provide further assurance that the user is in the intended conference. These certificates are used when sending instant messages, making audio/video calls, or sending files to other users. These certificates help to prevent “man-in-the-middle” attacks and help to ensure users are communicating with the right users on the other end. These certificates are validated each time a user logs into his or her Skype account.
First you have RSA certificates that are used when a Skype user logs into his or her account. These are user public keys that are certified by the Skype server at login using 1536- or 2048-bit RSA certificates. Next you have the actual media encryption. Like the traditional H.323 room video conferencing systems, Skype also uses AES (Rijndael) encryption. While Skype also uses the AES encryption standards, they actually encrypt up to 256-bit, a higher level than that of the typical room system, which uses 128-bit. Additionally, with Skype it is ALWAYS encrypted.
Here at Blue Jeans Network we have no capability to turn Skype encryption off. Users have no capability of turning off the encryption on their Skype session to Blue Jeans either. All Skype connections into our service are encrypted by default.
Now there are some security concerns to take into consideration here. These are, however, no different from the typical measures that corporate IT teams would put in place for a user’s desktop and/or laptop:
good antivirus program installed and kept updated on a regular basis
strong passwords used when setting up accounts
general common sense on suspicious links and contact requests from unknown parties
With these measures followed as a practice, company IT departments can avoid “hijacking” of user machines and recording of any keystrokes or media coming out of the workstation. After all, the Skype media streams would not be decrypted, but the audio and video inputs/outputs of the machine could be compromised. This is a possibility even without Skype. Again, the vulnerability in this instance relates to the machine/hardware if security practices are not followed.
Overall, Skype is generally more secure than traditional H.323 room systems from an encryption perspective. A user’s laptop or desktop is actually the security concern in almost every case, and not the Skype application running on the system.