VoIP is the voice-over-IP communications technology that is slowly making POTS landlines obsolete. SIP providers, VoIP applications, and messaging platforms all utilize VoIP to provide voice calling on PCs, phones, and mobile devices. One of the most popular VoIP applications is the Skype messaging service. Skype uses a peer-to-peer network of internet nodes to route voice and/or video calls between users around the world. Especially in the case of consumer-grade VoIP, it is significantly cheaper than a traditional landline for voice calls, and it can potentially deliver better sound quality. Another area where VoIP services like Skype excel is as a communication medium for criminals. Thanks to the fast pace of technology and the use of a peer-to-peer connection, Skype is a decent platform to communicate without fear of others listening in, to an extent.

Of course, Skype is not a fully decentralized service because it uses so-called “supernodes.” The supernodes are basically servers that both the caller and recipient can connect to, and they use these mutually-known servers to make the initial introduction between the two clients. Reportedly, Microsoft is re-engineering these supernodes to make it easier for law enforcement to monitor calls by allowing the supernodes to not only make the introduction but to actually route the voice data of the calls as well. In this way, the actual voice data would pass through the monitored servers and the call is no longer secure. It is essentially a man-in-the-middle attack, and it is made all the easier because Microsoft, who owns Skype and knows the keys used for the service’s encryption, is helping.

As far as what this means for you, if you are not doing anything malicious then you don’t need to worry too much. Patriot Act exceptions aside, you would have to be acting suspiciously enough for a judge to grant a warrant before your conversations could be snooped. With that said, it is a bit disconcerting that it is possible to violate your privacy, especially when you aren’t doing anything to warrant such potential invasions.

Your best bet for securing your voice communications for the simple sake of privacy is to set up your own VoIP “softphone” with open source SIP software, and use end-to-end encryption and keys that you control access to. Such encryption includes ZRTP for the secure key exchange and SRTP for securing the voice (data) stream between you and the recipient. SRTP in particular is interesting because it uses, by default, a 128-bit key derived from a master key — exchanged using the ZRTP (or similar) protocol — that is further salted with a 112-bit key (which helps make the encryption key harder to brute force by making it more computationally expensive to do so).
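As an added example (not from the original article or from any SRTP implementation), the derivation described above can be carried through with the default AES counter-mode key derivation function of RFC 3711 and the test vector from its Appendix B.3. It goes beyond the article in using the RFC's label values (0x00 cipher key, 0x01 authentication key, 0x02 session salt) and a key derivation rate of 0; the function names are illustrative.

```python
# Added illustration of the SRTP KDF (RFC 3711 section 4.3); pure-Python AES, not constant-time.
def xt(a):  # multiply by 2 in GF(2^8) modulo the AES polynomial
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF

# Build the S-box: p walks the powers of 3, q is kept equal to the inverse of p.
SBOX = [0x63] * 256
p = q = 1
for _ in range(255):
    p ^= xt(p)
    q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
    if q & 0x80:
        q ^= 0x09
    r = q | (q << 8)  # doubled byte, so the shifts below act as 8-bit rotations
    SBOX[p] = ((q ^ (r >> 7) ^ (r >> 6) ^ (r >> 5) ^ (r >> 4)) & 0xFF) ^ 0x63

def expand_key(key):  # AES-128 key schedule: 11 round keys of 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xt(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[i:i + 4], []) for i in range(0, 44, 4)]

def aes128_encrypt(key, block):
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                            # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if rnd < 10:                                        # MixColumns
            s = [a[i] ^ a[0] ^ a[1] ^ a[2] ^ a[3] ^ xt(a[i] ^ a[(i + 1) % 4])
                 for a in (s[c:c + 4] for c in range(0, 16, 4)) for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]             # AddRoundKey
    return bytes(s)

def srtp_kdf(master_key, master_salt, label, length):
    """Derive `length` bytes for `label` with key derivation rate 0 (so r = 0)."""
    x = bytearray(master_salt)  # 112-bit master salt
    x[7] ^= label               # key_id = label || r, right-aligned on the salt
    return b"".join(aes128_encrypt(master_key, bytes(x) + c.to_bytes(2, "big"))
                    for c in range((length + 15) // 16))[:length]

# Test vector from RFC 3711 Appendix B.3
MASTER_KEY = bytes.fromhex("E1F97A0D3E018BE0D64FA32C06DE4139")
MASTER_SALT = bytes.fromhex("0EC675AD498AFEEBB6960B3AABE6")
if __name__ == "__main__":
    print("session cipher key:", srtp_kdf(MASTER_KEY, MASTER_SALT, 0x00, 16).hex())
```

Each label produces an independent session value from the same master key and master salt, so the 128-bit cipher key, the authentication key and the 112-bit session salt never share keystream.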

The move by Microsoft is somewhat disheartening, but at the end of the day it will not affect the company’s userbase much. Yes, your conversations are potentially less private and secure, but Skype remains one of the easiest (and free) VoIP clients to use. Skype is now essentially equivalent to other traditional forms of communication like landlines and cellphones that are already capable of being tapped. From the perspective that it is a necessary evil to have to monitor and find malicious people, it is not a bad thing for Microsoft to do so long as it conforms to legal procedures and is not abused. That last part is, I think, what worries a lot of privacy-conscious people, and if you do value security over convenience there are definitely better options out there than Skype.

Update – 3:33pm – Skype has contacted us to note that the changes were made in order to “improve the Skype user experience”, not to open the doors to tapping.

Regarding the supernodes, Mark Gillett, Skype’s Corporate VP of Product Engineering & Operations, noted:

As part of our ongoing commitment to continually improve the Skype user experience, we developed supernodes which can be located on dedicated servers within secure datacenters. This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes). We believe this approach has immediate performance, scalability and availability benefits for the hundreds of millions of users that make up the Skype community.

And in response to the claim that the source code was leaked, Skype’s Chief Security Officer, Adrian Asher, wrote:

Skype takes all necessary steps to prevent/defeat nefarious attempts to subvert the Skype experience. Skype takes its users’ safety and security seriously and we work tirelessly to ensure each individual has the best possible experience.

Of course a government wiretap is not something a corporation (or most people) would consider to be “nefarious”, but Skype has said to us that the changes were not made to help law enforcement.