
A secure alternative to Skype?

  • 03-07-2013 9:58am
    #1
    Closed Accounts Posts: 678 ✭✭✭


    In light of the scandals related to PRISM, it would seem that the proprietary program Skype hasn't escaped scrutiny.

    While Skype calls may be encrypted end to end, there's nothing to prevent Microsoft logging calls and handing over the decryption keys to the authorities in the US. In fact there is some credible evidence to believe this may already have happened.

    Anyone taking even a passing interest in privacy will know this is an inherent risk in using proprietary software and encryption standards, and I don't want us to start a thread trashing Skype as there's no doubt it's very popular and a convenient way to place calls if you don't mind taking the risk they'll be recorded and/or monitored.

    Yesterday though I installed a free, open source program named Jitsi. Jitsi makes use of the ZRTP protocol, invented by the legendary Phil Zimmermann, creator of PGP.

    Anyway at least on paper this sounds very impressive. Two people using Jitsi can create an account e.g. with Jabber using the software and then have their conversation automatically encrypted, allegedly in such a way that the encryption keys never leave their own computers. There's even a small code in the chat window you can read out to make sure you're connected to the right person.

    So, this all sounds very impressive and I am now using this to communicate with my loved ones, who I've been able to bully into installing it as well on the basis that Jitsi also supports Facebook chat and Google Talk.

    Has anyone else had experience with this program? I'm happy to know that the US government won't casually be snooping on my conversations but perhaps I am being lulled into a false sense of security? The ZRTP protocol itself certainly seems sound enough and indeed, it's not married to Jitsi, I just like the way this program uses it as a matter of course with no extra tweaking.
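
The read-aloud code mentioned in the post above is ZRTP's short authentication string (SAS). The sketch below is an added example, not part of the original thread and not Jitsi's code: it uses a toy Diffie-Hellman group and a simplified hash in place of the RFC 6189 key derivation (both are assumptions) to show why the two codes match on a direct call and differ when a relay substitutes its own key.

```python
import hashlib
import secrets

# Toy parameters for illustration only (assumption): real ZRTP negotiates
# standardised DH/ECDH groups and derives the SAS with its own KDF.
P = 2**255 - 19
G = 2
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet


def keypair():
    """Private exponent stays on the endpoint; only G^priv is sent."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_secret(priv, peer_pub):
    """Each side combines its own private key with the public value it received."""
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def sas(secret):
    """Render the leftmost 20 bits of a hash of the secret as 4 characters."""
    digest = hashlib.sha256(b"SAS" + secret).digest()
    bits = int.from_bytes(digest[:3], "big") >> 4
    return "".join(ZB32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def honest_call():
    """Alice and Bob exchange public values directly."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return sas(session_secret(a_priv, b_pub)), sas(session_secret(b_priv, a_pub))


def intercepted_call():
    """A relay (Mallory) replaces each public value with her own in transit."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, m_pub = keypair()
    # Alice and Bob each end up sharing a different secret with the relay,
    # so the codes they read to each other no longer agree.
    return sas(session_secret(a_priv, m_pub)), sas(session_secret(b_priv, m_pub))


if __name__ == "__main__":
    print("direct call:     ", honest_call())
    print("intercepted call:", intercepted_call())
```

The check only protects a call if both parties actually compare the code by voice; a 20-bit code leaves a relay roughly a one-in-a-million chance of matching by luck.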


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Sounds pretty decent. Two things are putting me off jitsi:

    1) It is not in the default ubuntu repositories. This is a warning sign to me. Historically it has been for one of two reasons - either the software is sh*te or there is some license based reason for it (e.g. not open source (which jitsi is) or has some other restrictive licensing, like truecrypt).

    2) Yoyo was bad mouthing it in the other thread. :)


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Jitsi is akin to trying to shout across to someone in a noisy train station on the far platform, with a train coming in. It is really that bad :pac: . Both have UPC connections so it's the service, not the connection

    Nick


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Khannie wrote: »
    Sounds pretty decent. Two things are putting me off jitsi:

    1) It is not in the default ubuntu repositories. This is a warning sign to me. Historically it has been for one of two reasons - either the software is sh*te or there is some license based reason for it (e.g. not open source (which jitsi is) or has some other restrictive licensing, like truecrypt).

    2) Yoyo was bad mouthing it in the other thread. :)

    Thanks Khannie - well, there's no reason to be married to Jitsi I suppose, the ZRTP protocol is apparently compatible with pretty much every open source VOIP program, so there's no need to obsess over this particular one - I just liked it because I'm lazy and don't want to have to install and configure it separately.

    Not really sure why it isn't in the Ubuntu repository although when my girlfriend and I tried to use it yesterday we got awful feedback as we both just use our laptop microphones, but the same problem doesn't occur on Skype. We don't mind investing in a headset for the sake of privacy but perhaps others might have just given up there and then and gone back to Skype.


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    silentrust wrote: »
    Not really sure why it isn't in the Ubuntu repository although when my girlfriend and I tried to use it yesterday we got awful feedback as we both just use our laptop microphones, but the same problem doesn't occur on Skype. We don't mind investing in a headset for the sake of privacy but perhaps others might have just given up there and then and gone back to Skype.

    Trust me, that "awful feedback" is Jitsi, not the laptop's mic that Skype confirms. It's akin to talking on a loud train platform as I mentioned earlier, the program is just rubbish.. It's a pity as my m8 won't use Skype but Jitsi was too sh!t so I just dumped it :rolleyes::rolleyes:

    Nick


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Just checked and SFLPhone which is available directly from Ubuntu Software Center can also make calls protected with ZRTP too. Anyone who is interested in their privacy, I'd strongly recommend reading up on ZRTP to see why it's better than the proprietary methods Skype use to protect calls - also all that protection is no good if Microsoft is simply providing the government with a readymade back door!


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    While working for a certain well known open source company, the InfoSec team did a security review of skype and based on those findings it was banned throughout the company. This was before the MS acquisition.

    It was found to do this weird, "smart" routing. One of the things they found was if Bob wanted to call Alice, and the Skype servers detected that the fastest route was via Mallory's connection, it would route the call through her machine, meaning she could sniff the traffic.

    I also read that a researcher, I think on the Metasploit project sent some shellcode to another researcher over skype, but the recipient never got the message. They found that skype wasn't sanitising the input and was instead trying to execute the shellcode.

    I need secure sip for a project in work and will be testing sip over ssh tunnel. I can let you know my findings.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    syklops wrote: »
    While working for a certain well known open source company, the InfoSec team did a security review of skype and based on those findings it was banned throughout the company. This was before the MS acquisition.

    It was found to do this weird, "smart" routing. One of the things they found was if Bob wanted to call Alice, and the Skype servers detected that the fastest route was via Mallory's connection, it would route the call through her machine, meaning she could sniff the traffic.

    I also read that a researcher, I think on the Metasploit project sent some shellcode to another researcher over skype, but the recipient never got the message. They found that skype wasn't sanitising the input and was instead trying to execute the shellcode.

    I need secure sip for a project in work and will be testing sip over ssh tunnel. I can let you know my findings.

    Thanks Syklops I'll be interested to hear how it turns out. I like the idea of ZRTP on the basis it's easy to set up and might work with an Android phone but agree SSH would also be ideal.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    SSH is far from ideal IMO. Anyone who is not technical is immediately screwed.

    I just installed CSipSimple on my phone and signed up for a free VOIP account there. It uses zrtp (and / or TLS). I haven't used it yet, but I'll report back when I do.


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    Eva Galperin is a researcher for the EFF. She has posted a good bit over the recent months about spyware and encryption, especially in relation to activists' use of tech in Syria and throughout the Arab Spring.

    http://newsle.com/person/evagalperin/4753787

    https://www.eff.org/about/staff/eva-galperin

    I have a feeling that she has previously said there isn't really a privacy compatible alternative to Skype. I can't find the post I am thinking of now but she says here that she would advocate Syrians using Google Hangout instead. Maybe there are restrictions on using other options in Syria ...

    I see that on the EFF Surveillance Self Defence page they don't currently have a recommendation for VOIP.

    The guardianproject have recommended Jitsi for use with their Open Secure Telephone Network (OSTN) ...


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    hooplah wrote: »
    Eva Galperin is a researcher for the EFF. She has posted a good bit over the recent months about spyware and encryption, especially in relation to activists' use of tech in Syria and throughout the Arab Spring.

    http://newsle.com/person/evagalperin/4753787

    https://www.eff.org/about/staff/eva-galperin

    I have a feeling that she has previously said there isn't really a privacy compatible alternative to Skype. I can't find the post I am thinking of now but she says here that she would advocate Syrians using Google Hangout instead. Maybe there are restrictions on using other options in Syria ...

    I see that on the EFF Surveillance Self Defence page they don't currently have a recommendation for VOIP.

    The guardianproject have recommended Jitsi for use with their Open Secure Telephone Network (OSTN) ...

    Many thanks for this Hooplah, since we chatted about this earlier today I was able to find this Mashable article c/o the EFF where it says that Skype's official position seems to be unclear but that Google do release regular transparency reports viz. what information is shared and what isn't.

    A few things to take into account when talking about Syrian activists etc. is that Skype is blocked in a number of countries. Others still block VOIP altogether. This is probably why our mutual friend Ms. Galperin didn't recommend its use in Syria.

    Moreover, although the revelations about Project Chess are shocking, there's no evidence as of yet that access to this backdoor was given to anyone but US law enforcement. Quite a cosy arrangement for Skype if you think about it, stay quids in with the feds back home but also refuse to share the backdoor with dictatorships so everyone believes that their security is perfect.

    The EFF's lack of recommendation re: VOIP software is probably down to the fact that in practical terms it's currently very difficult to have both call privacy and anonymity at the same time, Tor, I2P, Freenet etc. would be too slow to support a video call.

