While Skype use can create quite a bit of traffic on the network, and it
can allow unmanaged inside-to-outside communications, it is hardly a
high-risk application. The code has proven to be robust, more secure
than many of the other chat clients and more worm-resistant than many
attackers had hoped. The cryptography surrounding the voice and
authentication data seems to have resisted known attacks and is rated by
more than a few security researchers as highly effective. A quick check
of known vulnerability databases showed only nine issues in total, with
only three in the last year. All are patched in current versions.

Why the fear?

Most security folks I talk to say that they base their fears on a couple
of things. First, and this is a huge issue for some, they don't like the
fact that Skype is peer-to-peer. There have been many claims that this
could allow various forms of analysis and eavesdropping, but few
real-world attack examples (if any) have shown up. They're also wary
about the company that makes Skype -- Skype Technologies. Many of the
programmers working at Skype authored a popular (and some say infamous)
MP3 trading software application called Kazaa.
Other security folks dislike Skype because it is closed source, doesn't
use the SIP protocol and just generally feels less professional than
they think a VoIP application should be.
I am a Skype user, but I also accept the risks that come with it, as I
do with any software or technology. As an organization, my company has
not embraced Skype, but we do allow it on our public wireless and
untrusted network segments. We have learned to live with the traffic,
and in many cases, it has proven to be a useful tool for various work
and personal activities.
Skype isn't going away any time soon, so you can either love the tool or
hate it, ignore it or embrace it, but whatever you do, make sure your
reasons are valid and based in reality.