Skype Eavesdropping Warning: A Security “Warning” So Backward it Hurts

The folks at The H Security blog have made much ado about nothing in warning that “Skype with care – Microsoft is reading everything you write”. It is inflammatory, factually stretched, and frankly it is poorly thought out.

First let’s get some definitions out of the way:

“Microsoft is reading”: No they’re not. Some automated program is following links.

“everything you write”: Again, no. It follows links. There is no evidence that any of the content is read by a person or a program; it is clearly parsed only to extract links. There is no evidence of use of any other information sent across. Do they send texts to phone numbers? Call people? Send email / spam / solicitations to email addresses that are sent across? There isn’t a single piece of evidence for anything other than following URLs.

Four Major Misunderstandings

In four significant ways, they just misunderstand what is going on here.

You’re not allowed to be surprised

Skype tell you about this in their Ts & Cs. The only more blatant thing they could do would be to remind you each time you log in. There are limits to how surprised you’re allowed to be when you discover that something allowed by the Ts & Cs is unappealing.

Trying to protect the masses

There is clear value in checking URLs that people send over Skype, because there is such an active community of fraudsters and malware distributors. Many URLs passed over Skype are dangerous and/or spam. The only way to protect novices from malware URLs, though, is to automatically scan the URLs on the users’ behalf. You can’t count on the clueless users to have their own anti-malware URL checkers on their PC/tablet/phone. In doing this, Skype is also protecting itself. The last thing they want to hear people saying around the Internet is “don’t use Skype, you’ll be bombarded with links to malware the whole time.” This is a sensible approach to protecting the brand and reputation of their service.

They fetch HTTPS requests with a GET, apparently, whereas they only fetch HTTP requests with a HEAD. The article argues that most spam/malware comes over HTTP, not HTTPS. So what? Does this mean there is little value in scanning the secure URLs? If that were the policy, malware distributors would simply set up HTTPS servers to distribute all their drive-by downloads, safe in the knowledge that Skype wouldn’t check them. So of course the HTTPS links have to be followed, regardless of the presence of parameters. Are the authors suggesting that a link like should not be followed? Again, if that is the rule, the malware/spam senders will just adapt their practices to take advantage of it.

HEAD Requests

This is simply an optimisation/heuristic. There are entirely too many URLs to check in realtime, and some of those are going to be links to massive PDFs, movies, images, etc. When you Skype a link to the 500Mb movie of your kids to their grandmother, Microsoft doesn’t want to download the whole 500Mb just to see if it’s malware. Ironically, if they DID download the whole thing, instead of using a HEAD request, this article would probably complain that Microsoft were archiving anything users send links to. Given the security-through-obscurity of things like Dropbox (where if you know the URL, you can fetch the file), it’s good that Microsoft only do a HEAD request.

Ironically, HEAD requests are an easily-fooled heuristic. That is, if malware/spammers respond with a 3XX redirect, Microsoft might follow the redirects to their final end and correctly identify the original link as a link to malicious content. If the original link simply responds with a 200 OK to HEAD requests, then the malware/spam probably still works, but Microsoft’s scanning doesn’t catch it.
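The two behaviours described above, as an added Python example that is not the original post’s code and not Microsoft’s scanner: a HEAD-only check that follows redirects and skips oversize files, beside a version cross-checked with a bounded GET so that a server answering HEAD and GET differently is noticed. It runs over a constructed in-memory set of responses; the host names, block list and size limit are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed in-memory "web" for this example: (method, url) -> (status, headers).
# Added illustration only, not Skype's or Microsoft's scanner; all hosts are hypothetical.
FAKE_WEB = {
    ("HEAD", "http://short.example/abc"): (302, {"Location": "http://bad.example/drop.exe"}),
    ("HEAD", "http://files.example/kids.mp4"): (200, {"Content-Length": "524288000"}),
    ("HEAD", "http://blog.example/post"): (200, {"Content-Type": "text/html"}),
    ("GET", "http://blog.example/post"): (200, {"Content-Type": "text/html"}),
    # Answers HEAD with a plain 200 but sends GET clients onward: invisible to a HEAD-only check.
    ("HEAD", "http://evasive.example/page"): (200, {"Content-Type": "text/html"}),
    ("GET", "http://evasive.example/page"): (302, {"Location": "/go"}),
    ("GET", "http://evasive.example/go"): (302, {"Location": "http://bad.example/drop.exe"}),
}
BLOCKLIST = {"bad.example"}    # hypothetical reputation list
MAX_HOPS = 5                   # bound on redirect chains (also stops loops)
MAX_BYTES = 10 * 1024 * 1024   # never pull the 500Mb home movie

def fake_fetch(method, url):
    return FAKE_WEB.get((method, url), (404, {}))

def resolve(url, method, fetch, max_hops=MAX_HOPS):
    """Follow 3xx Location headers with the given method; return (final_url, status, headers)."""
    for _ in range(max_hops):
        status, headers = fetch(method, url)
        if not (300 <= status < 400 and "Location" in headers):
            return url, status, headers
        url = urljoin(url, headers["Location"])
    return url, None, {}       # chain too long: unresolved

def head_only_verdict(url, fetch=fake_fetch):
    """The cheap heuristic: HEAD only, redirects followed, size checked, body never fetched."""
    final, status, headers = resolve(url, "HEAD", fetch)
    if urlsplit(final).hostname in BLOCKLIST:
        return "malicious"
    if status is None or status >= 400:
        return "unresolved"
    if int(headers.get("Content-Length", "0")) > MAX_BYTES:
        return "skipped-large"
    return "ok"

def cross_checked_verdict(url, fetch=fake_fetch):
    """Same heuristic, then a bounded GET (a real client streams with a byte cap) to catch servers that answer HEAD and GET differently."""
    verdict = head_only_verdict(url, fetch)
    if verdict != "ok":
        return verdict
    final_head, final_get = resolve(url, "HEAD", fetch)[0], resolve(url, "GET", fetch)[0]
    if urlsplit(final_get).hostname in BLOCKLIST:
        return "malicious"
    return "ok" if final_get == final_head else "head-get-mismatch"
```

The evasive host passes the HEAD-only check and is only caught once the GET chain is followed to its end.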

Moral of the Story

We cannot have built-in protections in Skype, like checking for malicious links, without losing some modicum of privacy. I think it is entirely unfair, though, to suggest that this bit of link checking is evidence of something larger. There would need to be more actual evidence than a couple of GET requests and a couple of HEAD requests. Whatever they might be doing, we have no public evidence that they do more than EXACTLY what they tell us they’re going to do anyway.