I’m appalled and amazed at the same time. I’m apmazed. It’s not even a word, but I think a situation like this requires the invention of new words, although harsher ones are probably more fitting. You see, after an amazing DjangoCon Europe, I arrived home to a few odd Skype messages from Guan Yang with a dead link to his blog (http://guan.dk/skypetest) and a comment saying “let’s see if they crawl this.”
Today, Guan explained the reason for the weird link; an alleged back door in Skype has been discovered, in which Skype or Microsoft will make an HTTP HEAD request to any link exchanged in Skype chats. While both the author of the above mailing list post, Adam Back, and The H Security have confirmed the back door, I was still shocked when Guan later dumped the following from his access log:
184.108.40.206 - - [20/May/2013:13:04:11 +0000] "HEAD /skypetest HTTP/1.1" 404 - "-" "-" "guan.dk" "guan.dk"
Performing a reverse lookup of the requesting IP address returns an AS number, AS8075, which Microsoft have been the proud owners of since 1997. According to The H Security, Skype responded with the following explanation for the behaviour to the German security company, heise online:
“Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links.”
While the above legalese may indeed legally justify the request, I as a user feel absolutely violated that a large corporation like Microsoft will take links that I send in all privacy to my friends and make requests to the same URLs. Worst of all, under the pretence that all Skype communications are encrypted, I’m pretty sure that a fair number of sensitive URLs have been exchanged over the years. It wouldn’t be a far-fetched thought for someone to have constructed a, say, OAuth 2.0-esque URL which, when requested, would result in the deletion of a resource, as an example to a colleague. Many web servers do not distinguish between HEAD, GET or even POST requests, so Microsoft’s behaviour alone may actually wreak havoc. And I’m pretty sure that this is even a way too complicated example of how this could be abused, especially considering how arbitrary tokens are thrown around these days. I know that you should always do things perfectly and securely, but, as the world has proven time and time again, no one ever does. Microsoft, of all people, should know this, which makes their actions even more apmazing and disgusting at the same time.
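To make the point concrete, here is an added example (my own toy code, not anything from Skype, Microsoft or the post's author): a minimal server whose GET-with-token link deletes a resource and whose HEAD handler is a shortcut to the GET handler, so a link-checking HEAD request like the one in the log above deletes the resource; beside it, the hardened form where HEAD and GET never mutate state and deletion requires POST. The resource name and token are made-up placeholders.

```python
"""Toy demonstration: a HEAD request is destructive when a server routes HEAD to a
GET handler that performs a deletion; the hardened server only mutates on POST."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection
from urllib.parse import urlparse, parse_qs

RESOURCES = {"report-42"}        # constructed sample state
TOKEN = "example-token"          # placeholder, not a real credential

def _delete_if_authorised(query):
    q = parse_qs(query)
    if q.get("token") == [TOKEN] and q.get("id", [None])[0] in RESOURCES:
        RESOURCES.discard(q["id"][0])
        return 200
    return 403

class NaiveHandler(BaseHTTPRequestHandler):
    """Deletes on GET /delete?id=..&token=.. and routes HEAD to the same code."""
    def do_GET(self):
        u = urlparse(self.path)
        status = _delete_if_authorised(u.query) if u.path == "/delete" else 404
        self.send_response(status); self.end_headers()
    do_HEAD = do_GET             # the common shortcut that makes a crawler's HEAD destructive
    def log_message(self, *a): pass   # keep the demo quiet

class SafeHandler(NaiveHandler):
    """HEAD and GET never mutate; deletion requires POST, which a link scanner does not send."""
    def do_GET(self):
        self.send_response(405 if urlparse(self.path).path == "/delete" else 404)
        self.end_headers()
    do_HEAD = do_GET
    def do_POST(self):
        u = urlparse(self.path)
        status = _delete_if_authorised(u.query) if u.path == "/delete" else 404
        self.send_response(status); self.end_headers()

def simulate_link_scan(handler, method="HEAD"):
    """Serve one request (HEAD, like the crawler's) and report (status, resource still exists)."""
    RESOURCES.add("report-42")
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
        conn.request(method, "/delete?id=report-42&token=" + TOKEN)
        status = conn.getresponse().status
        conn.close()
    finally:
        srv.shutdown(); srv.server_close()
    return status, "report-42" in RESOURCES
```

Against `NaiveHandler` the HEAD alone returns 200 and the resource is gone; against `SafeHandler` it returns 405 and the resource survives, while a deliberate POST still deletes.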
We all feared that Microsoft taking over Skype would have dire consequences. Yet, despite ever decreasing service quality, I’ve so far continued to use Skype, in the hopes that it was “just” pure neglect — something that is at times fixed with declining user numbers scaring executives into picking up the ball. But, as Microsoft has now proven, and as has been pointed out by numerous rights movements in an open letter to Skype, our worst fears have become reality. Microsoft have absolutely no good intentions, or at least none which are backed by morals, and so they have now effectively ruined Skype.
My time as a Skype user is coming to a grinding halt as soon as I find a completely end-to-end encrypted alternative — and, for your own sake, I seriously hope that you consider going down the same path.