Adventures of a foreigner in the south of Brazil.

Friday, July 25, 2008

VoIP and Security (aka governments may snoop on skype)

It appears that there is a backdoor in skype that allows interested parties, such as governments, to snoop on your calls. That hardly comes as a surprise in a closed network that has been trying very hard to resist all scrutiny of its encryption and security mechanisms. If true - and that seems to be very likely - it is still a dishonest business practice.

So...how to defend against it? Drop skype. Discontinue its use. There are a number of applications out there that use open standards and protocols such as SIP/RTP and IAX. The call is of better quality than skype calls, too. There are free phone registries, and both calls and video can be encrypted. In short, you can have better quality, good security and actually even better convenience without skype at all.

Here's how:
  1. Register with an SIP service, such as Free World Dialup. That will give you VoIP telephony, dial-in/dial-out, and an online registry. There are many more out there with various service offerings. Google will help.
  2. Get a VoIP softphone. Often providers will offer freely downloadable software; there is also open source software available on the net. For Linux you can use software such as Twinkle (with built-in encryption). Twinkle and some others should be available through your distribution's installer.
  3. If your software has built-in encryption you should enable it (in Twinkle this is in the profile under the security tab, enable ZRTP). Alternatively get Phil Zimmermann's Zfone, which encrypts your connection for a number of applications and providers.
  4. You're ready to roll. Your VoIP number will look similar to sip:123456@myvoipprovider.net. Give your number to your friends, maintain your application's buddy list for greater convenience and chat in privacy.
And if you're a webcam freak: That also works. Not every application has it but some do.
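
To check what step 3 changed in the call setup, here is an added example (not part of the original post) that reads the SDP body of a SIP INVITE and reports how each audio or video stream signals encryption. The sample SDP and all function names are constructed for illustration; since ZRTP agrees its keys inside the media stream and the `a=zrtp-hash` attribute from RFC 6189 is optional, "none-signalled" only means the SDP carries no hint, so the softphone's own ZRTP indicator remains the final check.

```python
# Added example, not from the original post. Names and sample data are
# assumptions made for illustration.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}  # SRTP transport profiles in SDP

# Constructed SDP offer: audio advertises a ZRTP hello hash, video does not.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=alice 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 8000 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
    "a=zrtp-hash:1.10 " + "ab" * 32,   # constructed 64-hex-digit value
    "m=video 8002 RTP/AVP 96",
    "a=rtpmap:96 H263-1998/90000",
])

def verdict(stream):
    """Classify one media stream by the encryption hints seen in its section."""
    if stream["zrtp_hash"]:
        return "zrtp-signalled"      # end-to-end key agreement in the media path
    if stream["proto"] in SRTP_PROFILES and stream["crypto"]:
        return "sdes-srtp"           # SRTP keys carried in the signalling itself
    return "none-signalled"          # plain RTP unless ZRTP starts unannounced

def media_security(sdp):
    """Return [(media, transport, verdict)] for every m= line in an SDP body."""
    streams, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            current = None           # a malformed m= line gets no record
            if len(fields) >= 3:
                current = {"media": fields[0], "proto": fields[2].upper(),
                           "crypto": False, "zrtp_hash": False}
                streams.append(current)
        elif current is not None and line.startswith("a=crypto:"):
            current["crypto"] = True
        elif current is not None and line.startswith("a=zrtp-hash:"):
            current["zrtp_hash"] = True
    return [(s["media"], s["proto"], verdict(s)) for s in streams]

if __name__ == "__main__":
    for row in media_security(SAMPLE_SDP):
        print(row)
```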

Remember: This whole thing is independent of application and provider. It's one network. It's an open standard. You pick what you like, your friends pick what they like and it works. If you'd like to get my numbers feel free to ask. And don't expect me on skype.

For your other instant messaging needs I would strongly recommend a Jabber client such as Psi, since the Jabber protocol also features end-to-end encryption and is completely open. One of the more well-known Jabber services is offered by Google. Here, too, software and provider do not matter, and fred_flintstone@gmail.com will be able to have malcolm_x@someotherprovider.com on his buddy list, chat, send files etc. without any problems.

The setup takes a few minutes each, call it half an hour in total if you've never done it before. So if you value your privacy: What are you waiting for?