Security section

One of Skype's main goals is to protect our users' from unauthorized eavesdropping. Along these same lines, we want to prevent the kind of impersonation that fraudsters often use over e-mail to trick users into giving up valuable personal information.

To achieve these goals, Skype issues every user of Skype a "digital certificate" that any user of Skype can present in order to establish the identity of the person placing or receiving a Skype call or chat. These digital certificates form the core of Skype's online directory, which permits users to find one another over the Internet without needing a central list of who's online.

What is a Digital Certificate?

A digital certificate is an electronic credential that can be used to establish the identity of a Skype user, wherever that user may be located. Just like a physical identity document, such as a driving license, a digital certificate must have certain properties in order to be used as a form of identification. In particular, it must:

• Name the specific account being identified;
• Be issued by an authority that can revoke the certificate at any time;
• Be difficult to counterfeit; and
• Contain the countersignature of the issuing authority, which, in this case, is Skype.

Authentication

Because Skype users all possess digital credentials, it is possible for any Skype user to verify the identity of any other Skype user. This process is called authentication: the proving of each party's true identification to the other.

Authentication is a critical step in ensuring secure communications. Imagine having a chat conversation with someone who claimed to be a business partner, but who is actually an impostor. The chat conversation could be as highly encrypted as possible, yet the divulging of private information could still occur.

Encryption

Communications networks, such as the Internet, can be monitored by criminals and hackers at any number of points. This is one of the reasons why e-mail and many Internet chat programs are considered unsafe from a security point of view. In other words, because there are so many ways for unknown persons to monitor users' communications, users must take positive steps to protect themselves from this type of intrusion.

Encryption is the process of encoding a message, using principles of mathematics, in such a way that it is readable only by the intended recipient. Many kinds of encryption techniques have been developed over the centuries, but they all tend to resemble a lockbox and key: Once a secret message is put into the lockbox and secured with the key, it can only be read again by someone possessing the same key.

Skype uses well-known standards-based encryption algorithms to protect Skype users' communications from falling into the hands of hackers and criminals. In so doing, Skype helps ensure user's privacy as well as the integrity of the data being sent from one user to another.

Independent security review

This review of Skype's encryption (PGP signature file) provides a detailed review of the security framework that is incorporated into Skype products. Skype provides its users with protections against a wide range of possible attacks, such as impersonation, eavesdropping, man-in-the-middle attacks, and the modification of data while in transit.

The report describes the general protective mechanisms that are in use throughout Skype's infrastructure as well as the general security policy that defines the basis for all designs within Skype's operational framework.

Skype is a peer-to-peer communications application, which means that it relies on computers being able to directly send messages to one another over the Internet. As such, Skype works best when users are able to communicate directly amongst themselves over the Internet without blocks or interference.

Firewalls are devices set up to protect computer networks from outside access, thereby thwarting attacks from potentially malicious users on the Internet. The presence of firewalls on a user's network often prevents that user from being able to directly receive communications from other users, which can make reduce the quality of a voice call.

However, Skype will work fine even if it is behind a firewall. This is because when Skype runs on a network behind a firewall, it connects "outward" toward the Internet. Skype does not in any way modify or interfere with the use of firewalls on the network. Although sometimes the quality of a Skype call is improved by allowing inbound connections from the Internet, no special firewall rules or exceptions are needed.

The most important step in making sure your computer remains safe and secure is to follow good general security practices:

1. Install and use an anti-virus program to protect your computer from online threats, no matter how they are sent to your computer.
2. Keep your computer's operating system up-to-date by installing updates or patches, such as by using the Windows Update service.
3. Don't open up file attachments, especially if they come from untrustworthy sources.
4. Install and use a firewall program.
5. Make backups of your important files and folders.
6. Use strong, hard-to-guess passwords.
7. Use care when downloading and installing programs.

We recommend that users read and follow the Safe Computing Tips promoted by the CERT® Coordination Center.

Security for your computer

• Learn how to protect your computer from online threats
• Follow the "best practices" for protecting your PC

Security response

• Read Skype's security blog
• Skype's security bulletins
• Contact Skype to report any suspected security vulnerabilities