
Skype with care – Microsoft is reading everything you write - jessaustin
http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html#
======
cabirum
"Spam and phishing sites are not usually found on HTTPS pages"

That's actually a lie, making people think a website is safe just because they
see <https://> in the address bar.

In fact, automated link visits are a common practice used by many email spam
filters, and it makes sense to implement it in other messaging systems such as
Skype.

------
Lightning
Previous discussion: <https://news.ycombinator.com/item?id=5704574>

Also, no it isn't: [http://www.zdnet.com/is-microsoft-reading-your-skype-instant...](http://www.zdnet.com/is-microsoft-reading-your-skype-instant-messages-7000015388/)

~~~
lambda
Ed Bott just doesn't get it, does he?

Skype was originally marketed as having end-to-end encryption. Now, we know
that since Microsoft bought Skype they've added wiretapping support, which
works by making themselves a man-in-the-middle. They claim they only do this
temporarily for people they are actively wiretapping.

This, however, shows that Microsoft regularly MITMs you, for the purpose of
evaluating whether links are dangerous. This means that basically all of
Skype's former privacy claims are no longer true. They simply regularly look
at your unencrypted traffic, which means that they are a target for attackers,
governments, and pretty much anyone who wants to eavesdrop or read your
messages.

~~~
sigterm
How do you know if Microsoft is actually eavesdropping on the entire
conversation, or it's just the Skype client filtering out URLs in the
conversation for additional screening? Sorry if I missed something in the
article.

~~~
shuzchen
The URLs are being pinged by computers within Microsoft, so even if the
filtering was only occurring on the client side (which I doubt) it still makes
its way back to MS servers.

------
LesZedCB
So, as a Linux user wishing to have some communication with _other_ people in
the world, what is the correct alternative to Skype?

~~~
marshray
The best recommendation I have at the current time is OTR
<https://en.wikipedia.org/wiki/Off-the-Record_Messaging>, authenticate your
key fingerprints, ensure that neither party's chat program is logging, and
that both computers are free of malware.

Pidgin supports OTR, but it crashes enough to raise concerns about that last
point.

~~~
lelandbatey
I'm confused. The above poster asked what a good chat program is for
communicating with other people (namely non-technical users) where the user
can't get spied upon.

This isn't so much a "how can I be secure" question, but a "what alternatives
to Skype do I have that work on Linux" question.

Which is one I'm also interested in, since I also want something that's
(1) Linux compatible, (2) easy and accessible for "average users" of any OS,
(3) and secure. And I'm hoping for those things in that order.

~~~
aidenn0
If you are talking to an average user (implied by #2), then there are short
odds that at some point their machine will be compromised, at which point it
doesn't matter how secure the communications channel is.

~~~
lelandbatey
I should clarify, I don't mean secure from all angles. In terms of security I
don't want a company looking through my chat logs, and I don't want someone
to be able to see what I'm saying via a wifi sniffer.

------
privasectech
If you're looking for alternatives, I recommend anything with off-the-record
(OTR) messaging. <http://privasectech.com/2013/05/who-can-read-your-chat/>

------
sriramk
As an ex-Microsoftie, I'm really happy Skype is doing this. Instant messages
are one of the best ways to spread bad things to other people's computers by
getting them to click on things. This is going to protect a lot of people.

~~~
tensor
I've recently discovered that MSN censors IMs with some URLs. From reports, it
seems that the censor rules are really random too: e.g. everything with the
.io TLD. It also gave zero feedback that it was doing this, other than "error
sending message".

That is not acceptable. If you think there is a virus in a URL, attach a
warning as web browsers do with domains that have had reports of distributing
malware. And beyond that, actually make sure that you only do this for sites
that are really a danger, rather than making up arbitrary rules with
exceedingly low precision.

~~~
sli
I've actually had trouble sending any links _at all_ over MSN. Oddly, removing
<http://> sidesteps it completely.

------
quackerhacker
This is just Microsoft running chat logs through automation scripts. I would
assume these links also coordinate content of the conversation with the link
and are correlated into Bing search results.

Side Note: I wouldn't be surprised if Google Chrome submits URL and page
content to Googlebot (for crawling).

