I can't help but notice that the vast majority of people can't process a piece of news such as the one that was posted recently on this blog. To quote Lao Tzu "Those who know do not speak, those who speak, do not know", or something in that regard (sweet irony for I am now speaking).
What are Skype supernodes? As explained in the Skype presentations given 6 years ago, Skype supernodes are a directory and routing service. They are basically the Yellow Pages of Skype, you send them your blobs, and you query them to get your contacts' blobs. If you are behind a NAT or firewall, they will route requests to you. Do they route voice calls (or IM)? No. Relay nodes take care of those if you can't communicate directly with the other end. There is a mutual exclusivity in that a node can't be a relay and a supernode at the same time. At this time, relays are still random machines in the "wild", and people from that "Skype Open Source Project" are full of shit.
Once again, as explained in Vanilla Skype, when you establish a session with a peer - through a relay or directly - each party sends to the other a half-AES key encrypted with the public RSA blob of the other party. Then the session is encrypted using that session key. This means that the end to end traffic is encrypted with something neither the supernode, nor the relay node, nor Skype, know stuff about: because they do *not* have your private RSA key. Does having centralized Supernodes ease wiretapping? No. Does it make the network more reliable, secure, and scalable? Most likely.
Read the slides (part 1 & part 2). If you don't understand them, too bad, you are missing out.
Leveling Up Fuzzing: Finding more vulnerabilities with AI
-
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source
Security Team
Recently, OSS-Fuzz reported 26 new vulnerabilities to open source...
1 day ago
1 comment:
sorry for my ignorance, but basically, you are saying that:
1) ok for microsoft to control all the supernodes
2) both of the ends communicating, are authenticated with their own public RSA, which don't rely in a central authority out of the control of microsoft
3) microsoft cannot replace the RSA from the users in the beginning of the session if demanded so by a court order
did i understood it right?
Post a Comment