Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Microsoft Accesses Skype Chats

Jon Camfield jon at
Fri May 17 07:10:24 PDT 2013

On 05/17/2013 07:31 AM, Rich Kulawiec wrote:
> On Tue, May 14, 2013 at 09:14:19PM +0530, Pranesh Prakash wrote:
>> Heise Security is reporting that Microsoft accesses links sent over
>> Skype chat.[1]
> Everyone who thinks that's the *only* thing that Microsoft is quietly
> doing behind everyone's back, raise your hand.
> And incidentally, the proffered rationale for this doesn't fly, given
> that (a) they're only sending HEAD: actually scanning destination URLs
> for malware would require fetching the whole page and (b) they're
> only retrieving HTTPS URLs (per Heise) which is not what someone actually
> looking for malware would do.

Let me address (b) first - I want to clarify that there is HEAD scanning
on HTTP URLs, *not just HTTPS*.

This comes from the same IP, with a 2-3 hour delay from posting in skype
to seeing in the logs: - - [15/May/2013:09:16:33 -0700] "HEAD /skype.html
HTTP/1.1" 200 320 "-" "-"

I'm doing some follow-up tests to see if it follows redirects, links
posted without http:// or https:// , links without www.* and so on.
This could inform the utility of (a) (I'm arguing as a devil's advocate
here).  Given that MS might have an existing catalog of malware sites
and/or a separate method for finding new ones; this HEAD scanning may be
looking for new, unknown redirects to known malware sites. (However,
this wouldn't find in-page redirects or javascript redirects/additions,
and a number of other "popular" malware/adspam distribution tools).

  Moreover (c) even if they classified
> a URL as malicious, let's say, the recipient
> of said URL is likely to access it via a data path outside their control,
> thus -- unless they blocked it *inside* Skype -- they have no way to
> prevent access to it and delivery of whatever malware payload awaits.

Skype does detect and activate links based on some regex-like system, so
it's remotely possible that this same process could have an overridden
link to a pass-through warning page/etc.

Also could be worth testing...

> Source code is truth; all the rest is smoke and mirrors, hype and PR.
> If Microsoft had the *slightest* interest in telling y'all the truth,
> then they would have answered the group letter earlier this spring with
> code, not with glib prose crafted by a committee of talented spokesliars.
> ---rsk
> p.s. Heise's discovery is an existence proof that it's possible to
> intercept the contents.  Therefore we must presume that other entities
> besides Microsoft may have this capability -- doubly so given that some
> of those entities have not only the resources, but the motivation.

It's also possible that the skype client is reporting these urls
separately from the content of a chat as part of its link-verification
and activation.  As you say, without the source, it's not really knowable.

More interesting, the IP is listed by ARIN as being from Redmond, which
means that at the very least, the URLs pass through the US and could be
subject to warrants, NSLs, and so forth; which is somewhat at odds with
the Skype-data-is-in-Luxembourg text from

"What is Microsoft and Skype’s position on CALEA?
The U.S. law, Communications Assistance for Law Enforcement Act, does
not apply to any of Microsoft’s services, including Skype, as Microsoft
is not a telecommunications carrier. Skype is an independent division
headquartered and operating under Luxembourg law."


More information about the liberationtech mailing list