Microsoft, Signal add end-to-end encryption to Skype

AppleInsider

Skype users will soon be able to message without fear of prying eyes as secure communications firm Signal has partnered with Microsoft to add new encryption capabilities to the service.

The new feature, dubbed Private Conversations, has some key differences from typical Skype chats. Users must specifically accept invitations to private conversations, and for now those conversations must be one-to-one.

Additionally, private conversations can only take place on the devices they're initiated from. That means that a conversation started on a phone can't be continued from a laptop, for instance, due to the nature of Signal's encryption protocol.

Users also won't be able to edit messages or forward files in private conversations, or see message previews in the main chat window.

Skype marks the third major messaging service to adopt Signal's protocol for secure end-to-end encryption. WhatsApp, Facebook Messenger, and Google's Allo added the feature in 2016,

Private conversations are available now in Skype Insider builds for Windows, Mac, Linux, and Android. There's no word yet on when the feature will roll out to a wider audience.

racerhomie3

Wow .
They did not have this before!

indieshack

Um - what? Signal will have been (or will be in the future) the recipient of a midnight knock at the door by someone holding a court order to provide them access to the encryption. Personally I couldn’t care less since I don’t do anything interesting (or dodgy) in my spare time, but no one should be under the illusion that this is completely impenetrable.

bobjohnson

indieshack said:

Um - what? Signal will have been (or will be in the future) the recipient of a midnight knock at the door by someone holding a court order to provide them access to the encryption. Personally I couldn’t care less since I don’t do anything interesting (or dodgy) in my spare time, but no one should be under the illusion that this is completely impenetrable.

Barring a flaw in the protocol itself, this isn't really possible. The core concept of end-to-end encryption is that the only parties capable of reading messages are the parties sending the messages, because they generate the keypairs directly. You can't have a "master key."

edited January 2018

indieshack

bobjohnson said:

indieshack said:

Um - what? Signal will have been (or will be in the future) the recipient of a midnight knock at the door by someone holding a court order to provide them access to the encryption. Personally I couldn’t care less since I don’t do anything interesting (or dodgy) in my spare time, but no one should be under the illusion that this is completely impenetrable.

Barring a flaw in the protocol itself, this isn't really possible. The core concept of end-to-end encryption is that the only parties capable of reading messages are the parties sending the messages, because they generate the keypairs directly. You can't have a "master key."

I stand corrected - I read up some more after your comment 

roake

indieshack said:

Um - what? Signal will have been (or will be in the future) the recipient of a midnight knock at the door by someone holding a court order to provide them access to the encryption. Personally I couldn’t care less since I don’t do anything interesting (or dodgy) in my spare time, but no one should be under the illusion that this is completely impenetrable.

None of us do anything interesting (or dodgy), or maybe we do.  In any case, it’s ours to do, and not the business of the government.  And if they think it is, they can damned well investigate based on my merits or actions, and not by slithering around through everything attributed to me on the internet.

lkrupp

So does Microsoft now join the ranks of “Jerks” and “Evil Geniuses” with Apple?

darren mccoy

Oh yeah... Skype.

sandor

If WhatsApp, FaceBook & Google have it, then Skype is the 4th, right?
And Signal already has it in their messaging app, so Skype would be the 5th.

linkman

bobjohnson said:

indieshack said:

Um - what? Signal will have been (or will be in the future) the recipient of a midnight knock at the door by someone holding a court order to provide them access to the encryption. Personally I couldn’t care less since I don’t do anything interesting (or dodgy) in my spare time, but no one should be under the illusion that this is completely impenetrable.

Barring a flaw in the protocol itself, this isn't really possible. The core concept of end-to-end encryption is that the only parties capable of reading messages are the parties sending the messages, because they generate the keypairs directly. You can't have a "master key."

The flaw is that we can't be certain that Microsoft/Skype/Signal hasn't placed a backdoor in the app where the keys for every conversation get sent to a third party because of some secret law/order.

indieshack

linkman said:

bobjohnson said:

indieshack said:

Um - what? Signal will have been (or will be in the future) the recipient of a midnight knock at the door by someone holding a court order to provide them access to the encryption. Personally I couldn’t care less since I don’t do anything interesting (or dodgy) in my spare time, but no one should be under the illusion that this is completely impenetrable.

Barring a flaw in the protocol itself, this isn't really possible. The core concept of end-to-end encryption is that the only parties capable of reading messages are the parties sending the messages, because they generate the keypairs directly. You can't have a "master key."

The flaw is that we can't be certain that Microsoft/Skype/Signal hasn't placed a backdoor in the app where the keys for every conversation get sent to a third party because of some secret law/order.

You are saying pretty much what I also commented, but end-to-end encryption is meant to be less susceptible to back door capability, at least based on what I read

gatorguy

linkman said:

bobjohnson said:

indieshack said:

Um - what? Signal will have been (or will be in the future) the recipient of a midnight knock at the door by someone holding a court order to provide them access to the encryption. Personally I couldn’t care less since I don’t do anything interesting (or dodgy) in my spare time, but no one should be under the illusion that this is completely impenetrable.

Barring a flaw in the protocol itself, this isn't really possible. The core concept of end-to-end encryption is that the only parties capable of reading messages are the parties sending the messages, because they generate the keypairs directly. You can't have a "master key."

The flaw is that we can't be certain that Microsoft/Skype/Signal hasn't placed a backdoor in the app where the keys for every conversation get sent to a third party because of some secret law/order.

China immediately comes to mind which perhaps is the reason both Signal and Skype are now barred from there, a relatively recent event. Under new(ish) Chinese mandates all encrypting software services operating there must pass inspection and approval by authorities in order to be legally used. As part of the approval process a method for China to decrypt must also be provided. 

edited January 2018

bobjohnson

linkman said:

The flaw is that we can't be certain that Microsoft/Skype/Signal hasn't placed a backdoor in the app where the keys for every conversation get sent to a third party because of some secret law/order.

The signal protocol is designed to mitigate this with renewable session keys: https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm

You'd have to intercept literally everything - after obtaining the keys - to access the contents of one message. We're talking targeted NSA-level surveillance here, and for people considering that a component of their threat model I don't think Skype is on the table anyway.

linkman

bobjohnson said:

linkman said:

The flaw is that we can't be certain that Microsoft/Skype/Signal hasn't placed a backdoor in the app where the keys for every conversation get sent to a third party because of some secret law/order.

The signal protocol is designed to mitigate this with renewable session keys: https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm

You'd have to intercept literally everything - after obtaining the keys - to access the contents of one message. We're talking targeted NSA-level surveillance here, and for people considering that a component of their threat model I don't think Skype is on the table anyway.

A feature built into the app to send keys and the messages to the surveillance group would have them monitoring the communications with no problem. It would be no different than each end of the pair receiving the messages.

cgwerks

racerhomie3 said:

Wow .
They did not have this before!

No kidding, I was under the impression Skype chats were already encrypted and 'end-to-end'. Hmm...

But, this ultimately comes down to trust. Comey (back during the encrypted phone brouhaha) was asking for so-called "end-to-end" encryption where 3-letter agencies got to be 'man in the middle' elements. So, effectively 'end-to-end' with a tap in the middle. You know, like 'end-to-end encrypted' for practical purposes, just not really end-to-end when it comes to our trusted government entities.

So, do we trust Signal? Apple? etc.