Skype with care – Microsoft is reading everything you write (h-online.com)
84 points by jessaustin on May 16, 2013 | hide | past | favorite | 43 comments



"Spam and phishing sites are not usually found on HTTPS pages"

That's actually a lie, making people think a website is safe just because they see https:// in the address bar.

In fact, automated link visits are a common practice used by many email spam filters, and it makes sense to implement it in other messaging systems such as Skype.



Ed Bott just doesn't get it, does he?

Skype was originally marketed as having end-to-end encryption. Now, we know that since Microsoft bought Skype they've added wiretapping support, which works by making themselves a man-in-the-middle. They claim they only do this temporarily for people they are actively wiretapping.

This, however, shows that Microsoft regularly MITMs you, for the purpose of evaluating whether links are dangerous. This means that basically all of Skype's former privacy claims are no longer true. They simply regularly look at your unencrypted traffic, which means that they are a target for attackers, governments, and pretty much anyone who wants to eavesdrop or read your messages.


How do you know if Microsoft is actually eavesdropping on the entire conversation, or whether it's just the Skype client filtering out URLs in the conversation for additional screening? Sorry if I missed something in the article.


The URLs are being pinged by computers within Microsoft, so even if the filtering was only occurring on the client side (which I doubt) it still makes its way back to MS servers.


I wouldn't call this man-in-the-middle, they are the man at both ends and in the middle.

MITM usually refers to 3rd parties routing your traffic. So if your ISP or network admin was sniffing your Skype messages, that would be what is generally called MITM.


It's Ed Bott. A part of the Microsoft spin machine. Come on.


That article is very dismissive and pretty flimsy. "A single experiment"? No, it was replicated by multiple people. "I’ve concluded that the reason for the mysterious visit is almost certainly innocent.... I’m reasonably certain that address is part of Microsoft’s SmartScreen infrastructure." First, that's not very reassuring. The data should not be readable by Microsoft. Second, since the traffic showed up hours after the message was sent, it is not useful as a screening service. The link would have been clicked long before the URL was checked out. The only mitigating piece of this mess is that the request was a HEAD and not a GET, so they're not fetching the whole contents of the page. But the damage is done long before.


Then again, some people have discovered that GET requests came in probably from the same person and with a google referrer after the HEAD request from the google bot:

http://seclists.org/fulldisclosure/2013/May/80

It's concerning.
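The two comments above rest on server-log observations: a link shared only in a private chat was requested hours later, first as a HEAD and then as a GET. The following script is an added example (not code from the h-online article, the seclists post, or any commenter) of how a site owner can reproduce that check: generate an unguessable canary path, share it once, and then scan the access log for any request to it that did not come from the sender or recipient, reporting method, source address, referer, and delay after the message was sent. All log lines, timestamps, and IP addresses below are constructed; the 192.0.2.x/198.51.100.x/203.0.113.x addresses are documentation ranges, not real Microsoft addresses.

```python
"""Canary-URL check: did anyone fetch a link that was only ever shared in a
private chat?  Added example; not from the linked articles or HN comments.

Assumptions (constructed for this example): the web server writes Apache
"combined" log lines, the canary path carries a random token shared exactly
once, and every IP/timestamp below is made up."""
import re
import secrets
from datetime import datetime, timezone

# Apache "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def make_canary_path(prefix="/c/"):
    """Unpredictable path, so any hit must originate from the shared message."""
    return prefix + secrets.token_urlsafe(16)


def parse_log_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_canary_hits(log_lines, canary_path, sent_at, my_ips=()):
    """Every request for the canary path, oldest first, with the delay (seconds)
    after the message was sent.  Requests from the sender's/recipient's own
    addresses are dropped so only unexpected fetches remain."""
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["path"] != canary_path or rec["ip"] in my_ips:
            continue
        rec["delay_s"] = (rec["ts"] - sent_at).total_seconds()
        hits.append(rec)
    hits.sort(key=lambda r: r["ts"])
    return hits


def summarize(hits):
    """Count methods used: HEAD fetches only headers, GET fetches the body."""
    return {m: sum(1 for h in hits if h["method"] == m) for m in ("HEAD", "GET")}


# ---- constructed sample data (not real log entries) ----
CANARY = "/c/xK9q_constructed_token"
SENT_AT = datetime(2013, 5, 14, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    # the intended recipient clicking the link seconds after it was sent
    '198.51.100.7 - - [14/May/2013:12:00:05 +0000] "GET /c/xK9q_constructed_token HTTP/1.1" 200 512 "-" "Mozilla/5.0 (recipient)"',
    # unrelated traffic
    '203.0.113.9 - - [14/May/2013:12:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.30"',
    # a HEAD from an unknown address hours later
    '192.0.2.10 - - [14/May/2013:17:42:11 +0000] "HEAD /c/xK9q_constructed_token HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    # a later GET with a search-engine referer
    '192.0.2.11 - - [14/May/2013:19:10:30 +0000] "GET /c/xK9q_constructed_token HTTP/1.1" 200 512 "http://www.google.com/" "Mozilla/5.0 (constructed)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = find_canary_hits(SAMPLE_LOG, CANARY, SENT_AT, my_ips={"198.51.100.7"})
    for h in hits:
        print(f"{h['ip']:15} {h['method']:4} +{h['delay_s'] / 3600:5.1f}h "
              f"referer={h['referer']!r} ua={h['ua']!r}")
    print(summarize(hits))
```

On the constructed data this reports the HEAD about 5.7 hours after the message and the GET about 7.2 hours after it, which is the point the commenter makes: a check that arrives hours later cannot have protected the recipient who clicked within seconds. Excluding your own and the recipient's addresses is what turns the log into evidence; without that filter the recipient's legitimate click shows up as a third hit.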


The ZDNet article does not say that Microsoft aren't reading and interpreting what people write in private chat. ZDNet just says it's "almost certainly innocent" because it's done automatically by a machine for the purpose of increased security.

I for one disagree here that such actions are innocent. When people's private conversations are read and interpreted, even by a machine, most people still get a feeling of lost security. This in turn causes a real problem from lower personal security, increased mental stress, and social self-imposed restrictions.


So is a spell checker in an IM client equally a problem?


If a spell checker runs locally, you know that there is no physical way that information is being transmitted to someone else.

A server is a black box controlled by someone else. They may tell you it's doing X but there's no way to verify that.


If it's on the server, yes. I don't want the server (or anyone other than the recipient) to be able to read my messages. Period.


[deleted]


You keep using that word. I do not think it means what you think it means.


In addition to sp332's well-taken points, there is the fact that what Microsoft sees, it cannot prevent the USA government and its allies from seeing. Many Skype customers would see that as an unacceptable threat.


The article concludes: There’s no evidence that anyone, human or machine, is reading your confidential messages.

Well obviously, a machine is reading your confidential messages, if only to scan them for links. In the most benign case, the link scanning could be done in the Skype client (closed source software on your machine), and MS's servers are seeing a list of links + an encrypted message.

But we just don't know, do we?


So, as a Linux user wishing to have some communication with other people in the world, what is the correct alternative to Skype?


The best recommendation I have at the current time is OTR https://en.wikipedia.org/wiki/Off-the-Record_Messaging, authenticate your key fingerprints, ensure that neither party's chat program is logging, and that both computers are free of malware.

Pidgin supports OTR, but it crashes enough to raise concerns about that last point.


I'm confused. The above poster asked what a good chat program is for communicating with other people (namely non-technical users) where the user can't get spied upon.

This isn't so much a "how can I be secure" question, but a "what alternatives to Skype do I have that work on Linux" question.

Which is one I'm also interested in, since I also want something that's (1) Linux compatible, (2) easy and accessible for "average users" of any OS, and (3) secure. And I'm hoping for those things in that order.


If you are talking to an average user (implied by #2), then there are short odds that at some point their machine will be compromised, at which point it doesn't matter how secure the communications channel is.


I should clarify, I don't mean secure from all angles. In terms of security I don't want a company looking through my chat logs, and I don't want someone to be able to see what I'm saying via a wifi sniffer.


Pidgin with OTR fits the bill. It should really be standard with Pidgin/Adium/anything.


For privacy in asynchronous text communication email with GPG is still pretty much as bulletproof a solution as you can get.

For real-time text chat you can try Cryptocat: it's cross-platform, implements the OTR protocol [1] and is rather user-friendly.

[1] https://en.wikipedia.org/wiki/Off-the-Record_Messaging


SSH into a secure common server and use talk(3) (http://en.wikipedia.org/wiki/Talk_(software)) ;-)


I've switched to Yate's QT client (http://yate.null.ro) for all my communication needs. Allocate about 512MB of RAM to a VM for Asterisk/Openfire/FreePBX, and connect to it. You'll have voice/video plus instant messaging, with no central authority snooping on all your conversations.

I realize I could probably use Yate for everything, but I know Asterisk and Openfire better at this point, so I use them. :)



I laughed, because it's funny to think that someone concerned about Microsoft snooping on their chat sessions would be willing to somehow publish those same messages into a (very public) blockchain.


Google Hangout maybe?


That's a bold suggestion given the recent climate here.


I think that was meant as sarcasm :)



IRC if you don't require audio and video.


IRC is not usually very secure.


If you're looking for alternatives, I recommend anything with off-the-record (OTR) messaging. http://privasectech.com/2013/05/who-can-read-your-chat/


As an ex-Microsoftie, I'm really happy Skype is doing this. Instant messages are one of the best ways to spread bad things to other people's computers by getting them to click on things. This is going to protect a lot of people.


Doesn't it totally undermine the message made on scroogled.com, Microsoft's anti-Google advertising campaign?

http://www.scroogled.com/mail

THINK GOOGLE RESPECTS YOUR PRIVACY? THINK AGAIN.

Google goes through every Gmail that's sent or received, looking for keywords so they can target Gmail users with paid ads. And there's no way to opt out of this invasion of your privacy. Outlook.com is different—we don't go through your email to sell ads.


I've recently discovered that MSN censors IMs with some URLs. From reports, it seems that the censor rules are really random too: e.g. everything with the .io TLD. It also gave zero feedback that it was doing this, other than "error sending message".

That is not acceptable. If you think there is a virus in a URL, attach a warning as web browsers do with domains that have had reports of distributing malware. And beyond that, actually make sure that you only do this for sites that are really a danger, rather than making up arbitrary rules with exceedingly low precision.


I've actually had trouble sending any links at all over MSN. Oddly, removing http:// sidesteps it completely.


A few hours after the link is typed into the chat window?


I would prefer they put their efforts into making a secure operating system in the first place instead of trying to nanny their users in such a creepy fashion.


I suspect different teams are involved with scanning for malware URLs in Skype and implementing core OS protections, so the tradeoff you imply is illusory. Besides, Microsoft already puts a lot of effort into the security of Windows, with seemingly good results. There's nothing wrong with defense in depth.


You are correct. I should have simply said I don't think this scanning is appropriate.


This is just Microsoft running chat logs through automation scripts. I would assume these links also coordinate content of the conversation with the link and are correlated into Bing search results.

Side Note: I wouldn't be surprised if Google Chrome submits URL and page content to Googlebot (for crawling).



