Microsoft decrypts Skype comms to detect malicious links

The issue addresses last week by The H and their associates at heise Security of whether or not Microsoft checks links contained in encrypted Skype chat sessions and their claim that it did has raised quite a few questions.

Several independent researchers including security consultant Ashkan Soltani who was hired by Ars Technica confirmed that some of the URLs contained in chats were, indeed, accessed from an IP address belonging to Microsoft.

The machines in question sends HEAD requests (meaning that it doesn’t request the full web pages) to which the server responds with HTTP headers.

Ed Bott says that he’s “reasonably certain” the IP address is part of Microsoft’s SmartScreen (phishing, malware and spam filter) infrastructure and that these headers are then checked by it in order to detect potentially malicious URLs and ultimately tag them as such and / or block them.

He says that the way that SmartScreen works – it examines the host’s reputation – can explain why it needs only to check the HTTP headers to detect fraudulent and malicious links. Also, the fact that SmartScreen sends such requests only to links that haven’t yet a reputation and are therefore potentially suspicious seems to confirm that this “intrusion” is made with the best intentions.

But it’s also true that the encrypted communication must be decrypted in order for the links to be scanned, and according to its Privacy Policy, Skype can record and retain links and other content sent over Skype.

So the issue now becomes not whether Microsoft does this or not, but whether users know about this and take it into account when using Skype.

“There’s a widely held belief—even among security professionals, journalists, and human rights activists—that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party’s control. This is clearly not the case if Microsoft has the ability to read URLs transmitted back and forth,” points out Ars Technica‘s Dan Goodin.

Don't miss