Skype is compromised - Replace it with ZRTP and OTR


We now know for certain what has been suspected for a long time. Skype, the popular instant messaging and voice/video chat software is utterly compromised. If you are using Skype, you should keep in mind that your text, voice and video conversations are not private. They're being decrypted at Microsoft and handed over to the NSA as part of their blanket surveillance, which means a large number of individuals at Microsoft, the NSA, their contractors and anyone who can convince, trick, bribe, seduce or coerce any of them has access to these records.

So its high time to ditch Skype, which rose to popularity for making voice and video chat "just work" while including the convenient instant messaging and presence features from existing IM services. This isn't easy, because by now everyone and their grandma are on Skype, but if you value your privacy, trade secrets or don't want to get your door kicked in for making a silly joke to a friend, this is what it now takes.

Text chat

OTR preferences in Adium.

For text chat (instant messaging), this is easily done. IM is something Skype hasn't changed much, apart from the addition of some very well designed emoticons. OTR (Off-the-Record Messaging) is a well established protocol that not only provides authentication and encryption, but also deniability and PFS. To set it up, you need a client that supports it, such as Adium on Mac OS, or Pidgin (with OTR plugin) on Windows/Linux. Then each party generates a private key for their IM account with the push of a button. Set OTR to "Encrypt automatically" and as soon as you both start chatting, OTR will negotiate the encryption and inform you when it is established. If you don't have a secure channel (such as meeting in person) to verify fingerprints, you can have a video (or voice) call, as it would be hard for an MITM attacker to fake a familiar voice in realtime.

Voice and video calls

Short Authentication String (SAS) in action.

Which brings us to voice and video. OTR doesn't deal with that, but ZRTP does. It authenticates callers by showing both sides a short authentication string (SAS) which you should compare by reading it out loud at the start of the call. Calls can be set up over XMPP networks using the Jingle protocol, so you won't have to deal with SIP (unless you want to). A cross-platform client that incorporates all this is Jitsi. On top of that it also works with popular instant messaging networks and implements OTR, so you can have it all in one client, just like Skype.


Of course nothing ever works as it should. ZRTP is not relayed through a server like OTR, so direct connections must be established between clients, which thanks to the current widespread use of NAT and packet filtering is often difficult. IPv6 offers relief from this, but is often not available to end-users yet (or poorly implemented by also using NAT). Jitsi supports several workarounds in the form of STUN, TURN (relaying) and ICE (with UPnP). These will be used automatically, but in the worst case require some help from a server on the internet. Unless you want to run your own, the simplest way is to create a Jabber account on the network (related to, but not to be confused with the client of the same name), where such services are available and discoverable via XMPP, so you won't have to configure a thing.

Other issues I've encountered are problems with OTR getting out of sync and requiring manual re-establishing, and ICE failing to punch through multi-layered NAT as can be found on some mobile internet offers. There were also upsides, apart from privacy - video quality was usually better and had lower latency compared to Skype, most likely because they weren't relayed through a 3rd party server (the way Skype was originally intended). And of course, you can talk to your friends regardless of IM protocol.


Other ZRTP implementations include RedPhone for Android, Phil Zimmerman's Silent Circle products, which require a paid subscription and several GNU ZRTP based applications only available on Linux.