I’ve seen quite a few threads pop up recommending Fire’s guide as a viable alternative to mine. I’m not going to be long-winded about this, and I’ll break down in a few simple paragraphs why I would avoid using a guide such as this for Skype security.
For reference, here is the guide in question: Fire’s Skype Proxy Guide – DDoS prevent assistance by Fire, TwitchTV Support Administrator
My four important points, reiterated from my own DDoS prevention guide, for any security or tech-related solution are as follows:
It should be simple.
- This means it should be easy to set up and hard (or impossible) to screw up. Nothing complicated, nothing requiring previous extensive technical knowledge. Just something easy to set up.
It should be elegant.
- The solution should require as few steps as possible, and omit any extraneous programs or steps that aren’t absolutely necessary.
It should be reliable.
- Whatever we set up should work the maximum amount of time, conditions permitting.
It should be secure.
- There shouldn’t be “half-measures” taken to secure yourself, ever. If you’re going to cut corners, don’t bother.
Fire’s Skype Protection guide fails on all four of these points.
- You should never route your traffic through an anonymous proxy obtained off of strange lists on the internet. Ever. Period. Don’t do it.
While Skype claims to encrypt all of their traffic, any update or change in the program that breaks this encryption or revokes it will mean you are exposing 100% of your traffic to whoever is controlling that proxy. If that proxy was being controlled by a malicious entity, they could very easily eavesdrop on your conversations, intercept private photographs or videos, or obtain any other info being sent either via files or through conversations with another person on Skype, including audio.
Another possible negative scenario would be a zero-day exploit surfacing that would allow someone sitting on the proxy to send you a false update to your Skype. Things of this nature have occurred on Tor before, a program people use to mask their identity online. If you install malicious software on your computer, anything is on the table insofar as what a user is able to obtain. Passwords saved in your browser that will lead to your e-mail, an e-mail address that will allow you to reset your bank password (unless you use 2-factor authentication), personal files on your computer, etc. This simple program is all that’s required to dump all of the data from your Firefox into a file for someone to go through, without ever triggering a UAC warning.
Do not route traffic through random, insecure proxies.
This clearly violates our secure requirement for our security solution.
- Choosing random, anonymous proxies off of a list generated from public proxies means you are never guaranteed good – or even adequate – performance.
If you are streaming, playing a tournament match, scrimming with your team, speaking to your dying mother via Skype, or attempting to match fix with your nefarious e-sports partners, the last thing you want is for your Skype connection to randomly drop. There is absolutely no guarantee that any of these proxies will hold up for any amount of time. You have no assurance that they will allow you to transfer files or any meaningful data across Skype if you need to (though there are admittedly much better mediums for that, such as Google Drive).
Anonymous proxies on anonymous lists aren’t going to provide any kind of reliable data transfer, so this violates our reliable requirement.
- Do not mess with the Windows registry unless you either know exactly what you are doing or you absolutely have to, and absolutely under no circumstance should you be downloading and running sketchy batch/.reg files to modify your registry.
Messing with your Windows registry settings can have catastrophic effects on your system. While it’s unlikely that you would ever ruin your computer or prevent its ability to boot by modifying registry settings pertaining to Skype, there’s no reason to modify your registry for our purposes of protecting Skype.
Also, who’s to say that a future update with Skype wouldn’t alter the way Skype searches for a proxy to connect to? In doing so, it runs the risk of completely breaking this registry fix.
I also have a huge problem downloading a .reg file from Dropbox that’s going to modify your registry. Who’s to say that the original uploader of this imgur album won’t change the link to a malicious file in the future? Or, say you trust Fire as an administrator to not do that, who’s to say someone won’t gain access to his computer or imgur account and modify the link to point it towards some more malicious code?
You should not be downloading executables or batch/.reg files that modify your registry, especially when the link can be changed at any time to point to a malignant file.
The registry editing section of this anti-DDoS guide violates our elegant clause (because editing the registry is not necessary), our reliable clause (because a future Skype update could break the “fix”) and the security clause (because the link could be changed to something more malicious without a layman realizing it).
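To show what reviewing a downloaded .reg file actually involves, here is an added example (not part of Fire's guide or mine) that lists every change a .reg file would make, flags anything outside the one subtree it is supposed to edit, and checks the file against the hash of the copy that was reviewed. The key paths, the allowed prefix and the sample file are constructed placeholders, not Skype's real registry keys.

```python
import hashlib
import re

# Constructed sample .reg text; key paths are placeholders, not Skype's keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp\Proxy]
"Host"="203.0.113.10"
"Port"=dword:00001f90

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleOther\Settings]
"Enabled"=dword:00000001

[-HKEY_CURRENT_USER\Software\ExampleOther\Cache]
'''
# Assumed: the only subtree the guide says its file will edit.
ALLOWED_PREFIX = r"HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def list_changes(reg_text):
    """Return (action, key, value_name) for every change the file would make."""
    changes, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)  # a leading "-" means the whole key is deleted
            changes.append(("delete-key" if m.group(1) else "open-key", key, None))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            action = "delete-value" if m.group(2) == "-" else "set-value"
            changes.append((action, key, m.group(1).strip('"')))
    return changes

def out_of_scope(reg_text, allowed_prefix):
    """Changes that touch keys outside the subtree the guide claims to edit."""
    p = allowed_prefix.lower()  # registry key names are case-insensitive
    return [c for c in list_changes(reg_text)
            if c[1].lower() != p and not c[1].lower().startswith(p + "\\")]

def matches_pin(data, pinned_sha256):
    """True only if the bytes are exactly the file that was reviewed earlier."""
    return hashlib.sha256(data).hexdigest() == pinned_sha256.lower()
```

A hash recorded at review time only proves the file is unchanged since then; a link that is silently repointed later fails `matches_pin`, which is exactly the case a layman following the album would never notice.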
- My final issue with this guide is that every time the anonymous and unreliable proxy you’ve chosen dies, you have to repeat steps 4-6 in order to get it working again.
This violates both our elegant and reliable rules, for obvious reasons.
It seems that every time my anti-DDoS guide is posted, this imgur album of “an easier solution” pops up. My motivation for writing this article was to steer people clear of using inferior methods of DDoS protection.