Full Version: Skype UPNP
funkydude
I've not tested it with 4.1 yet, but in 4.x my router shows that ports opened by Skype via UPNP are never closed when Skype is closed.

Ports opened by other applications via UPNP close fine on exit, such as torrent applications, if you could please look into it.
Raul Liive
Skype deletes old uPnP mappings on new start of the Skype client, if your router supports it.
funkydude
Can you explain to me how that makes any logical sense whatsoever? You're saying that Skype removes the mapped ports when it starts... at which point it will re-open them again..?

They SHOULD be closed on Skype close, closing them manually is not appreciated, considering nearly every other app manages to do this fine, I don't see why Skype can't.
Neil
opening ports via UPnP is great for Skype because it makes NAT traversal easy, but the UPnP function itself is NOT secure (there are known exploits in the wild too) and MANY security experts recommend turning this function OFF in the router
funkydude
I don't know what experts you consult, but that debate isn't for this thread. Yes it has security concerns, but you make it sound like the spawn of the devil. A NAT&SPI router with UPnP is perfectly secure.

I can't think of a worse security threat than a program not closing its ports after it's finished with them, a.k.a. Skype.
Neil
QUOTE (funkydude @ Fri Jun 12 2009, 09:50)
I don't know what experts you consult, but that debate isn't for this thread. Yes it has security concerns, but you make it sound like the spawn of the devil. A NAT&SPI router with UPnP is perfectly secure.


the fact of the matter is that as currently implemented there is NO authentication associated with the app that uses UPnP so that makes it a BIG security threat -- and if you think that this is not necessary for apps that are already running on your system, think again (no need to help a trojan get set up to receive instructions after calling home)

if you disable UPnP in the router like you should, then this thread becomes irrelevant, so I think it is perfectly valid to bring it up

QUOTE
I can't think of a worse security threat than a program not closing its ports after it's finished with them, a.k.a. Skype.


although I agree on general principle, for there to be a security threat two things have to exist:

1) an app has to be listening to the open port (wouldn't be the case if Skype is closed at the time)

2) the app that is listening to the open port must have a known vulnerability that can be leveraged (assuming you can even tell from the outside what app this might even be)
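Added example, not part of the original thread and not Skype's code: an audit of a router's UPnP mapping table against the sockets actually bound on the internal host, which is how the leftover mappings and condition 1) above can be checked. The response bodies, addresses, ports, descriptions and the `LISTENERS` set are constructed; the field names are those of the IGD `GetGenericPortMappingEntry` action.

```python
import xml.etree.ElementTree as ET

FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewPortMappingDescription", "NewLeaseDuration")

def parse_mapping(soap_xml):
    """Pull the mapping fields out of one GetGenericPortMappingEntryResponse."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        if name in FIELDS:
            fields[name] = (el.text or "").strip()
    return fields

def audit(mappings, listeners):
    """Label each mapping; listeners is a set of (ip, proto, port) bound right now."""
    report = []
    for m in mappings:
        proto = m["NewProtocol"].upper()
        bound = (m["NewInternalClient"], proto, int(m["NewInternalPort"])) in listeners
        if bound:
            status = "in-use"
        elif int(m["NewLeaseDuration"]) == 0:     # IGD v1: 0 = no expiry, stays until deleted
            status = "stale-permanent"
        else:
            status = "stale-leased"               # router drops it when the lease ends
        report.append((int(m["NewExternalPort"]), proto, status))
    return report

def _sample(port, proto, client, desc, lease):
    # Constructed response body (made-up values), shaped like an IGD router's reply.
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse
    xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_MAPPINGS = [parse_mapping(x) for x in (
    _sample(41234, "UDP", "192.168.1.20", "example-voip", 0),
    _sample(51413, "TCP", "192.168.1.20", "example-torrent", 3600),
    _sample(41235, "TCP", "192.168.1.20", "example-voip", 600),
)]
# Constructed: sockets still bound on 192.168.1.20 after the VoIP app has exited.
LISTENERS = {("192.168.1.20", "TCP", 51413)}

if __name__ == "__main__":
    for port, proto, status in audit(SAMPLE_MAPPINGS, LISTENERS):
        print(f"{port}/{proto}: {status}")
```

A `stale-permanent` entry is the case the thread is about: the forward outlives the program that asked for it, and whatever later binds that port on the same host inherits the exposure.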
funkydude
Well my point is it's obviously a problem that shouldn't be dismissed.
funkydude
Bump.
Raul Liive
This issue has not been dismissed.

I have raised it as a feedback point for consideration.
hrdubwd
When I found the "enable uPnP" option in 4.1, I was somewhat surprised to find no help whatsoever anywhere - no explanation, nothing.

I was under the impression that uPnP was a problem anyway - but has anything changed since this: http://www.grc.com/UnPnP/UnPnP.htm ? I have always disabled it since then (2001).

The question, what is it there for in terms that anyone can understand? If it is a risk (and its behaviour now seems to be even odder), why is this not explained?
Neil
if you disable this feature in your router, it does not matter whether the option to use it is set in the Skype client or not

apparently Skype only considers two types of users:

a) those that know already, and who therefore don't need an explanation

b) those that don't need to know

hrdubwd
Thanks, Neil, noted.
Actually, disabled on the laptop, but your types assessment seems all too common, unfortunately.
Neil
the best place to disable UPnP is always in the router itself

...my previous post was not my assessment, by the way . . . I was being sarcastic . . . of course there should be some sort of explanation
hrdubwd
Router: not using one at the moment. But when I was, I saw no such setting.
Sarky: I realized that, of course! ;-) But I have still encountered this kind of opacity many times.
Explanation: And I am hoping still that we get one.

Put it this way, there are those who are suspicious of Skype as it is. This will not help my comfort.



Neil
Skype and security experts like Steve Gibson apparently disagree on whether the risk associated with the current implementation of UPnP (no authentication of process using the feature) outweighs the benefit (easy NAT traversal)

I side with Steve on this, especially as there are already some known exploits associated with UPnP

Skype just wants it to work, and UPnP is often/usually ON in the router by default

iirc, Skype's use of UPnP is also ON by default