10-26-2009, 12:35 PM   #5
sleek

martin, I only gave an example of how eavesdropping may take place. Truth be told, it depends on which corner of the world you live in, as well as your network infrastructure and circumstances.

Fact is, there are a lot of people sharing an internet connection (between neighbors, for example), there are ISPs still using switched networks, many offices/buildings are using switched networks, colleges, dorms, etc.: situations where your infrastructure is subject to either MITM or ARP attacks, subsequently hijacking sensitive information. As far as wireless networks go, I'm sure you're aware of the large number of unsecured wifi spots at both residential and business establishments. Not to mention people who still think WEP is a 'secure' option for their networks. I won't omit an ISP either; I don't trust them, and why should I?

Just because you believe an eavesdrop is 'unlikely' doesn't mean it's out of the question. If that were the case, banks and security organizations wouldn't go through the trouble of creating expensive encryption software/hardware to protect sensitive information. Are you willing to do your online banking without SSL, a certificate or any other encryption, trusting that your ISP or any other corresponding network won't tap in on your bank accounts? I know I wouldn't!

As for the SIP hashes, to my understanding they are MD5-like and, more importantly, they are subject to dictionary and brute-force attacks. I found a number of tools for that.

Bottom line is, I suppose I can live with a strong, non-dictionary-based password traveling through the net, but a completely unsecured RTP media stream is one thing I cannot abide or allow. Perhaps daily, casual conversations aren't a big deal, but business VoIP is. I can't imagine talking to my bank or my accountant or confidants knowing someone might be listening.

Unless people are willing to leave their privacy to chance, security amendments must be implemented. (IMHO)

Last edited by sleek; 10-26-2009 at 01:56 PM.