10-27-2009, 01:50 AM   #6
remm
Security Issues

As far as I know SIP Digest authentication only protects the sip provider and the account at the sip provider -- it does not really protect the user.

* I have no way to know if the server I'm talking to is really the one I think it is. This is what TLS is for and for the key exchange to set up SRTP.

* As stated above -- just TLS does not guarantee security -- but it does allow one to use SDES (if your server allows it) to set up SRTP voip to voip.

I'm not saying TLS is the solution for voxalot -- I'm not certain. Really voip-to-voip security may be better served by zrtp, and in terms of voxalot to get pstn termination security that must be implemented on the termination side -- which I've not been able to find. TLS would however help people wanting to do sip to sip connections between voip phones. OpenVPN seems interesting also but it means a lot of bandwidth on the voxalot end.

The other thing I would say -- people make a lot of comments about voip being more secure than your pstn phone -- and if you're using DSL and only looking at a connection between your home and your ISP -- I can believe that. However, this is not the real security concern:

* What happens at the 30-40 other nodes and routers your call will go through before it is terminated either into PSTN or into another voip device -- and the dozen companies, and the 100 people that have access to it along the way? Then of course there is the 1000 crackers that will try to break into those 40 nodes or otherwise route traffic.

* What happens when you're traveling and in a hostile environment like a hotel or hotspot network? Is the traffic secure and the DNS reliable there?

I don't mean to be alarmist -- but I do think these are all issues -- and that they are all good reasons not to trust some voip setups for business and financial uses. This makes me sad -- but I think it's the situation.

The other sad thing is that there is at least one major internet phone company that already uses encryption. It's sad because I don't care to support, recommend or use the closed Sk* protocol and software. I just wish SIP people would take some action regarding security.

Rob
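The post's point that SDES depends on TLS follows from where SDES carries the SRTP key: in an `a=crypto` line of the SDP body (RFC 4568), readable by anyone who sees the signaling. The check below is an added example, not part of the original post; the function names, addresses and the sample INVITE are constructed for illustration.

```python
import base64
import re

# Constructed dummy 30-byte key||salt; not real key material.
DUMMY_KEY = base64.b64encode(b"constructed-dummy-key-and-salt").decode()

def make_invite(transport, with_sdes=True):
    """Build a constructed INVITE (sample data, not captured traffic)."""
    sdp = ("v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
           "c=IN IP4 192.0.2.10\r\nt=0 0\r\n")
    if with_sdes:
        sdp += ("m=audio 49170 RTP/SAVP 0\r\n"
                f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{DUMMY_KEY}\r\n")
    else:
        sdp += "m=audio 49170 RTP/AVP 0\r\n"
    return ("INVITE sip:bob@example.org SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bKconstructed\r\n"
            "From: <sip:alice@example.org>;tag=1\r\n"
            "To: <sip:bob@example.org>\r\n"
            "Call-ID: constructed-1@192.0.2.10\r\n"
            "CSeq: 1 INVITE\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n" + sdp)

def exposed_sdes_keys(message):
    """Return (media, crypto_suite, transport) for each SDES key sent on a non-TLS hop."""
    head, _, body = message.partition("\r\n\r\n")
    # The topmost Via names the transport of the hop this message was seen on.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings, media = [], None
    for line in body.splitlines():
        if line.startswith("m="):
            media = line[2:].split()[0]  # e.g. "audio"
        crypto = re.match(r"a=crypto:\d+ (\S+) inline:", line)
        if crypto and transport != "TLS":
            findings.append((media, crypto.group(1), transport))
    return findings

if __name__ == "__main__":
    for t in ("UDP", "TLS"):
        print(t, exposed_sdes_keys(make_invite(t)))
```

An empty result only covers the hop where the message was observed: TLS in SIP is hop-by-hop, so every proxy on the path still sees the key.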