[asterisk-biz] PBX got Hacked

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Thu Mar 12 16:54:08 CDT 2009


On Thu, 2009-03-12 at 16:24 -0400, Kristian Kielhofner wrote:
>   You'd be surprised how many devices support them.  Pretty much
> everything I've seen that supports SIP TLS (which is itself a
> surprising number of devices) supports various options for cert
> verification.  Of course this doesn't mean anything if the rest of
> your devices (including Asterisk) don't support it.
> 
>   Interop, like everything else SIP related, is the challenging part.
> Crypto is especially frustrating because it's hard(er) to debug SIP
> messages when they are encrypted on the wire. :)
> 

There are FOSS alternatives that work with most of the TLS/SRTP
implementations that are in phones, so obviously it can be done, but the
first step is to get SIP RFC compliant and add in TCP support (it's
mandatory per the RFC), as that is a requirement for the way it's usually
done.  There are even FOSS SIP stacks like sofia-sip (LGPL,
http://opensource.nokia.com/projects/sofia-sip/index.html) that support
TCP; it is a fairly well-tested, RFC-compliant (RFC 3261) SIP stack, and
one could make a chan_sip from it.  However, the way that chan_sip
integrates into the Asterisk core makes it difficult to have something
really compliant, since a UA is only allowed to bind to one IP/port pair
and you would in essence have to have multiple chan_sips running, one for
each IP/port pair that you want to bind to.  It would seem to me to be
easier to use that than to in essence compete with Nokia on a SIP stack
for the FOSS community, especially since that one exceeds the
capabilities of the current one.

All that would have to be done is write the glue code in chan_sip to use
it, and instantly the SIP capabilities of Asterisk are improved; to a
point, some of the SIP maintenance work can be offloaded onto Nokia, who
have paid people maintaining their stack (although they are always open
to accepting patches and bug reports, or historically have been).  For
SRTP you would have to add to the RTP stack, since sofia is a SIP stack,
not an RTP stack, but at least you could get the framework in place that
makes that a more reasonable task by having the TLS parts, which in my
opinion should not be considered separate.

For a working example, freeswitch.org does SRTP/TLS using sofia-sip,
works with many phones on the market and happens to be FOSS (MPL).


> >  If you used certificate based auth, you couldn't even start the TLS
> >  negotiation.  Brute-forcing certs is, AFAIK, really, really difficult,
> >  like billions of years.
> 
>   Unless you are the NSA... ;)
> 

Or you break into the server through other means and steal the cert :)
This would just be a cog in the greater scheme of things and not the end
of it.


-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721
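The two security points raised in this exchange, Kristian's note that phones that do SIP TLS usually also verify certificates, and the quoted remark that with certificate-based auth an unauthenticated peer cannot even get through the TLS negotiation, can be seen end to end in a few dozen lines. The script below is an added example written for this page; it is not code from the original post, nor from Asterisk, sofia-sip or FreeSWITCH. It assumes a POSIX host with Python 3 and the openssl command-line tool, mints a throwaway CA plus certificates for a PBX (named localhost) and one phone (CN phone-1001), then runs two UAs against a loopback TLS listener that requires a client certificate: the phone with its certificate gets a 200 OK to a SIP OPTIONS ping, the UA with no certificate is refused inside the handshake and never gets to send SIP. The CA, the subject names and the SIP headers are all constructed for the demo.

```python
"""Mutual-TLS SIP OPTIONS ping over loopback (added example, not Asterisk code).
A UA whose client cert chains to the PBX's CA gets a 200 OK; a UA with no cert
is rejected inside the TLS handshake, before any SIP is parsed.  Certs are minted
at run time with the openssl CLI; CA, subjects and SIP headers are constructed."""
import os, socket, ssl
import subprocess, tempfile, threading

# Minimal openssl req config so the demo does not depend on the system openssl.cnf
REQ_CNF = ("[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n"
           "[ca]\nbasicConstraints = critical,CA:true\nkeyUsage = keyCertSign\n")

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_pki(workdir):
    """Throwaway CA plus CA-signed certs for the PBX and one phone (constructed)."""
    p = lambda n: os.path.join(workdir, n)
    with open(p("req.cnf"), "w") as f:
        f.write(REQ_CNF)
    _openssl("req", "-x509", "-config", p("req.cnf"), "-extensions", "ca",
             "-newkey", "rsa:2048", "-nodes", "-days", "1", "-keyout", p("ca.key"),
             "-out", p("ca.crt"), "-subj", "/CN=Demo PBX CA")
    certs = {"ca": p("ca.crt")}
    for name, cn in (("pbx", "localhost"), ("phone", "phone-1001")):
        with open(p(name + ".ext"), "w") as f:  # SAN so the hostname check passes
            f.write("subjectAltName=DNS:%s\n" % cn)
        _openssl("req", "-new", "-config", p("req.cnf"), "-newkey", "rsa:2048",
                 "-nodes", "-keyout", p(name + ".key"), "-out", p(name + ".csr"),
                 "-subj", "/CN=" + cn)
        _openssl("x509", "-req", "-days", "1", "-in", p(name + ".csr"),
                 "-CA", p("ca.crt"), "-CAkey", p("ca.key"), "-CAcreateserial",
                 "-extfile", p(name + ".ext"), "-out", p(name + ".crt"))
        certs[name] = (p(name + ".crt"), p(name + ".key"))
    return certs

def recv_sip(conn):                             # one body-less SIP message
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")

def sip_response(request):                      # 200 OK echoing the txn headers
    echoed = [h for h in request.split("\r\n")[1:]
              if h.split(":")[0] in ("Via", "From", "To", "Call-ID", "CSeq")]
    return ("SIP/2.0 200 OK\r\n" + "".join(h + "\r\n" for h in echoed)
            + "Allow: INVITE, ACK, BYE, CANCEL, OPTIONS\r\nContent-Length: 0\r\n\r\n"
            ).encode()

def pbx_server(certs, lsock, n_conns, log):     # PBX side: demand a CA-signed cert
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(*certs["pbx"])
    ctx.load_verify_locations(certs["ca"])
    ctx.verify_mode = ssl.CERT_REQUIRED         # certificate-based auth of the UA
    for _ in range(n_conns):
        raw, _ = lsock.accept()
        try:
            with ctx.wrap_socket(raw, server_side=True) as conn:
                subject = dict(rdn[0] for rdn in conn.getpeercert()["subject"])
                conn.sendall(sip_response(recv_sip(conn)))
                log.append(("accepted", subject["commonName"]))
        except (ssl.SSLError, OSError) as exc:  # handshake failed: no SIP was read
            log.append(("rejected", type(exc).__name__))

def sip_options_over_tls(port, certs, client_cert=None):
    """One OPTIONS ping; returns the status line, or None if the PBX refused us."""
    ctx = ssl.create_default_context(cafile=certs["ca"])  # verify PBX cert + name
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    request = ("OPTIONS sip:localhost SIP/2.0\r\n"
               "Via: SIP/2.0/TLS 127.0.0.1:5061;branch=z9hG4bKdemo1\r\n"
               "From: <sip:1001@localhost>;tag=demo\r\nTo: <sip:localhost>\r\n"
               "Call-ID: demo-call-id@localhost\r\nCSeq: 1 OPTIONS\r\n"
               "Max-Forwards: 70\r\nContent-Length: 0\r\n\r\n")
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as conn:
            conn.sendall(request.encode())
            return recv_sip(conn).split("\r\n")[0] or None
    except (ssl.SSLError, OSError):
        return None

def run_demo():
    with tempfile.TemporaryDirectory() as workdir, socket.socket() as lsock:
        certs = make_pki(workdir)
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(5)
        port, log = lsock.getsockname()[1], []
        t = threading.Thread(target=pbx_server, args=(certs, lsock, 2, log), daemon=True)
        t.start()
        result = {"with_cert": sip_options_over_tls(port, certs, certs["phone"]),
                  "without_cert": sip_options_over_tls(port, certs)}
        t.join(timeout=15)                      # let the PBX finish logging
        return dict(result, pbx_log=log)

if __name__ == "__main__":
    print(run_demo())
```

Running it prints the phone's "SIP/2.0 200 OK", None for the certificate-less UA, and a PBX log with one "accepted" entry naming phone-1001 and one "rejected" entry; the second UA was turned away by the TLS layer and chan_sip-style SIP parsing never ran. Trixter's caveat applies unchanged: the PBX only checks that the presented certificate chains to its CA, so a phone key and certificate stolen off a compromised host would be accepted exactly like the legitimate phone's, which is why the certificate is one cog and key protection on the endpoints is the next.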
