[asterisk-biz] Toll Free Toll Free tollfreetollfree.com SIP gateway now supports ZRTP in addition to SIP/TLS, SIP/TCP, SIP/UDP, G729

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Sat May 23 08:49:16 CDT 2009


On Sat, 2009-05-23 at 09:19 -0400, SIP wrote:
> It's also too bad that once your phone call heads to the PSTN, any form 
> of encryption becomes functionally worthless. It's INCREDIBLY easy to 
> tap into, trace, and catalogue a PSTN phone call.
> 

there is nothing that can be done about that, unless the answering end
supports crypto too.  I still think it's easier to monitor VoIP calls
since that can be done from almost anywhere on the intarweb (although do
it in the wrong spot and it becomes quite noticeable).  PSTN *generally*
requires physical access limiting the ones who can do this somewhat.

> Still... is very nice to see someone providing ZRTP services. Would like 
> to see more of that in the future.

yeah, and to be crypto agnostic like that, both SRTP/TLS and ZRTP is a
nice bonus.  Ensures that more people can use it, although the way that
ZRTP works, it becomes harder to validate the cipher since you can't
compare the codes each end provides.  If you use a mechanical voice or a
SIP IM it becomes trivial to spoof the challenge/response codes, it
relies on humans speaking and listening to share the codes to validate.

Because you can't validate the cipher I cannot say that you can trust
ZRTP in this implementation, but then it was not designed to be on a
server side, this is where TLS can be handy.  However SRTP/TLS is
designed to be server side but not as dynamic nor forget everything
about the session making key recovery impossible (the cert is still
there), something ZRTP is designed for.

ZRTP is more of an end to end human to human implementation, so for
things where the server has to be in the middle SRTP/TLS is certainly
superior.



-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721
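
The code comparison discussed in the message above, as an added example that is not part of the original post or of any ZRTP implementation: a simplified model of how a short authentication string (SAS) is derived from a Diffie-Hellman exchange, run once end to end and once through a relay that terminates ZRTP on each leg. The toy prime, the hash input layout and the function names are assumptions made for illustration; real ZRTP derives the SAS from its own key schedule over much larger groups.

```python
import hashlib
import secrets

# Toy parameters (assumption): a small Mersenne prime keeps the example short.
P = 2**127 - 1
G = 3
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # alphabet used for 4-character SAS codes


def keypair():
    """Return a fresh (private, public) Diffie-Hellman pair."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def sas(own_priv, peer_pub, initiator_pub, responder_pub):
    """Simplified SAS: hash the shared secret with both public values,
    then render the leftmost 20 bits as four z-base-32 characters."""
    shared = pow(peer_pub, own_priv, P)
    material = b"|".join(str(v).encode() for v in (shared, initiator_pub, responder_pub))
    bits = int.from_bytes(hashlib.sha256(material).digest()[:4], "big") >> 12
    return "".join(ZBASE32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def end_to_end():
    """Both humans run ZRTP directly with each other: the codes match."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return sas(a_priv, b_pub, a_pub, b_pub), sas(b_priv, a_pub, a_pub, b_pub)


def via_gateway():
    """A server in the media path terminates ZRTP separately on each leg.
    Returns (caller, gateway leg 1, gateway leg 2, callee) codes."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    g1_priv, g1_pub = keypair()  # gateway key facing the caller
    g2_priv, g2_pub = keypair()  # gateway key facing the callee
    caller = sas(a_priv, g1_pub, a_pub, g1_pub)
    gw_leg1 = sas(g1_priv, a_pub, a_pub, g1_pub)
    gw_leg2 = sas(g2_priv, b_pub, g2_pub, b_pub)
    callee = sas(b_priv, g2_pub, g2_pub, b_pub)
    return caller, gw_leg1, gw_leg2, callee


if __name__ == "__main__":
    print("end to end :", end_to_end())
    print("via gateway:", via_gateway())
```

Each leg is internally consistent, so the caller's code only proves a secure channel to the gateway; the two humans would read out different codes, and when the far leg is PSTN there is no second code to compare at all.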