[Asterisk-Dev] OMG THE SKY IS FALLING!! NOT!!!

Sam Bingner sam at bingner.com
Sat May 15 15:37:25 MST 2004


True it's very weak, BUT if you read this article it sounds like anybody
in the world can listen to any call they like...

>What sorts of vulnerabilities exist? Let's start with the basics. Because
>most VOIP traffic over the Internet is unencrypted, anyone with network
>access can listen in on conversations. That means Willy in the mailroom
>can overhear your CEO and HR director discuss the latest round of
>layoffs.

That, unless you have a REALLY AWFUL network, is completely incorrect. You
can only see that traffic when in a non-switched network, and when you
happen to be on the same subnet.  Most places now use switches, so unless
you are able to get into the switch config, you can't see what is going
on.   This means that in practice, only your network admins will really be
able to snoop on phone calls...

Sam

-----Original Message-----
From: asterisk-dev-admin at lists.digium.com
[mailto:asterisk-dev-admin at lists.digium.com] On Behalf Of Steve Underwood
Sent: Friday, May 14, 2004 4:49 AM
To: asterisk-dev at lists.digium.com
Subject: Re: [Asterisk-Dev] OMG THE SKY IS FALLING!! NOT!!!


Rob Gagnon wrote:

>:-)  Didn't know you were gonna share this bit of mis-information, but
>it would be nice for people using Asterisk to send the author some
>knowledge....
>
>I love this part "According to a prominent networking and security pal
>of mine-who wished to remain nameless..."
>
>That is the worst form of journalism....  It's called making stuff up,
>and having no source
>
>
Sadly, the article reads as more bogus than it really is. SIP really is
weak. RTP streams are almost universally unencrypted right now. Listening
in to a VoIP within your company is generally much easier than snooping
on a traditional call. I wonder how long it will take before encryption,
solid authentication, and other good stuff becomes widely deployed for
VoIP?

Regards,
Steve
