[Asterisk-Dev] OMG THE SKY IS FALLING!! NOT!!!

Derek Smithies derek at indranet.co.nz
Sun May 16 17:26:52 MST 2004


Hi,

> As always: Use your head :-)

Yep, and I think we have missed the point.

1) Access to the network is required to launch an attack, such as those
   described in this thread.
   Man-in-the-middle based attacks, for example, require that you are
   able to "listen in" to the call.

2) Relying upon the difficulty of accessing the network to snoop is not a
   valid defense mechanism.

3) IAX does have issues with security. I have already described an attack,
   where a person listening in to a call can close it down.

4) Strong cryptographic systems, such as IPsec, are designed to secure the
   entire connection. Before any user data passes over the network (things
   like username), keys are exchanged, and then a new key is decided on for
   securing the session. After a preset time, the key for securing the
   session is updated.
   IAX2 should follow this pattern, if it wants to be truly secure.


Derek.
===============================================


On Fri, 14 May 2004, Florian Overkamp wrote:

> Hi, 
> 
> > -----Original Message-----
> > Sadly, the article reads as more bogus than it really is. SIP 
> > really is weak. RTP streams are almost universally unencrypted 
> > right now. Listening in to a VoIP within your company is 
> > generally much easier than snooping on a traditional call. I 
> > wonder how long it will take before encryption, solid 
> > authentication, and other good stuff becomes widely deployed for VoIP?
> 
> Same goes for e-mail and many other instant messaging or chat networks. One
> should consider how the basic structure of the network is built and evaluate
> the risks. If the cost of a possible intercept exceeds the cost of the
> telephony savings - then this might be an argument to not use VoIP :-)
> 
> Then again: if you have a properly switched network, it will be less than
> trivial for non-authorised personnel to snoop on a conversation. Yes, your
> network admins could. But you need to have a proper screening and trust
> relation with them anyway.
> 
> As always: Use your head :-)
> 
> Florian
> 
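
Points 3 and 4 of the message above, as an added example that is not part of the original thread and is not Asterisk or IAX2 code: control frames are authenticated under per-direction session keys derived from an already-exchanged secret, the keys are ratcheted after a preset lifetime, and a close-down frame injected by a listener is dropped. The `Session` class, the `HANGUP` frame bytes, the secret and the nonces are constructed for illustration; the key exchange itself is assumed to have happened, both ends are given the same clock value, and frames are authenticated only, not encrypted.

```python
import hashlib, hmac, struct

def hkdf(secret, salt, info, length=32):
    """HKDF-SHA256 (RFC 5869): extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

class Session:
    """One end of a call; every control frame carries a MAC under a rotating key."""
    def __init__(self, role, shared_secret, nonces, lifetime=60.0):
        # shared_secret: assumed output of a key exchange done before any user data
        a2b = hkdf(shared_secret, nonces, b"a->b")
        b2a = hkdf(shared_secret, nonces, b"b->a")
        self.tx, self.rx = (a2b, b2a) if role == "a" else (b2a, a2b)
        self.lifetime, self.epoch, self.sent, self.seen = lifetime, 0, 0, 0

    def _rekey_if_due(self, now):
        # After each preset lifetime, ratchet one way: a later key reveals no earlier one.
        while now >= (self.epoch + 1) * self.lifetime:
            self.epoch += 1
            self.tx = hkdf(self.tx, b"\x00" * 32, b"rekey")
            self.rx = hkdf(self.rx, b"\x00" * 32, b"rekey")

    def seal(self, frame, now):
        self._rekey_if_due(now)
        self.sent += 1
        body = struct.pack(">Q", self.sent) + frame
        return hmac.new(self.tx, body, hashlib.sha256).digest() + body

    def open(self, packet, now):
        self._rekey_if_due(now)
        tag, body = packet[:32], packet[32:]
        good = hmac.new(self.rx, body, hashlib.sha256).digest()
        if len(body) < 8 or not hmac.compare_digest(tag, good):
            return None  # forged, corrupted, or sealed under an expired key
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.seen:
            return None  # replay of a frame already accepted
        self.seen = seq
        return body[8:]

def demo():
    # Constructed inputs: an injected HANGUP without the key vs. a genuine one.
    a, b = (Session(r, b"constructed secret", b"nonceA|nonceB") for r in "ab")
    forged = b"\x00" * 32 + struct.pack(">Q", 1) + b"HANGUP"
    return b.open(forged, 5.0), b.open(a.seal(b"HANGUP", 5.0), 5.0)
```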


