[Asterisk-Users] VOIP Spam

Duane digium at aus-biz.com
Sat Apr 17 18:13:27 MST 2004 

Tracy R Reed wrote:
> Same way I know someones key is theirs by the pgp fingerprint. It's well
> publicized and they use it quite a bit. 

But have you ever met face to face with an employee from a CA and 
verified they were an employee or just grabbed the info from their 
website and assumed there was no man in the middle attack sending you an 
alternate key/fingerprint (yes I know this is highly unlikely however 
high profile targets would be possible at some point, how lucky do you 
feel? :)

> Not sure what you mean by matching an email address against a hostname but
> a lot of the crypto accelerator cards implement fundamentals that could be
> used in either system and more specific hardware devices would certainly
> come along if more people used it. But with the speed and SIMD capability
> modern cpu's I'm not too concerned either way.

If we make up some number, I have seen figures for websites can't seem 
to find them at present, anyways say a TLS/SSL operation uses 8x more 
CPU power then a non-TLS connection, this means if you are running a 
voip to pstn service or in an office environment with a large amount of 
handsets/calls you need 8x more servers or 8x less clients so there is 
definitely a cost involved there even if CPUs etc are cheaper...

As for hostname matching, you run an enum check on a phone number, it 
returns a URL... say iaxtel.com... you connect to it and it then says 
I'm able to provide encryption here is my public certificate, you grab 
the certificate and it has fred at smith.com, which doesn't match 
iaxtel.com, or even if it was fred.smith at iaxtel.com how do you know that 
email account should be able to say I validate this server is the one 
you should be talking to and that DNS hasn't been hijacked? PGP can't 
easily deal with this, and if you start connecting to foreign asterisk 
servers via enum services how can you validate them without prior 
relationships? While PKI may be flawed it is better then the current 
alternatives at present...

Umm just a side note, we have a working enum.164 website/dns ( 
http://e164.org ) service that now does pstn verification (due 
diligence) by calling you and reading out a pin number, currently a 
little rough and we need a few IVR records (which will within the next 
few days), and need to update the documentation on the website, however 
it does seem to work reasonably well...

> If the MUA authors forced the issue everyone would use crypto. Look at
> what Outlook did for html mail. Encrypted spam would be difficult for the
> spammers to do. It would consume huge resources, make spam a lot more
> expensive, and if they signed the spam with a trusted key such that my MUA
> trusted them you can be sure the signer would revoke his signature lest he
> get the signatures on his own key revoked by someone.

Most HTML emails have a non-html component as well, and the amount of 
people that dislike html emails I don't see this as a good comparison ;)

You can't enforce crypto from a MTA/MUA point of view, there is a whole 
bunch of complications if you force certificates on people like you'd 
have to get them a public/private key pair and then well it wouldn't be 
so private...

> Some very interesting points. Especially about encrypted spam confounding
> the government. Although I doubt they would encrypt spam it does add chaff
> to the wheat to help hide us all. Just like the everyone sending their
> letters in envelopes instead of on postcards analogy.

The reason they would is to beat the virus/spam filters currently in 
operation at a MTA level, they would be rendered useless, at present all 
you need is a valid email address to get a certificate issued from a CA 
with their root certificate in most/all current email clients...

> On a per capita basis it's not nearly as often as computers get broken
> into. :) Whenever anyone bothers to try to physically secure their stuff
> they usually do a pretty good job. Not so with computers.

maybe cars being stolen was a better suggestion, break a window and 
you're in unless they have an alarm (computers can also have "alarms" in 
this sense)

-- 
Best regards,
  Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

More information about the asterisk-users mailing list