[asterisk-users] Is there a public blacklist of hackers' IP addresses?

SIP sip at arcdiv.com
Thu Mar 26 16:19:45 CDT 2009


Dave Platt wrote:
>> SIP was written in such a way that the hashes it sends for passwords
>> could, with only a trivial rewrite of the server code, be SHA1 instead
>> of MD5 -- which would increase security to the level that, currently, it
>> would be far more trouble than it's worth to even bother to attempt to
>> crack.
>>     
>
> I strongly doubt that the known weaknesses in the MD5 hash are
> the "weak point" in SIP account security.
>
> Weak passwords are almost certainly much more of a problem.  Performing
> a dictionary attack is going to be a lot faster than attempting
> a brute-force mathematical attack against MD5... and switching from
> MD5 to SHA-1 provides no significant defense against dictionary
> attacks.
>
> The only good way to keep passwords secure against dictionary attacks,
> is to make sure that the passwords aren't guessable by that means...
> no common words, no names, no simple permutations or birthdates or
> anything like that.  Use a decent random-number generator and
> number-to-character conversion algorithm to generate SIP passwords
> that are sufficiently long and very DTR8FBWF_==F?Z@\.-+!N$ and you'll
> be well defended.
>
>
>   

I'm referring to the weak link in the SIP protocol, not in Asterisk's 
SIP accounts.  The question was whether or not SIP itself was secure.

-- 
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com
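
The random-generation advice in the quoted reply, paired with a check for the guessable secrets it warns about, as an added Python example that is not part of the original thread. The alphabet, the 16-character minimum, the small word list and the sample `sip.conf` entries are assumptions constructed for illustration.

```python
import math
import secrets
import string

# Assumed alphabet; ';' is left out because it starts a comment in sip.conf.
ALPHABET = string.ascii_letters + string.digits + "_-+.!@$?="
COMMON = {"password", "asterisk", "secret", "welcome"}  # constructed sample list

def generate_sip_secret(length=22):
    """Pick every character with the OS CSPRNG (secrets.choice is unbiased)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    return length * math.log2(alphabet_size)  # holds for uniformly random secrets

def weaknesses(peer, secret, min_length=16):
    """Reasons a secret would fall to a dictionary or pattern-based guess."""
    low, reasons = secret.lower(), []
    if len(secret) < min_length:
        reasons.append("too short")
    if peer.lower() in low:
        reasons.append("contains peer name")
    if any(word in low for word in COMMON):
        reasons.append("contains common word")
    return reasons

def audit_sip_conf(text):
    """Map each [peer] section to the weaknesses of its secret= value."""
    findings, peer = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if line.startswith("[") and "]" in line:
            peer = line[1:line.index("]")]
        elif peer and line.partition("=")[0].strip().lower() == "secret":
            findings[peer] = weaknesses(peer, line.partition("=")[2].strip())
    return findings

# Constructed sip.conf fragment, not taken from the thread.
SAMPLE = """
[1001]
secret=1001          ; same as the extension
[alice]
secret=Welcome2Asterisk!
[trunk-a]
secret=q7Vd_Xp2+Lm9=Rt4.Kc8!Zh
"""

if __name__ == "__main__":
    print(audit_sip_conf(SAMPLE))
    print(generate_sip_secret(), round(entropy_bits(22)), "bits")
```

The `alice` entry passes the length check and is still flagged, which is the point of the quoted reply: length alone does not help when the secret is built from dictionary words.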




