[asterisk-users] Is there a public blacklist of hackers' IP addresses?

SIP sip at arcdiv.com
Thu Mar 26 12:38:14 CDT 2009


randulo wrote:
> On Thu, Mar 26, 2009 at 4:19 PM, SIP <sip at arcdiv.com> wrote:
>   
>> The first approach is the current approach:   build software with little
>> thought to how it will be secured, opting for all the work of securing
>>     
>
> What about SIP itself? Does it provide enough crypto to be solid? Or
> is that handled only by the layer above it?
>
> /r
>

SIP CAN be reasonably secure, but it suffers from some inherent issues
in the protocol for which things like TLS and the like were developed. 

It's still comparatively new, and it's a draft that I think needs some
work.  But it also suffers from an increasing amount of competition from
upstarts that are trying to muddy the field somewhat (IAX, Jingle, etc.)
and position themselves as the 'new' and 'better' way to address
communication. This detracts from a unified methodology -- even if only
somewhat.

SIP is, for all intents and purposes, as secure as vanilla SMTP email.
In fact, SIP was designed to closely resemble a combination of SMTP and
HTTP to make it easy to implement and process. However, like both SMTP
and HTTP, I think what SIP needs is a solid roll out of a secure layer
over and above the MD5 hashes commonly used to pass passwords -- but
that isn't really necessary to secure the protocol from
password-sniffing ne'er-do-wells who are out to steal your accounts.

SIP was written in such a way that the hashes it sends for passwords
could, with only a trivial rewrite of the server code, be SHA1 instead
of MD5 -- which would increase security to the level that, currently, it
would be far more trouble than it's worth to even bother to attempt to
crack.

For keeping people out of your paid accounts, this would make SIP quite
secure.  The only issue most people have with SIP at the moment is that,
if you're sniffing the network, you can read the SIP messages
themselves, even if you can't crack the passwords, so even with SRTP or
some other form of RTP encryption to protect the voice, your basic
privacy is still at risk.

But to protect money? I think SIP is perfectly fine even without TLS. It
just needs a change in commonly-used password hashing to alleviate the
concerns people have with the breakability of MD5.



-- 
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com
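The "MD5 hashes commonly used to pass passwords" in the post are SIP's digest authentication: RFC 3261 adopts the HTTP digest scheme of RFC 2617, so the client never sends the password itself but a hash over username, realm, password, the server's nonce and the request. The Python below is an added example, not code from the original post or from Asterisk. It computes the client response and verifies it on the server side with the hash function as a parameter (`md5` as RFC 3261 mandates, `sha256` as RFC 8760 later added for SIP), and it includes the nonce and nonce-count replay check a server needs whatever hash it uses. The usernames, realm, URI, nonces and `DigestVerifier` class are constructed for the example; the one fixed vector checked against it is the published RFC 2617 example. A captured challenge/response pair can still be used to test password guesses offline under either hash, so the server keeps only HA1 and the account password strength matters as much as the algorithm.

```python
import hashlib
import hmac
import secrets

# Digest computation per RFC 2617 (adopted by RFC 3261 for SIP), qop=auth.
# The hash algorithm is a parameter: "md5" is what RFC 3261 mandates,
# "sha256" is the SIP option added later by RFC 8760.


def _h(algo: str, data: str) -> str:
    """Hex digest of a string under the chosen hashlib algorithm."""
    return hashlib.new(algo, data.encode("utf-8")).hexdigest()


def digest_response(algo, username, realm, password, method, uri,
                    nonce, cnonce, nc, qop="auth"):
    """Client side: the 'response' value sent in Authorization/Proxy-Authorization."""
    ha1 = _h(algo, f"{username}:{realm}:{password}")
    ha2 = _h(algo, f"{method}:{uri}")
    return _h(algo, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side (constructed for this example): stores HA1 per user, never the
    clear password, and refuses unknown nonces and replayed nonce counts."""

    def __init__(self, algo, realm):
        self.algo = algo
        self.realm = realm
        self._ha1 = {}      # username -> HA1
        self._nonces = {}   # issued nonce -> highest nonce count accepted so far

    def add_user(self, username, password):
        self._ha1[username] = _h(self.algo, f"{username}:{self.realm}:{password}")

    def challenge(self):
        """Issue a fresh unpredictable nonce for a 401/407 challenge."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, cnonce, nc, response, qop="auth"):
        ha1 = self._ha1.get(username)
        if ha1 is None or nonce not in self._nonces:
            return False            # unknown user or a nonce we never issued
        try:
            count = int(nc, 16)
        except ValueError:
            return False
        if count <= self._nonces[nonce]:
            return False            # replay: this nonce count was already used
        ha2 = _h(self.algo, f"{method}:{uri}")
        expected = _h(self.algo, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False            # wrong password or tampered request
        self._nonces[nonce] = count
        return True


if __name__ == "__main__":
    # Constructed REGISTER round trip, first with MD5, then with SHA-256.
    for algo in ("md5", "sha256"):
        server = DigestVerifier(algo, "example.invalid")
        server.add_user("alice", "correct horse battery staple")
        nonce = server.challenge()
        resp = digest_response(algo, "alice", "example.invalid",
                               "correct horse battery staple", "REGISTER",
                               "sip:example.invalid", nonce, "c0ffee", "00000001")
        print(algo, "accepted:", server.verify("alice", "REGISTER", "sip:example.invalid",
                                               nonce, "c0ffee", "00000001", resp))
        print(algo, "replay accepted:", server.verify("alice", "REGISTER", "sip:example.invalid",
                                                      nonce, "c0ffee", "00000001", resp))
```

Swapping `md5` for `sha256` changes only the `algo` argument, which is the "trivial rewrite" the post refers to; the nonce bookkeeping in `verify` is the part that stops a captured response from being replayed, and it is independent of the hash.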
