U.S. Government Issues Report on VoIP Security Holes
ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."
This has been discussed at great lengths on the Vonage VoIP Forum here: http://www.vonage-forum.com/ftopic5604.html and also here: http://www.vonage-forum.com/ftopic3422.html
Skype says its calls are encrypted.
The calls... are highly secure with end-to-end encryption.
Whether their scheme is snake oil or for real, I don't know, as I can't find any documentation on it, much less source code.
Calls between Skype software users (PC-to-PC calls) are secure and encrypted. Calls to standard telephone or mobile numbers are encrypted until they reach the public switched telephone network. Note that in a conference call where one participant is a PSTN (regular telephone or mobile phone) number, the padlock icon will not appear, indicating that the call is not encrypted.
If they're so worried about this kind of security stuff, why don't they put embedded OpenBSD systems in each of the phones? They'd be virtually uncrackable seeing how pedantic and strict OpenBSD is about ANY code that goes into their -stable branch.
You can drastically speed up PDF load times if you disable all the unneeded plugins:
1. Install Adobe Reader 6.0 and notice where it is installed.
2. Navigate to that folder in Explorer, locate the plug_ins subfolder and rename this folder to plug_ins_disabled.
3. Create a new plug_ins folder.
4. Move the files EWH32.api, printme.api and search.api from plug_ins_disabled to plug_ins.
From http://www.mozilla.org/support/firefox/faq#acroba
I would highly recommend Firefox plugin/extension TargetAlert. This extension places a small icon next to links to indicate the type of link it is, including a small PDF icon for PDF files, a Word icon for Word files etc.
I knew it was a PDF link :-)
There are standards for running encryption on top of SIP (see SRTP), but almost nobody implements them. Much more common is to avoid running SIP on the open Internet -- my company uses SIP for VoIP, but we only run it within a closed LAN or tunneled through OpenVPN.
Yes, it has encryption -- but it's a closed, proprietary solution that's virtually impossible to integrate with anything else.
Convincing all the SIP implementations to support SRTP is the Right Thing as a long-term solution -- heck, just implementing SRTP support for Asterisk would be a big improvement. As an immediate-term solution (particularly for companies using VoIP to connect with remote users or branch offices), running over a VPN works well too (particularly with IAX trunking if you're connecting branch offices, so as to reduce the number of packets sent and thus the damage done by per-packet VPN overhead).
CALEA says:
"ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
Which, at first glance, means to me that VoIP can be encrypted, though if the carrier handles too much of the private key generation, which would be necessary for any non-technical user, the carrier must keep the key for law enforcement use. (I'm thinking that a standalone VoIP phone would need a factory-generated key on EEPROM, though software VoIP could use your average PC to generate a key itself.) But then again, I'm not even sure if this applies to VoIP, since this isn't exactly a service I'm currently familiar with. I'll note, though, that this is the only place "encryption" came up in a search of the law itself, so there's not much more to look at than the above quote. However, what the FBI and FCC have done in regulations may be a totally different matter. Can anyone clear this up more, or is it just a regulatory mess?
Any system which hides key management completely is snake oil, to a certain extent. Encryption without authentication is useless, and the best authentication you can get with completely hidden key management is that an attacker has to be in the middle from the start and all the time to be undetectable. Better than nothing, but not really secure either. The achievable level is about the same as an SSH account where you never check if the server fingerprint is OK.
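The comment above makes two points that are easy to demonstrate concretely: with hidden key management the best you get is "trust on first use" (an attacker present from the very first contact is never noticed, but one who appears later changes the fingerprint and is caught), and checking the fingerprint against a value obtained out of band closes even that gap. The following Python is an added example written for this page, not code from any VoIP product or from the commenter; the "keys" are constructed byte strings standing in for serialized public keys, and the peer names are made up.

```python
import hashlib
import hmac

# Constructed stand-ins for serialized public keys. A real client would
# fingerprint the peer's actual key material (e.g. the SSH host key).
ALICE_KEY = b"-----CONSTRUCTED PUBLIC KEY: alice v1-----"
MALLORY_KEY = b"-----CONSTRUCTED PUBLIC KEY: mallory-----"


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 digest of a serialized public key, as shown to a user."""
    return hashlib.sha256(public_key).hexdigest()


class KnownPeers:
    """Trust-on-first-use store, the same model as ~/.ssh/known_hosts.

    The first key seen for a peer is pinned; later contacts are compared
    against the pin. Nothing here can tell whether that first key was the
    peer's own or an interceptor's, which is exactly the weakness the
    comment describes.
    """

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, peer: str, presented_key: bytes) -> str:
        fp = fingerprint(presented_key)
        pinned = self._pins.get(peer)
        if pinned is None:
            self._pins[peer] = fp          # first use: pin and accept
            return "first-use"
        # constant-time comparison; a mismatch means the key changed
        if hmac.compare_digest(pinned, fp):
            return "match"
        return "MISMATCH"


def verify_out_of_band(presented_key: bytes, expected_fp: str) -> bool:
    """Compare against a fingerprint learned over a separate channel.

    This is the check the comment says nobody performs when key
    management is completely hidden; it catches an interceptor even on
    the very first contact.
    """
    return hmac.compare_digest(fingerprint(presented_key), expected_fp)


def late_interceptor() -> list[str]:
    """Honest first contact, interceptor appears on the third call."""
    store = KnownPeers()
    return [
        store.check("alice", ALICE_KEY),    # genuine key pinned
        store.check("alice", ALICE_KEY),    # still genuine
        store.check("alice", MALLORY_KEY),  # key changed: detected
    ]


def interceptor_from_the_start() -> list[str]:
    """Interceptor present from the first contact and every contact after."""
    store = KnownPeers()
    return [
        store.check("alice", MALLORY_KEY),  # wrong key pinned, looks normal
        store.check("alice", MALLORY_KEY),  # consistent, so TOFU is silent
    ]


def out_of_band_catches_it() -> tuple[bool, bool]:
    """Alice's real fingerprint, obtained separately, exposes the swap."""
    trusted_fp = fingerprint(ALICE_KEY)  # e.g. read out over the phone
    return (
        verify_out_of_band(ALICE_KEY, trusted_fp),    # True
        verify_out_of_band(MALLORY_KEY, trusted_fp),  # False
    )


if __name__ == "__main__":
    print("late interceptor:       ", late_interceptor())
    print("interceptor from start: ", interceptor_from_the_start())
    print("out-of-band check:      ", out_of_band_catches_it())
```

The first scenario is the "better than nothing" case the comment grants to TOFU; the second is the one it warns about, where the store never reports anything wrong because the interceptor's key was the first one pinned. Only the out-of-band comparison distinguishes the two, which is why a scheme that never exposes a fingerprint to the user cannot authenticate the far end.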
I figured you'd be able to get a stream cipher in there without adding more than a couple of milliseconds.
I'd imagine stream compression would be a harder problem than stream encryption.
Of course you've still got to do some sort of shared key or PK exchange, but that's call setup latency so it's no big deal.