
Subject: SIP in higher education


Re: [] Zfone news

  • From: Duane <>
  • To:
  • Subject: Re: [] Zfone news
  • Date: Sat, 15 Apr 2006 09:35:47 +1000

Candace Holman wrote:
Here's a good article about Zfone, Phil Zimmermann's encryption add-on for SIP softphones. It discusses the good (encryption without the hassle of key exchange, publishing the protocol as an IETF draft), the bad ("picky" and "flaky" Mac beta?), and the ugly (difficult Linux installation, may not remain open for free downloading if Zimmermann gets the venture capital he's seeking). I'm not clear on why the author claims the package is neither open source nor free software - one would have to read the Linux tarball README to find out why he suggests that.

A first look at Zfone, Nathan Willis

While Zfone (more likely the underlying SRTP code, which is an open source library) is a good start by protecting the content of the phone call, it doesn't complete the picture.

There is an article at financial cryptography on even more people calling to encrypt the voice channel, but they just don't go far enough because the data in the control channel is also valuable for people, especially if you are sending DTMF out of band.

Please take Bruce Schneier's comment with a bag of salt, because there's nothing like a pair of alligator clips and 5 minutes in a telco pit, or easier still, cordless phones, to blow that myth out of the water.

In any case, as I said before, Zfone is a good start, but there also needs to be encryption between the SIP proxies to protect the data channel and potentially any DTMF. DTMF is a problem because you can send sensitive financial information such as phone banking details, or other phone services that require credit cards, and people unaware their call could be sniffed will have their details stolen.

Even before Zfone came along, Sipura devices were using SRTP to encrypt calls between 2 of the same devices, but this is where most efforts stopped because people couldn't work out how to proceed further. I feel a system similar to that proposed by the ISC for DNS security could be used to protect inter-SIP proxy, and end user to SIP proxy, information by storing the encryption certificate in DNS, so that when devices do a lookup they simply pull the certificate at the same time.

This way you don't need the out-of-band verification that occurs with Zfone, not to mention this being almost impossible in most commercial installations, yet the end result is complete encryption and not just encryption covering the audio.


Best regards,
Duane - Free Security Certificates - Think globally, network locally - Telecommunications Freedom - Because is a tax on VoIP

"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
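
An added example, not part of the original post: a small audit check for the point made above about out-of-band DTMF, which rides in SIP signaling (here a SIP INFO request) and so gets no protection from SRTP on the media stream. The sample message, host names and function names are constructed for illustration.

```python
import re

# Constructed sample (not captured traffic): one out-of-band DTMF digit in a SIP INFO.
INFO_TEMPLATE = (
    "INFO sip:ivr@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/{transport} client.example.org:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:ivr@example.com>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710@client.example.org\r\n"
    "CSeq: 2 INFO\r\n"
    "Content-Type: application/dtmf-relay\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "Signal=5\r\nDuration=160\r\n"
)

DTMF_TYPES = {"application/dtmf-relay", "application/dtmf"}
ENCRYPTED_TRANSPORTS = {"TLS", "WSS"}  # signaling encrypted on this hop
COMPACT = {"v": "via", "c": "content-type", "i": "call-id"}  # RFC 3261 compact forms


def parse_sip(raw):
    """Split a SIP request into (method, headers, body); keeps the topmost Via."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    return method, headers, body


def audit_dtmf_exposure(raw):
    """Return a finding when DTMF is carried in signaling, else None.

    Digits are deliberately not extracted: the audit only needs to know that
    they were present and whether this hop was encrypted.
    """
    method, headers, _ = parse_sip(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method != "INFO" or ctype not in DTMF_TYPES:
        return None
    m = re.match(r"SIP/2\.0/(\w+)", headers.get("via", ""), re.I)
    transport = m.group(1).upper() if m else "UNKNOWN"
    return {"call_id": headers.get("call-id"), "transport": transport,
            "exposed": transport not in ENCRYPTED_TRANSPORTS}
```

The topmost Via only describes the hop the message was observed on, so a clean result at the client edge says nothing about the proxy-to-proxy legs; each hop has to be checked separately.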
