LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 08-14-2014, 10:20 AM   #1
ordealbyfire83
Member
 
Registered: Oct 2006
Location: Leiden, Netherlands
Distribution: LFS, Ubuntu Hardy
Posts: 302

Rep: Reputation: 89
How secure is SIP / VOIP?


Lately I have been reading up on SIP and its respective clients, but it seems that much of the information out there is from circa 2009-2011. I realize that there are two types of "conversation," computer -> computer and computer -> real phone (through an external service).

I am wondering what the implications of using this are in terms of security. In reading about Ekiga and Empathy they claim to not support encryption. What exactly is meant by this? Does "encryption" in this case refer to end-to-end encryption like GPG, or some SSL-type authentication process? If neither, does this mean that calls are flying around the internet unencrypted, which would make things like credit card purchases by phone impractical? In other words, what can be done to prevent man-in-the-middle attacks?

I have also looked into LinPhone but it seems that encryption is not shipped by default. (Also good luck compiling ZRTP from source.) This program seems particularly appealing because it also has a console interface. Ekiga and Empathy are just too tied down to a particular desktop environment to be useful to people who do not want to install a bunch of Gnome dependencies.

Even in the event that it is possible to encrypt computer -> computer "calls" ("apps" like sipgate *may* do this, from what I've heard), what about the security of calls to real phones?

I realize that there are a million "I want to replace Skype" threads on here, but the lack of documentation and true facts about SIP may be a deterrent for people wanting to start using it.

Of course Skype is not to be trusted as nothing more than a blob and now owned by a very disreputable company, but if using SIP adds more fundamental insecurity then what choice do people really have?
 
Old 08-14-2014, 10:51 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,635
Blog Entries: 4

Rep: Reputation: 3931Reputation: 3931Reputation: 3931Reputation: 3931Reputation: 3931Reputation: 3931Reputation: 3931Reputation: 3931Reputation: 3931Reputation: 3931Reputation: 3931
Generally, it refers to a sort of "secure tunnel," in which the data that is passing through the public network (the Internet) is encrypted using digitally-signed methods. The purpose is not only to guard against casual eavesdropping, but also to identify the sender and the receiver to one another so that you're hearing the right conversation (and none others).

Pragmatically speaking, today all phone networks use VOIP technology: the legacy copper cables from your house only go a very short distance to a station that digitizes the signal and sends it on a (non-public) TCP/IP network.

And yet, most phone calls these days take place over the radio, where anyone for miles around could intercept the signal and, fairly easily, eavesdrop upon your conversation.

These are not "scrambler" technologies that are designed to further-obfuscate the underlying voice signal that is being transferred. (Such technologies, today, usually add a second layer of encryption to accomplish the scrambling.)

And, natcherly, "if what you have in mind is terrorism or a crime, too-bad." This will relieve you of the problem of "nosy next-door neighbors on a party line," but they won't keep you out of prison.

Last edited by sundialsvcs; 08-14-2014 at 12:44 PM.
 
Old 08-14-2014, 06:52 PM   #3
ordealbyfire83
Member
 
Registered: Oct 2006
Location: Leiden, Netherlands
Distribution: LFS, Ubuntu Hardy
Posts: 302

Original Poster
Rep: Reputation: 89
Ok... Well that sounds like the second half the equation in the ( computer -> digitizing service -> real phone ) call. But is encryption still lacking for the ( computer -> digitizing service ) part, as this would essentially be a ( computer -> computer ) call without being forwarded to a phone?

My concern is that using SIP over port 5060 is really nothing special in terms of security. You really don't even need a third party SIP service to do this. All the SIP service (i.e. ekiga.net and others) does is resolve your user name to your IP address. Without this, you can just use username@ipaddress:5060 and so on. So, if at least one of the computers is running a SIP server then it is just a conversation over 5060 and it is the responsibility of the individual participants to utilize their own encryption. Note that this part doesn't involve phones; this could be e.g. talking over microphone, text, or webcam. This is essentially the non-phone functionality of Skype.

Fine, but can these "digitizing services" accept some form of encrypted data? If not, then what would stop anyone on your local network (which could be a huge corporate network, where even in-house calls are confidential) from running Wireshark and capturing everything over this port going in and out of a particular computer? To me this sounds no different than "capturing" ordinary http transfers (versus https).

Assuming someone installs ekiga out of the box, sets up a Diamondcard account, and makes a call to a real phone, how do we know the call can't be hacked before it reaches the forwarding service?

Last edited by ordealbyfire83; 08-14-2014 at 06:54 PM.
 
Old 08-14-2014, 06:58 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,970

Rep: Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622
You have no reasonable belief that your call is not being monitored or possible to monitor. So, assume it has some security hole.

In some ways a POTS call is protected but phone companies don't even offer POTS anymore. They give you a voip setup.
 
Old 08-14-2014, 08:14 PM   #5
ordealbyfire83
Member
 
Registered: Oct 2006
Location: Leiden, Netherlands
Distribution: LFS, Ubuntu Hardy
Posts: 302

Original Poster
Rep: Reputation: 89
Yes, but that's not really the concern here.

Imagine the SIP call BEFORE the digitizing service (like Diamondcard, et al) is like a "ramp" to the ordinary landline/cell phone network. From what I'm hearing here, the ramp is totally insecure and can be cherrypicked just like any data sent over plain http. If that is true, then one would be far more secure just picking up a landline or cell phone and making a call.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] SIP account not registering through voip tripialos Linux - Server 3 05-27-2013 06:41 AM
SIP DID and VOIP Trunk Inquiry depam Linux - Software 2 12-05-2009 08:28 AM
LXer: Secure VoIP, GNU SIP Witch, and replacing Skype with free software LXer Syndicated Linux News 0 08-27-2009 02:20 PM
LXer: Secure VoIP, GNU SIP Witch, and replacing Skype with free software LXer Syndicated Linux News 0 08-27-2009 01:50 PM
VOIP/SIP: what about openwengo? frenchn00b General 1 11-03-2008 01:19 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 01:29 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration