[VOIPSEC] VOIP for free??
Savage, John C (John)
jcsavage at lucent.com
Mon Apr 11 12:35:53 CDT 2005
DNS, SMTP, and HTTP, ICQ, etc.. have never been seen as private, or
non-public communication methods. It's not really a vulnerability, none of
them were ever intended to be particularly secure, just efficient. Those
that wanted that information kept private\secured have always needed to take
extra steps to do so.
Voice has been "assumed private" in the US for quite a while, ever since
party lines died out. The comparative ease of monitoring a VoIP line
doesn't seem too much different than that of a PSTN line either. You still
need access, monitoring equipment of some sort, etc.. Connection security
and auditing from a provider prospective would seem much more important than
user-user communications.
John Savage
Global Platforms & Operations
Lucent Technologies
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
Behalf Of Michael Shields
Sent: Monday, April 11, 2005 11:59 AM
To: Diana Cionoiu
Cc: Smith, Donald; voipsec at voipsa.org; securityrequirements at voipsa.org
Subject: Re: [VOIPSEC] VOIP for free??
Diana Cionoiu wrote:
> RTP is not trivial to be listen,
> and anyway who can listen you phone calls also can see your yahoo, icq,
> msn,irc messages, so i think first we should solve those things and then
> go after plain VoIP.
I am not sure why you say this. For over two years, Ethereal has been
able to decode RTP streams and save the audio into a file. This only
takes a few clicks, and with a little time you could automate it completely.
It is true that other more widely used protocols also have
vulnerabilities, including DNS, SMTP, and HTTP. However, work on VOIP
security does not block work on other protocols, so that is no reason to
put VOIP security work on hold. It is easier to fix problems now while
the protocols are still in relatively limited deployment.
--
Michael Shields
Systems Programmer
AOL Network Security
[not speaking for AOL]
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
More information about the Voipsec
mailing list