[VOIPSEC] Voipsec Digest, Vol 12, Issue 24
dan_york at Mitel.com
Tue Jan 3 15:32:51 CST 2006
Mark,
Another Skype security analysis I found useful is at:
http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf
Regards,
Dan
P.S. I will note that recent list contributor Rodney Thayer also has his
Skype security analysis online at
http://www.canola-jones.com/material/candj-phreaknic2005.pdf
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
"Henry Sinnreich" <henry at pulver.com>
Sent by: Voipsec-bounces at voipsa.org
01/02/2006 11:21 AM
Please respond to henry
To: "'Mark Baugher'" <mbaugher at cisco.com>
cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Voipsec Digest, Vol 12, Issue 24
Hi Mark and Happy New Year!
You may have seen the security evaluation for Skype:
http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf
It would be very interesting for someone who disagrees to take up this
evaluation, item by item and provide arguments to the contrary. I have not
seen any arguments to the contrary, but just people who either like
Skype and some who don't.
There is a test report though from a credible lab:
http://www.networkworld.com/reviews/2005/121205-skype-test.html
In this light, Skype is probably more useful in the enterprise than the
hypothetical risks it may represent. Are Windows and its applications less
risky?
Actually, Skype can significantly increase productivity IMHO and should be
encouraged by IT until a similar well designed application based on SIP
will emerge. Instead of griping about Skype, I would like IETF-minded folks
to work on a better-than-Skype P2P SIP product.
Thanks, Henry
-----Original Message-----
From: Mark Baugher [mailto:mbaugher at cisco.com]
Sent: Monday, January 02, 2006 9:33 AM
To: henry at pulver.com
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Voipsec Digest, Vol 12, Issue 24
hi Henry,
On Dec 28, 2005, at 7:05 AM, Henry Sinnreich wrote:
>> You can't sell expensive phones or nobody will be your customer
>
> Check out the Skype phones (or the Nimcat/Avaya or Peerio PBX phones).
>
> There is no central call routing and the phones are both secure and
> affordable.
I have not found a public description of Skype security and for that
reason would not claim that they are secure. In fact, what I have
read about Skype security leads me to conclude that there is too much
that is hidden from the user for Skype to be considered secure.
Mark
>
> Both the business models and the platforms (no VoIP infrastructure) are
> different though from the "carrier" model, and this changes the security
> model and cost in a fundamental way.
>
> Let the flames come! :-)
>
> Thanks, Henry
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Voipsec-request at voipsa.org
> Sent: Wednesday, December 28, 2005 6:00 AM
> To: Voipsec at voipsa.org
> Subject: Voipsec Digest, Vol 12, Issue 24
>
> Today's Topics:
>
> 1. VoIP vulnerabilities summarization (david.castro)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 27 Dec 2005 16:12:14 +0100
> From: "david.castro" <david.castro at adianta.net>
> Subject: [VOIPSEC] VoIP vulnerabilities summarization
> To: Voipsec at voipsa.org
> Message-ID: <43B159CE.8030706 at adianta.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hello, I'm David.
> I've just read your interesting "chat", and I learned a lot, but I'd
> like to ask a question about SIP.
> Let's imagine you are making an IP phone-operator. You have a central
> access point (server SIP and gateway to PSTN), or several access points
> across internet. You can sell to your customers an IP-phone, so they
> don't have a computer run to chat on the phone. You can't sell
> expensive phones or nobody will be your customer, so the phones haven't
> TLS, IPSEC or proxy SIP, because they are connecting direct to
> access point.
> How do you protect this scenario?
> I'm using login/password in register request, but in other request I
> can't by the phones. What would you do?
> Thanks
>
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org