[VOIPSEC] Voipsec Digest, Vol 12, Issue 24

Mark Baugher mbaugher at cisco.com
Tue Jan 3 15:57:24 CST 2006 

Henry,

On Jan 2, 2006, at 8:21 AM, Henry Sinnreich wrote:

> Hi Mark and Happy New Year!

Same to you.
>
> You may have seen the security evaluation for Skype:
> http://www.skype.com/security/files/2005-031%20security% 
> 20evaluation.pdf

I will read it.  Another good source is Simson Garfinkle, http:// 
www.simson.net/ref/2005/OSI_Skype6.pdf

Mark
>
> It would be very interesting for someone who disagrees to take up this
> evaluation, item by item and provide arguments to the contrary. I  
> have not
> not seen any arguments to the contrary, but just people who either  
> like
> Skype and some who don't.
>
> There is a test report though from a credible lab:
>
> http://www.networkworld.com/reviews/2005/121205-skype-test.html
>
> In this light, Skype is probably more useful in the enterprise than  
> the
> hypothetical risks it may represent. Are Windows and its  
> applications less
> risky?
>
> Actuallly, Skype can significantly increase productivity IMHO and  
> should be
> encouraged by IT untill a similar well designed application based  
> on SIP
> will emerge. Instead of griping about Skype, I would like IETF- 
> minded folks
> to work on a better-than-Skype P2P SIP product.
>
> Thanks, Henry
>
>
>
> -----Original Message-----
> From: Mark Baugher [mailto:mbaugher at cisco.com]
> Sent: Monday, January 02, 2006 9:33 AM
> To: henry at pulver.com
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Voipsec Digest, Vol 12, Issue 24
>
> hi Henry,
>
> On Dec 28, 2005, at 7:05 AM, Henry Sinnreich wrote:
>
>>> You can't sell expensive phones or nobody will be your customer
>>
>>
>>
>> Check out the Skype phones, (or the Nimcat/Avaya or Peerio PBX
>> phones).
>>
>> There is no central call routing and the phones are both secure and
>> affordable.
>
> I have not found a public description of Skype security and for that
> reason would not claim that they are secure.  In fact, what I have
> read about Skype security leads me to conclude that there is too much
> that is hidden from the user for Skype to be considered secure.
>
> Mark
>>
>>
>>
>> Both the business models and the platforms (no VoIP infrastructure)
>> are
>> different though from the "carrier" model, and this changes the
>> security
>> model and cost in a fundamental way.
>>
>>
>>
>> Let the flames come! :-)
>>
>>
>>
>> Thanks, Henry
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-
>> bounces at voipsa.org] On
>> Behalf Of Voipsec-request at voipsa.org
>> Sent: Wednesday, December 28, 2005 6:00 AM
>> To: Voipsec at voipsa.org
>> Subject: Voipsec Digest, Vol 12, Issue 24
>>
>>
>>
>> Send Voipsec mailing list submissions to
>>
>>       Voipsec at voipsa.org
>>
>>
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>
>>       http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>
>> or, via email, send a message with subject or body 'help' to
>>
>>       Voipsec-request at voipsa.org
>>
>>
>>
>> You can reach the person managing the list at
>>
>>       Voipsec-owner at voipsa.org
>>
>>
>>
>> When replying, please edit your Subject line so it is more specific
>>
>> than "Re: Contents of Voipsec digest..."
>>
>>
>>
>>
>>
>> Today's Topics:
>>
>>
>>
>>    1.  VoIP vulnerabilities summarization (david.castro)
>>
>>
>>
>>
>>
>> --------------------------------------------------------------------- 
>> -
>>
>>
>>
>> Message: 1
>>
>> Date: Tue, 27 Dec 2005 16:12:14 +0100
>>
>> From: "david.castro" <david.castro at adianta.net>
>>
>> Subject: [VOIPSEC]  VoIP vulnerabilities summarization
>>
>> To: Voipsec at voipsa.org
>>
>> Message-ID: <43B159CE.8030706 at adianta.net>
>>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>>
>>
>> Hello, I'm David.
>>
>> I've just read your interesting "chat", and I learned a lot, but I'd
>>
>> like make a question about SIP.
>>
>> Let's imagine you are making an IP phone-operator. You have a central
>>
>> access point (server SIP and gateway to PSTN), or several access
>> points
>>
>> across internet. You can sell to your customers a IP-phone, so they
>>
>> don't have a computer run to chat on the phone. You can't sell
>>
>> expensives phones or nobody will be your customer, so the phones
>> hasn't
>>
>> TLS, IPSEC or proxy SIP, because they are connecting direct to
>> access point.
>>
>> How do you protect this scenario?
>>
>> I'm using login/password in register request, but in other request I
>>
>> can't by the phones. What would you do?
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ------------------------------
>>
>>
>>
>> _______________________________________________
>>
>> Voipsec mailing list
>>
>> Voipsec at voipsa.org
>>
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>
>>
>>
>>
>>
>> End of Voipsec Digest, Vol 12, Issue 24
>>
>> ***************************************
>>
>>
>>
>>
>>
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list