[VOIPSEC] Soft Phone Vulnerabilities
s.horne at packetizer.com
Thu Jun 8 10:24:06 BST 2006
I totally agree, people really don't care about security, well they do but
not at the expense of functionality and price. If you have 2 devices, the
same price with similar functionality, one secure, the other not, then they
will most likely pay for the one with security; however, if the secure
product is more expensive and you get a drop in functionality, they will
not, in general, pay extra for it unless they have a compelling need to.

Security is one of the least issues on people's minds with SKYPE.
Things I have experienced and others have reported to me are things like,
1. Variant Call Quality (sometimes calls are excellent but mostly they are
average, sometimes usable)
2. Over usage of resources (very resource hungry, particularly CPU).

A point to point call is always going to provide better consistent call
quality than a peer to peer one. The secret IMHO is not to do peering but
figure out how to do point to point (if at all possible) media and
signalling with a standards based protocol with clever endpoints/UA's in a
very NAT infested Internet environment and allow businesses to control
their own little VoIP patch.
Certainly if there is a will...
At 08:26 AM 8/06/2006, Craig Southeren wrote:
>On Wed, 7 Jun 2006 16:45:42 -0700
>Mark Baugher <mbaugher at cisco.com> wrote:
> > It's a different question as to whether skype is more or less secure
> > than other systems such as sip systems. Another interesting question
> > is whether or not a true peer-to-peer system can be made secure.
>From a technical standpoint, I think the answer is an unequivocal "yes".
>Crypto algorithms exist to implement end to end security and
>authentication regardless of the network topology - it's just a matter
>of developing and deploying the appropriate infrastructure.
>However, from a business standpoint, the answer has to be a "maybe".
>Developing and deploying a system that has cryptographically secure
>communications is expensive, and has to run an impressive gauntlet of
>legal hurdles to be available in the biggest target markets.
>For a company, most of the value can be extracted from the VoIP market
>without incurring the significant additional costs of implementing this
>kind of security. The fact that the PSTN and cellphones do quite well
>thank you very much without it shows that most users don't really care.
>I'm sure that one day a company will offer secure end to end SIP or
>H.323 calls - but they won't be cheap. And "secure" will be very tightly
> Craig Southeren Post Increment VoIP Consulting and Software
> craigs at postincrement.com.au www.postincrement.com.au
> Phone: +61 243654666 ICQ: #86852844
> Fax: +61 243656905 MSN: craig_southeren at hotmail.com
> Mobile: +61 417231046
> "It takes a man to suffer ignorance and smile.
> Be yourself, no matter what they say." Sting