[VOIPSEC] Watering down VoIP security expectations.
Voiceline
Patrick at Voiceline.dk
Sat Mar 11 09:44:30 CST 2006
Simon
The VoIP industry is in its relative commercial infancy. The problem is
that the commercial interest of making secure solutions is not the first
consideration of the vendors. Money makes the world go around, and the
market segment that needs high-level security is just not large enough to
dominate the agenda. Technology is, in the beginning, almost always feature
driven; features are cool and easier to sell than a security pitch that most
people/customers really will not understand the need for anyway. So what is
the sentiment of designing secure solutions to begin with, if the
technology's large-scale market deployment relies on cool features and not
complicated technical solutions that most certainly are beyond the grasp of
most consumers? We have to understand the power of the market-driven
industry. Security is not the first concern of the large majority of the
customers that I know. They blindly trust the whitepaper pitch, as far as
security goes. The bottom line is that the market is just not proactive from
the point of security. I am from Denmark and here we are in the middle of an
international crisis, which was started by a Danish newspaper that published
12 very offensive drawings of the prophet Mohammed. In the wake of this
incident, the small country of Denmark was under siege by the hacker
community from 1 billion angry Muslims. Countless web pages were defaced and
destroyed, causing mayhem and major financial losses. Security was seemingly
not a big issue before the incident - but now it's on the top of the agenda,
at least until things have cooled down and people start forgetting that it
was "the open gate that let the wolf in". Unfortunately security (at least)
needs to be an issue - before it becomes an issue... and the only way to
secure the values of security is to incorporate it into the fundamental
architecture, and in fact build everything else upon the foundation of a
secure infrastructure. In my opinion VOIPSA needs to concentrate more on
architecture and less on how to make a specific protocol work on a specific
device.
"If we build it they will come..." :))
Patrick
----- Original Message -----
From: "Simon Horne" <s.horne at packetizer.com>
To: "Dustin D. Trammell" <dtrammell at tippingpoint.com>
Cc: <voipsec at voipsa.org>
Sent: Saturday, March 11, 2006 2:40 AM
Subject: Re: [VOIPSEC] Watering down VoIP security expectations.
>
> Dustin
>
>>In my opinion, the VoIP industry is still in its relative infancy; it
>>should be OK to leave some technology behind. Not every solution needs
>>to be backward compatible. It would be nice if it is, but it shouldn't
>>always be a requirement, and will most likely hinder the security the
>>solution is meant to provide.
>
> VoIP has been around for 10 years. That's some infancy :) The point is
> that a holistic (or any) security framework was never a consideration when
> formulating some VoIP protocols which makes securing them after the fact
> much much more difficult.
>
> It is very possible to create a holistic interoperable approach for
> authentication and encryption (that goes most of the way), just they are
> much more difficult to do in SIP.
> See
> http://www.voip-security-blog.com/
> They can also natively work behind NATs but that is a whole different
> thread :)
>
> I guess the point of my rant (apart from livening up the list) is that we
> should not cloud or limit our expectations on VoIP security because of
> what we are using now but rather expect and demand VoIP security to do
> what we NEED in the future. If we break things so be it, if we have to
> turn the world on its head then let's do that too.
>
> 10 years is a long time to be crawling so let's stand up and start
> walking.....
>
> Simon