PGP Creator's Zfone Encrypts VoIP 150
Philip Zimmermann, creator of PGP wrote in to tell me about
Zfone, his new system for encrypting any SIP VoIP voice stream. His first release is Mac & Linux only. I tested it with him using Gizmo as our client and it was pretty trivial to use. While it should work on most any SIP compatible VoIP client, he hopes that clients like OpenWengo and Gizmo will incorporate Zfone directly into the UI.
Zfone has no centralization, and has been submitted to the IETF.
He hasn't yet determined a license, but he believes strongly in releasing source code for all encryption products. A windows client is forthcoming.
Re:Does it matter??? (Score:2, Informative)
There are prohibitions on export in the (many) terms to which you have to agree.
How long before it's all over the world?
Encryption is hard (Score:5, Informative)
There's also the not insignificant fact that encryption is complex to use and administer. Adding in robust encryption is not free from a user-friendliness perspective. Much thought has to be put into reducing the user-visible complexity as much as possible so that the user base will actually use the encryption, and use it in such a way that security is preserved. Not trivial.
PGPfone, Speak Freely (Score:5, Informative)
That died. It is good to see a new alternative that has adopted newer standards.
Another "oldy but goody" was Speak Freely [speakfreely.org].
Re:Why not encrypt by default (Score:5, Informative)
There are lots of reasons why encryption isn't being widely used. For one thing there is the normal tinfoil hat reason, ie. that the people in charge don't want it becausy they wouldn't be able to stick their nose where it don't belong so they try to prevent such technology from being widely used. Alot has also to do with cost and computing overhead. Encrypting can be an expensive thing to do in terms of computing power and especially so if everything form all the network communications protocols to storage media content is bening encrypted. Doning encryption with special hardware is one solution but that adds cost and also the problem of the hardware algorithms becoming obsolete like WEP for example. Just try to get ahold of, say a 100mb photoshop file. Now copy it into the user home directory of a regular user on an OS.X machine, then do the same for antoher user using 'File Vault'. You will quickly discover that the latter operation takes alot longer since those 100mb's of Photoshop file are being encrypted. You should notice similar problems when comparing normal unencrypted file transfers over a network with transfers over a high strength encrypted link. VPN for example works noticably slower using port forwarding over an SSH tunnel.
Re:It would also.. (Score:1, Informative)
No it wouldn't. This system doesn't use steganography to hide its protocol, so it's obvious to any application layer sniffer. It also does nothing to hide traffic data, i.e. source and destination addresses. That requires something like Tor [eff.org]. Telcos can selectively degrade service based on protocol and traffic analysis.
The only thing this would prevent is shaping based on the content of VoIP calls. Voice recognition on that scale is probably cost prohibitive for telcos at this point.
Re:PGPfone: Full duplex mode did suck (Score:3, Informative)
Re:Why not encrypt by default (Score:5, Informative)
For any IETF protocol developed in the past 10 years or so, it is. For example, RFC 3261 (which defines SIP) makes TLS encryption *mandatory* to implement. It does allow the users/administrators/whatever to turn it on and off, but you can't say your implementation is RFC 3261 compliant unless it contains TLS encryption.
For most other important protocols defined before the IESG required strong security in all protocols, there have been significant efforts to revise them as necessary to provide encryption. For example, RFC 3711 defines a mechanism for encrypting RTP (the voice packets in a VoIP call).
Anyone who bothers to actually implement to spec already has released products that do encryption, many by default. For example if I use the Snom 360 SIP phone on my desk to call anyone else using a client that has actually implemented all of RFC 3261 (instead of whatever small portion of it amused them) and implemented RFC 3711, both the signaling and the media will be strongly encrypted BY DEFAULT. And that's the way it was configured when I took it out of the box.
The fact that some current implementations don't bother following spec impugns their designers and implementors, not the protocols they're using. Using the standardized VoIP protocols available today, everyone *should* be able to make encrypted calls.
Re:Why not use OpenSSL? (Score:5, Informative)
OpenSSL builds encrypted sessions over TCP. TCP is not designed to work well for the requirement space needed by VoIP.
If fact, it just would not work well at all.
Re:Why not use OpenSSL? (Score:5, Informative)
OpenSSL is a misnomer.
I didn't mean "use SSL", I meant use OpenSSL the cryptographic library that supports all that standard stream ciphers. You can use whatever networking stuff you want outside of OpenSSL.
Re:What ever happened to PGP Phone? (Score:3, Informative)
Re:I agree, it is hugely important (Score:4, Informative)
Re:I agree, it is hugely important (Score:4, Informative)
For https and such, setting up the connection is the majority of the work. Public-key key exchange (public-key certificates, Diffie-Hellman, etc.) is an expensive operation because it requires a modular exponentiation on the part of the server. However, once the connection is set up, the cost of encrypting each packet is extremely small.
Melissa
Re:What ever happened to PGP Phone? (Score:3, Informative)
So PGPphone had a serious legal battle to reach wide use, and it never caught on as well as not having a great user interface. I hope Phil's newer tool catches on.