Secure VoIP, an Achievable Goal 103
An anonymous reader writes "ITO is running a comprehensive article on VoIP security issues and how one can protect against them: "VoIP creates new ways of delivering fully-featured phone services that promise big cost savings and open the way for a whole new range of multimedia communication services. After years of 'will it, won't it' speculation and unfulfilled predictions of universal adoption, Gartner is now positioning VoIP firmly on its way to the 'plateau of productivity' on its widely-respected technology hype cycle. But questions about its security and reliability persist.""
It Sure Is (Score:5, Informative)
I'd like to be able to hear the pin drop first. (Score:4, Informative)
Problme with security today and SIP (Score:5, Informative)
Re:I'd like to be able to hear the pin drop first. (Score:5, Informative)
New NSA guide for securing VOIP (Score:5, Informative)
Re:VoIP crypto with Diffie-Hellman? (Score:2, Informative)
You still need some other mechanism to make sure that you are actually talking directly to the right person and not to some man in the middle.
In IPsec they use either a shared secret, a public key or a certificate to authenticate parties.
Re:It Sure Is (Score:3, Informative)
I've read the FAQ and I don't think this is the case. ZPhone gives you an authentication string that you read to the person on the other end of the line, and they read (theirs) to you, so you can be sure that the node that your computer is connected to is the same one that the person at the other end of the call is sitting in front of. This seems to prevent most passive MiTM attacks that would insert a server somewhere into the middle of the connection that decrypted your side of the call and then re-encrypted it and sent it along to the person you wanted to talk to.
It of course doesn't guarantee that the person on the other end of the phone is the person you want to talk to -- but that's no more or less secure than any other telephone conversation, and really not much less secure than talking in person to a stranger you're unfamilar with. The authentication is to the phone, not to the person.
I don't really see the implementation as flawed for this. It seems significantly better than Skype, and as good as anything else that civilians have access to right now.