[Freeswitch-users] Passwords in clear text

Anthony Minessale anthony.minessale at gmail.com
Mon Oct 20 16:27:41 PDT 2008


if you want to test latest trunk i added code that *should* let you auth the
vm using the same
a1-hash also we added an "md5" api command to mod_commands so you can use it
in your own apps.

${md5(some data)}



On Mon, Oct 20, 2008 at 4:43 PM, Peter P GMX <Prometheus001 at gmx.net> wrote:

> I think we can agree that the more passwords are available in clear text
> the more problems we will have if a system is compromized. Therefore
> it's common practise to not store passwords in clear text. In our case
> we use xml-curl to store the directory data in a database for a
> distributed freeswitch network. I simply try to avoid having a database
> with clear text passwords. VM-Passwords may not be a bigger problem, but
> gateway passwords and conference pins are.
>
> One way is of course to encrypt the passwords with e.g. OpenSSL/RSA,
> store it the database and decrypt it on the fly when it is needed. This
> moves the security implementation to the application side with some
> backdraws, as passwords can be retrieved with the decryption key and
> passwords are transferred through the network (of course via SSL) and
> the passwords are in the logs. This is how we do it for the time being.
> Another idea, as I propose, is not to store the passwords but hashes.
>
> To be honest: I do not understand this discussion. It would be wise to
> store passwords in an encrypted way. I have seen compromized servers on
> the client's side in the last years and security threats will even
> increase in the future. The more we protect our sensible data the safer
> the system will be for the future. There is a growing number of
> companies in Germany (even the very big ones as Deutsche Telecom) who
> recently had to tell their customers that a huge amount of sensible data
> was lost.
>
> I am not asking for doing it right now, but I would love to have it
> somehow on the roadmap for the future.
>
> Best regards
> Peter
>
> Kristian Kielhofner schrieb:
> > On 10/20/08, Peter P GMX <Prometheus001 at gmx.net> wrote:
> >
> >> Hello Brian,
> >>
> >>  i have learned im my life that any server can be compromized if anyone
> >>  uses enough effort to hack it. Thus I simply try to prevent storing
> >>  passwords in clear text.
> >>  I am actually trying to setup a secure system with TLS/SRTP and
> handling
> >>  clear text passwords didn't really fit into this concept.
> >>
> >>  Best regards
> >>  Peter
> >>
> >
> > If your server is compromised and they can read your config files they
> > can read the file store, db, etc and have access to everything (VM?)
> > that pin would have access to.
> >
> >
>
> _______________________________________________
> Freeswitch-users mailing list
> Freeswitch-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>



-- 
Anthony Minessale II

FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/

AIM: anthm
MSN:anthony_minessale at hotmail.com <MSN%3Aanthony_minessale at hotmail.com>
GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com<PAYPAL%3Aanthony.minessale at gmail.com>
IRC: irc.freenode.net #freeswitch

FreeSWITCH Developer Conference
sip:888 at conference.freeswitch.org <sip%3A888 at conference.freeswitch.org>
iax:guest at conference.freeswitch.org/888
googletalk:conf+888 at conference.freeswitch.org<googletalk%3Aconf%2B888 at conference.freeswitch.org>
pstn:213-799-1400
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20081020/b8353baf/attachment-0002.html 


More information about the FreeSWITCH-users mailing list