[Freeswitch-users] Passwords in clear text
Anthony Minessale
anthony.minessale at gmail.com
Mon Oct 20 17:14:57 PDT 2008
especially if you are not using srtp and you can just sniff the dtmf =D
On Mon, Oct 20, 2008 at 6:29 PM, Mitch Capper <mitch.capper at gmail.com>wrote:
> Certainly offering support for hashed passwords has benefits and as you
> mentioned can be done using something other than the flat file XML directory
> format and decoding on the fly. I think one reason it hasn't been looked
> at as a major issue yet is voicemail and conference passwords are generally
> only numbers so they can be dialed over a phone, even an 8 digit password is
> 10^8 combination which is not a whole lot of hashes to brute force, so
> compromising even one way passwords would not be a major feat. It may
> deter a compromised machine from giving up its secrets but it certainly is a
> very narrow frame of protection.
>
> ~Mitch
>
> On Mon, Oct 20, 2008 at 5:43 PM, Peter P GMX <Prometheus001 at gmx.net>wrote:
>
>> I think we can agree that the more passwords are available in clear text
>> the more problems we will have if a system is compromized. Therefore
>> it's common practise to not store passwords in clear text. In our case
>> we use xml-curl to store the directory data in a database for a
>> distributed freeswitch network. I simply try to avoid having a database
>> with clear text passwords. VM-Passwords may not be a bigger problem, but
>> gateway passwords and conference pins are.
>>
>> One way is of course to encrypt the passwords with e.g. OpenSSL/RSA,
>> store it the database and decrypt it on the fly when it is needed. This
>> moves the security implementation to the application side with some
>> backdraws, as passwords can be retrieved with the decryption key and
>> passwords are transferred through the network (of course via SSL) and
>> the passwords are in the logs. This is how we do it for the time being.
>> Another idea, as I propose, is not to store the passwords but hashes.
>>
>> To be honest: I do not understand this discussion. It would be wise to
>> store passwords in an encrypted way. I have seen compromized servers on
>> the client's side in the last years and security threats will even
>> increase in the future. The more we protect our sensible data the safer
>> the system will be for the future. There is a growing number of
>> companies in Germany (even the very big ones as Deutsche Telecom) who
>> recently had to tell their customers that a huge amount of sensible data
>> was lost.
>>
>> I am not asking for doing it right now, but I would love to have it
>> somehow on the roadmap for the future.
>>
>> Best regards
>> Peter
>>
>> Kristian Kielhofner schrieb:
>> > On 10/20/08, Peter P GMX <Prometheus001 at gmx.net> wrote:
>> >
>> >> Hello Brian,
>> >>
>> >> i have learned im my life that any server can be compromized if anyone
>> >> uses enough effort to hack it. Thus I simply try to prevent storing
>> >> passwords in clear text.
>> >> I am actually trying to setup a secure system with TLS/SRTP and
>> handling
>> >> clear text passwords didn't really fit into this concept.
>> >>
>> >> Best regards
>> >> Peter
>> >>
>> >
>> > If your server is compromised and they can read your config files they
>> > can read the file store, db, etc and have access to everything (VM?)
>> > that pin would have access to.
>> >
>> >
>>
>> _______________________________________________
>> Freeswitch-users mailing list
>> Freeswitch-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
>
> _______________________________________________
> Freeswitch-users mailing list
> Freeswitch-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
--
Anthony Minessale II
FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/
AIM: anthm
MSN:anthony_minessale at hotmail.com <MSN%3Aanthony_minessale at hotmail.com>
GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com<PAYPAL%3Aanthony.minessale at gmail.com>
IRC: irc.freenode.net #freeswitch
FreeSWITCH Developer Conference
sip:888 at conference.freeswitch.org <sip%3A888 at conference.freeswitch.org>
iax:guest at conference.freeswitch.org/888
googletalk:conf+888 at conference.freeswitch.org<googletalk%3Aconf%2B888 at conference.freeswitch.org>
pstn:213-799-1400
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20081020/6f439bb6/attachment-0002.html
More information about the FreeSWITCH-users
mailing list