<div dir="ltr">especially if you are not using srtp and you can just sniff the dtmf =D<br><br><br><div class="gmail_quote">On Mon, Oct 20, 2008 at 6:29 PM, Mitch Capper <span dir="ltr"><<a href="mailto:mitch.capper@gmail.com">mitch.capper@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div dir="ltr">Certainly offering support for hashed passwords has benefits and as you mentioned can be done using something other than the flat file XML directory format and decoding on the fly. I think one reason it hasn't been looked at as a major issue yet is voicemail and conference passwords are generally only numbers so they can be dialed over a phone, even an 8-digit password is 10^8 combinations which is not a whole lot of hashes to brute force, so compromising even one-way passwords would not be a major feat. It may deter a compromised machine from giving up its secrets but it certainly is a very narrow frame of protection. <br>
<font color="#888888">
<br>~Mitch</font><div><div></div><div class="Wj3C7c"><br><div class="gmail_quote">On Mon, Oct 20, 2008 at 5:43 PM, Peter P GMX <span dir="ltr"><<a href="mailto:Prometheus001@gmx.net" target="_blank">Prometheus001@gmx.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I think we can agree that the more passwords are available in clear text<br>
the more problems we will have if a system is compromised. Therefore<br>
it's common practice to not store passwords in clear text. In our case<br>
we use xml-curl to store the directory data in a database for a<br>
distributed freeswitch network. I simply try to avoid having a database<br>
with clear text passwords. VM-Passwords may not be a bigger problem, but<br>
gateway passwords and conference pins are.<br>
<br>
One way is of course to encrypt the passwords with e.g. OpenSSL/RSA,<br>
store it in the database and decrypt it on the fly when it is needed. This<br>
moves the security implementation to the application side with some<br>
drawbacks, as passwords can be retrieved with the decryption key and<br>
passwords are transferred through the network (of course via SSL) and<br>
the passwords are in the logs. This is how we do it for the time being.<br>
Another idea, as I propose, is not to store the passwords but hashes.<br>
<br>
To be honest: I do not understand this discussion. It would be wise to<br>
store passwords in an encrypted way. I have seen compromised servers on<br>
the client's side in the last years and security threats will even<br>
increase in the future. The more we protect our sensitive data the safer<br>
the system will be for the future. There is a growing number of<br>
companies in Germany (even the very big ones such as Deutsche Telekom) who<br>
recently had to tell their customers that a huge amount of sensitive data<br>
was lost.<br>
<br>
I am not asking for doing it right now, but I would love to have it<br>
somehow on the roadmap for the future.<br>
<br>
Best regards<br>
Peter<br>
<br>
Kristian Kielhofner wrote:<br>
<div>> On 10/20/08, Peter P GMX <<a href="mailto:Prometheus001@gmx.net" target="_blank">Prometheus001@gmx.net</a>> wrote:<br>
><br>
>> Hello Brian,<br>
>><br>
>> I have learned in my life that any server can be compromised if anyone<br>
>> uses enough effort to hack it. Thus I simply try to prevent storing<br>
>> passwords in clear text.<br>
>> I am actually trying to set up a secure system with TLS/SRTP and handling<br>
>> clear text passwords didn't really fit into this concept.<br>
>><br>
>> Best regards<br>
>> Peter<br>
>><br>
><br>
> If your server is compromised and they can read your config files they<br>
> can read the file store, db, etc and have access to everything (VM?)<br>
> that pin would have access to.<br>
><br>
><br>
<br>
</div><div><div></div><div>_______________________________________________<br>
Freeswitch-users mailing list<br>
<a href="mailto:Freeswitch-users@lists.freeswitch.org" target="_blank">Freeswitch-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</div></div></blockquote></div><br></div></div></div>
<br></blockquote></div><br><br clear="all"><br>-- <br>Anthony Minessale II<br><br>FreeSWITCH <a href="http://www.freeswitch.org/">http://www.freeswitch.org/</a><br>ClueCon <a href="http://www.cluecon.com/">http://www.cluecon.com/</a><br>
<br>AIM: anthm<br><a href="mailto:MSN%3Aanthony_minessale@hotmail.com">MSN:anthony_minessale@hotmail.com</a><br>GTALK/JABBER/<a href="mailto:PAYPAL%3Aanthony.minessale@gmail.com">PAYPAL:anthony.minessale@gmail.com</a><br>
IRC: <a href="http://irc.freenode.net">irc.freenode.net</a> #freeswitch<br><br>FreeSWITCH Developer Conference<br><a href="mailto:sip%3A888@conference.freeswitch.org">sip:888@conference.freeswitch.org</a><br><a href="http://iax:guest@conference.freeswitch.org/888">iax:guest@conference.freeswitch.org/888</a><br>
<a href="mailto:googletalk%3Aconf%2B888@conference.freeswitch.org">googletalk:conf+888@conference.freeswitch.org</a><br>pstn:213-799-1400<br>
</div>
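The keyspace argument made in the thread (numeric PINs are small enough that a stored hash gives little protection), as an added example that is not part of the original messages or of FreeSWITCH. The salted SHA-256 storage scheme, the sample PIN and the PBKDF2 iteration count are assumptions constructed for illustration; the point for a defender is that only a deliberately slow KDF or longer PINs change the cost, a salt alone does not.

```python
import hashlib
import time

def pin_hash(pin: str, salt: bytes) -> str:
    """Salted SHA-256 of a numeric PIN (constructed storage scheme, not FreeSWITCH's)."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()

def exhaust(target: str, salt: bytes, digits: int):
    """Walk the full 10**digits keyspace; return (pin, tries, seconds)."""
    start = time.perf_counter()
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"          # keep leading zeros, PINs are dialed digits
        if pin_hash(pin, salt) == target:
            return pin, n + 1, time.perf_counter() - start
    return None, 10 ** digits, time.perf_counter() - start

def worst_case_seconds(digits: int, guesses_per_second: float) -> float:
    """Time to try every PIN of the given length at a given guess rate."""
    return 10 ** digits / guesses_per_second

def pbkdf2_rate(iterations: int, samples: int = 5) -> float:
    """Measured PBKDF2-HMAC-SHA256 guesses per second on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", str(i).encode(), b"constructed-salt", iterations)
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = pin_hash("4071", salt)       # constructed sample PIN
    pin, tries, secs = exhaust(stored, salt, 4)
    fast = tries / secs                   # plain-hash guesses per second, single core
    slow = pbkdf2_rate(200_000)           # assumed iteration count
    print(f"4-digit PIN {pin} matched after {tries} tries in {secs:.3f}s")
    for digits in (4, 6, 8):
        print(f"{digits} digits: SHA-256 {worst_case_seconds(digits, fast):10.1f}s, "
              f"PBKDF2 {worst_case_seconds(digits, slow) / 3600:10.1f}h worst case")
```
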