Hey David!<br><br>You should come by to this year's ClueCon!<br>We still have some speaking slots left.<br><br><br><div class="gmail_quote">On Thu, May 7, 2009 at 11:08 AM, David Sugar <span dir="ltr"><<a href="mailto:dyfet@gnutelephony.org">dyfet@gnutelephony.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">SIP TLS will protect the SIP session information with static keys via a<br>
certificate, assuming of course the call is direct between two peers.<br>
It will do nothing for the actual voice channel.<br>
<br>
There is SRTP, which can be used to create a cryptographic context over<br>
RTP. However, the key question is how to exchange the keys. If they<br>
are exchanged in the SIP session, even TLS SIP, then there are<br>
certificates around, and it is possible to acquire a past RTP session<br>
that has been intercepted.<br>
<br>
ZRTP offers a solution for setting up SRTP cryptographic contexts using<br>
distributed and self-generated keys (much like gnupg or ssh) that are<br>
exchanged between the peers over RTP itself, and validated through a<br>
fingerprint hash at both ends. It is of course essential to initially<br>
validate the keys in a secure network first, but once that is done, a<br>
man-in-the-middle in the key exchange process will then stick out like a<br>
sore thumb. Furthermore, since each call uses different per-session<br>
generated keys, there is no forward knowledge; breaking one call does<br>
not allow one to also decrypt all past calls.<br>
<div><div></div><div class="h5"><br>
Paul wrote:<br>
> Yes, I've seen this <a href="http://wiki.freeswitch.org/wiki/SIP_TLS" target="_blank">http://wiki.freeswitch.org/wiki/SIP_TLS</a>.<br>
> I was just curious if the only way to have true end to end secure communications with FS would have to be a SIP trunk from one FS system to another encrypted SIP system on the other with no POTS/PRI/BRI circuits used in transit. I'm assuming if there's any POTS/BRI/PRI/DSS circuits used in transit, anyone with a lineman's handset could still eavesdrop on any conversations. Is this not the case?<br>
><br>
> Paul<br>
><br>
> _______________________________________________<br>
> Freeswitch-users mailing list<br>
> <a href="mailto:Freeswitch-users@lists.freeswitch.org">Freeswitch-users@lists.freeswitch.org</a><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Anthony Minessale II<br><br>FreeSWITCH <a href="http://www.freeswitch.org/">http://www.freeswitch.org/</a><br>ClueCon <a href="http://www.cluecon.com/">http://www.cluecon.com/</a><br>
<br>AIM: anthm<br><a href="mailto:MSN%3Aanthony_minessale@hotmail.com">MSN:anthony_minessale@hotmail.com</a><br>GTALK/JABBER/<a href="mailto:PAYPAL%3Aanthony.minessale@gmail.com">PAYPAL:anthony.minessale@gmail.com</a><br>
IRC: <a href="http://irc.freenode.net">irc.freenode.net</a> #freeswitch<br><br>FreeSWITCH Developer Conference<br><a href="mailto:sip%3A888@conference.freeswitch.org">sip:888@conference.freeswitch.org</a><br><a href="http://iax:guest@conference.freeswitch.org/888">iax:guest@conference.freeswitch.org/888</a><br>
<a href="mailto:googletalk%3Aconf%2B888@conference.freeswitch.org">googletalk:conf+888@conference.freeswitch.org</a><br>pstn:213-799-1400<br>
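Added illustration of the point David makes about ZRTP in the quoted message: a fresh Diffie-Hellman exchange per call, a short fingerprint (SAS) that both ends compare, and a per-session SRTP key that shares nothing with earlier calls. This is example code written for this page, not the ZRTP protocol as specified in RFC 6189 and not FreeSWITCH or GNU ZRTP code; the group is the RFC 3526 2048-bit MODP group, the SAS and key derivations are simplified stand-ins, and `relayed_call` models an intermediary substituting its own DH values so the mismatch the SAS check is meant to catch is visible.

```python
"""Simplified model of the ZRTP idea: ephemeral per-call DH, a short
authentication string compared at both ends, and per-session SRTP keys.
Added example; not RFC 6189 ZRTP and not FreeSWITCH/GNU ZRTP code."""
import base64
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime and generator.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
SECRET_BYTES = (P.bit_length() + 7) // 8


def keypair():
    """Fresh ephemeral DH key for one call; nothing is kept across calls."""
    priv = secrets.randbelow(2**256 - 2) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """DH agreement; reject degenerate public values (0, 1, p-1)."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate DH public value")
    return pow(peer_pub, priv, P)


def srtp_master_key(secret):
    """Per-call SRTP master key derived from the DH result (KDF stand-in)."""
    return hashlib.sha256(b"srtp-master" + secret.to_bytes(SECRET_BYTES, "big")).digest()


def sas(secret):
    """Short authentication string: 20 bits of a hash shown as 4 base32
    characters (the size of ZRTP's B32 SAS); both parties read theirs aloud."""
    digest = hashlib.sha256(b"sas" + secret.to_bytes(SECRET_BYTES, "big")).digest()
    return base64.b32encode(digest[:3]).decode()[:4]


def direct_call():
    """Alice and Bob exchange DH values directly: both SAS values match."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_secret = shared_secret(a_priv, b_pub)
    b_secret = shared_secret(b_priv, a_pub)
    return {
        "alice_sas": sas(a_secret),
        "bob_sas": sas(b_secret),
        "alice_key": srtp_master_key(a_secret),
        "bob_key": srtp_master_key(b_secret),
    }


def relayed_call():
    """Same exchange through an intermediary that substitutes its own DH
    values toward each side: the endpoints derive different secrets, so the
    SAS values differ and the users notice the mismatch."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, relay_pub_for_alice = keypair()   # constructed: what Alice is shown
    _, relay_pub_for_bob = keypair()     # constructed: what Bob is shown
    a_secret = shared_secret(a_priv, relay_pub_for_alice)
    b_secret = shared_secret(b_priv, relay_pub_for_bob)
    return {"alice_sas": sas(a_secret), "bob_sas": sas(b_secret)}


def sas_verified(call):
    """The check the users perform: the SAS must be identical at both ends."""
    return call["alice_sas"] == call["bob_sas"]


if __name__ == "__main__":
    print("direct call SAS match:", sas_verified(direct_call()))
    print("relayed call SAS match:", sas_verified(relayed_call()))
```

Running it shows a matching SAS for the direct call and a mismatch for the relayed one; calling `direct_call()` twice also yields two unrelated SRTP master keys, which is the "no forward knowledge" property the message describes. In real ZRTP the SAS is additionally protected by a hash commitment and by cached shared secrets from earlier calls; neither is modelled here.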