On Thu, 12 Mar 2009, Kristian Kielhofner wrote:

On Thu, Mar 12, 2009 at 11:40 AM, Peter Beckman <[email protected]> wrote:

 The simple matter is -- unless you secure your box properly, and set some
 really good not-easily-guessable passwords, you are screwed no matter HOW
 secure Olle and Digium make Asterisk.  Changing from MD5 to SHA won't fix
 the fact that the username is 1000 and the password is 1000.  Even TLS
 doesn't fix the problem -- you're still using your dumbass password over a
 secure link.  The solution is either using strong passwords or using
 Certificate-only key-based authentication (SSH does it, not sure what else
 does, but I don't think SIP).

SIP+TLS can in fact do this (X.509/PKI/cert auth) but it remains to
be seen how widely this is (will be?) deployed.

 I'm guessing unless forced, admins will continue to use bad passwords
 rather than learn how to use certificates (if indeed they are supported on
 ATAs and SIP devices, which I'm unsure about) to secure their devices.

That will cut down on all but the most deliberate and targeted attacks.

 If you used certificate based auth, you couldn't even start the TLS
 negotiation.  Brute-forcing certs is, AFAIK, really, really difficult,
 like billions of years.

CAs, keys, and key revocation are probably beyond what most people want
to do for a secure SIP install.  I don't think we can expect people to
widely deploy this anytime soon.  Even if you share a private key on all
of your clients you still have the revocation/reissue/web of trust issues
in the event one of them becomes compromised.

 Completely agree.  SSH allows me to create a public/private keypair, then
 I can authenticate using that keypair.  No CAs or anything like that.
 It's not about trust, it's about preventing an unauthorized party from
 connecting to your Asterisk server and making fraudulent calls.

 Word.  If you don't have the understanding to appreciate how
financially vulnerable you can be connecting telephony to the internet
(or any network) at least have the responsibility (to yourself, your
clients, and the world) to at least hire someone who does.

 We are in full agreement!  I'll do it for $150/hour. :-)

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
[email protected]                                 http://www.angryox.com/
---------------------------------------------------------------------------
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--

asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-biz
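As an added example (not code from this thread, Asterisk, or Digium), a small Python audit that reads a sip.conf and flags peers whose secret repeats the username or is short or all digits, the "username is 1000 and the password is 1000" case above. The sample config, the minimal parser and the length threshold are my own assumptions.

```python
import re

# Constructed sample sip.conf (not from the thread): a peer whose secret is its
# own extension, a peer with a short numeric secret, and one with a strong secret.
SAMPLE_SIP_CONF = """\
[general]
context=default

[1000]
type=friend
secret=1000        ; the classic weak credential
host=dynamic

[1001]
type=friend
secret=12345
host=dynamic

[sales-gw]
type=peer
secret=Vq7!mZ2pLw9#tRk4
host=dynamic
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")

def parse_sip_conf(text):
    """Minimal sip.conf reader: [section] headers followed by key=value lines."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).split("(")[0]    # drop template markers like (!)
            peers[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            peers[current][key.strip()] = value.lstrip(">").strip()  # handles 'key => value'
    return peers

def weak_secret_findings(peers, min_len=12):
    """Return (peer, reason) pairs for secrets a password guesser would hit first."""
    findings = []
    for name, opts in peers.items():
        secret = opts.get("secret")
        if secret is None:                        # e.g. [general], or cert/ACL-only peers
            continue
        user = opts.get("username", opts.get("defaultuser", name))
        if secret in (name, user):
            findings.append((name, "secret equals username"))
        elif len(secret) < min_len or secret.isdigit():
            findings.append((name, "secret is short or all digits"))
    return findings
```

Run it against a real sip.conf with `weak_secret_findings(parse_sip_conf(open(path).read()))`; an empty list means no peer tripped these two checks, not that the secrets are strong.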
