On Sat, 2009-05-23 at 09:19 -0400, SIP wrote:
> It's also too bad that once your phone call heads to the PSTN, any form
> of encryption becomes functionally worthless. It's INCREDIBLY easy to
> tap into, trace, and catalogue a PSTN phone call.
>

There is nothing that can be done about that, unless the answering end supports crypto too. I still think it's easier to monitor VoIP calls since that can be done from almost anywhere on the intarweb (although do it in the wrong spot and it becomes quite noticeable). PSTN *generally* requires physical access, limiting the ones who can do this somewhat.

> Still... is very nice to see someone providing ZRTP services. Would like
> to see more of that in the future.

Yeah, and to be crypto agnostic like that, both SRTP/TLS and ZRTP, is a nice bonus. Ensures that more people can use it, although the way that ZRTP works, it becomes harder to validate the cipher since you can't compare the codes each end provides. If you use a mechanical voice or a SIP IM it becomes trivial to spoof the challenge/response codes; it relies on humans speaking and listening to share the codes to validate.

Because you can't validate the cipher I cannot say that you can trust ZRTP in this implementation, but then it was not designed to be on a server side; this is where TLS can be handy. However, SRTP/TLS is designed to be server side but is not as dynamic, nor does it forget everything about the session, making key recovery impossible (the cert is still there), something ZRTP is designed for. ZRTP is more of an end to end, human to human implementation, so for things where the server has to be in the middle SRTP/TLS is certainly superior.

-- 
Trixter http://www.0xdecafbad.com
Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721
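
An added illustration of the code comparison discussed in the message above, showing why the codes match when the two phones key with each other and stop matching when a server terminates each leg itself. It is not part of the original post or of any ZRTP implementation; the toy Diffie-Hellman group, the `Party` helper and the 20-bit code rendering are simplified assumptions, not the real ZRTP derivation.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example (far too small for real use).
P = 2**127 - 1
G = 3
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # plain base32, 5 bits per character


class Party:
    """One side of a key agreement leg (hypothetical helper, not a ZRTP API)."""

    def __init__(self):
        self.private = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self.private, P)

    def sas(self, peer_public):
        """Short code read aloud by the user: 20 bits of a hash of the shared secret."""
        shared = pow(peer_public, self.private, P)
        digest = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        bits = int.from_bytes(digest[:3], "big") >> 4  # leftmost 20 bits
        return "".join(ALPHABET[(bits >> s) & 31] for s in (15, 10, 5, 0))


def end_to_end():
    """Both phones run the exchange with each other: one leg, one shared code."""
    alice, bob = Party(), Party()
    return alice.sas(bob.public), bob.sas(alice.public)


def server_terminated():
    """A server answers each phone itself: two legs, two unrelated codes."""
    alice, bob = Party(), Party()
    leg_a, leg_b = Party(), Party()  # the server's key pair on each leg
    return alice.sas(leg_a.public), bob.sas(leg_b.public)


if __name__ == "__main__":
    print("end to end:       ", end_to_end())
    print("server terminated:", server_terminated())
```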
