especially if you are not using srtp and you can just sniff the dtmf =D
On Mon, Oct 20, 2008 at 6:29 PM, Mitch Capper <[EMAIL PROTECTED]> wrote:

> Certainly offering support for hashed passwords has benefits and as you
> mentioned can be done using something other than the flat file XML directory
> format and decoding on the fly. I think one reason it hasn't been looked
> at as a major issue yet is voicemail and conference passwords are generally
> only numbers so they can be dialed over a phone, even an 8 digit password is
> 10^8 combinations which is not a whole lot of hashes to brute force, so
> compromising even one way passwords would not be a major feat. It may
> deter a compromised machine from giving up its secrets but it certainly is a
> very narrow frame of protection.
>
> ~Mitch
>
> On Mon, Oct 20, 2008 at 5:43 PM, Peter P GMX <[EMAIL PROTECTED]> wrote:
>
>> I think we can agree that the more passwords are available in clear text
>> the more problems we will have if a system is compromised. Therefore
>> it's common practise to not store passwords in clear text. In our case
>> we use xml-curl to store the directory data in a database for a
>> distributed freeswitch network. I simply try to avoid having a database
>> with clear text passwords. VM-Passwords may not be a bigger problem, but
>> gateway passwords and conference pins are.
>>
>> One way is of course to encrypt the passwords with e.g. OpenSSL/RSA,
>> store it in the database and decrypt it on the fly when it is needed. This
>> moves the security implementation to the application side with some
>> drawbacks, as passwords can be retrieved with the decryption key and
>> passwords are transferred through the network (of course via SSL) and
>> the passwords are in the logs. This is how we do it for the time being.
>> Another idea, as I propose, is not to store the passwords but hashes.
>>
>> To be honest: I do not understand this discussion. It would be wise to
>> store passwords in an encrypted way. I have seen compromised servers on
>> the client's side in the last years and security threats will even
>> increase in the future. The more we protect our sensible data the safer
>> the system will be for the future. There is a growing number of
>> companies in Germany (even the very big ones as Deutsche Telekom) who
>> recently had to tell their customers that a huge amount of sensible data
>> was lost.
>>
>> I am not asking for doing it right now, but I would love to have it
>> somehow on the roadmap for the future.
>>
>> Best regards
>> Peter
>>
>> Kristian Kielhofner wrote:
>> > On 10/20/08, Peter P GMX <[EMAIL PROTECTED]> wrote:
>> >
>> >> Hello Brian,
>> >>
>> >> I have learned in my life that any server can be compromised if anyone
>> >> uses enough effort to hack it. Thus I simply try to prevent storing
>> >> passwords in clear text.
>> >> I am actually trying to set up a secure system with TLS/SRTP and handling
>> >> clear text passwords didn't really fit into this concept.
>> >>
>> >> Best regards
>> >> Peter
>> >>
>> >
>> > If your server is compromised and they can read your config files they
>> > can read the file store, db, etc and have access to everything (VM?)
>> > that pin would have access to.
>> >
>>
>> _______________________________________________
>> Freeswitch-users mailing list
>> [email protected]
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>

--
Anthony Minessale II

FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/

AIM: anthm
MSN:[EMAIL PROTECTED] <[EMAIL PROTECTED]>
GTALK/JABBER/PAYPAL:[EMAIL PROTECTED]<[EMAIL PROTECTED]>
IRC: irc.freenode.net #freeswitch

FreeSWITCH Developer Conference
sip:[EMAIL PROTECTED] <[EMAIL PROTECTED]>
iax:[EMAIL PROTECTED]/888
googletalk:[EMAIL PROTECTED]<[EMAIL PROTECTED]>
pstn:213-799-1400
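The 10^8 keyspace argument quoted above, worked through as an added example (not part of the thread and not FreeSWITCH code): it checks what a salted hash of a numeric PIN is worth once the stored value has leaked, and how much a slow KDF changes the worst-case search time. The salt handling, the PBKDF2 iteration count and the sample PIN are assumptions chosen for illustration.

```python
import hashlib
import os
import time

def sha256_pin(pin: str, salt: bytes) -> bytes:
    """Fast salted hash: one SHA-256 call per guess."""
    return hashlib.sha256(salt + pin.encode()).digest()

def pbkdf2_pin(pin: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow KDF: each guess costs `iterations` HMAC-SHA256 rounds (assumed value)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

def recover_pin(stored: bytes, salt: bytes, digits: int, hash_fn=sha256_pin):
    """Walk the whole numeric keyspace of the given length; return the PIN or None."""
    for n in range(10 ** digits):
        pin = str(n).zfill(digits)
        if hash_fn(pin, salt) == stored:
            return pin
    return None

def seconds_per_guess(hash_fn, samples: int) -> float:
    """Measure the average cost of one guess on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for n in range(samples):
        hash_fn(str(n), salt)
    return (time.perf_counter() - start) / samples

def worst_case_seconds(digits: int, per_guess: float) -> float:
    """Time to try every PIN of the given length on a single core."""
    return (10 ** digits) * per_guess

if __name__ == "__main__":
    salt = os.urandom(16)
    stored = sha256_pin("4821", salt)  # constructed sample PIN
    print("4-digit PIN recovered from its hash:", recover_pin(stored, salt, 4))
    fast = seconds_per_guess(sha256_pin, 20_000)
    slow = seconds_per_guess(pbkdf2_pin, 5)
    for digits in (4, 6, 8):
        print(f"{digits} digits: SHA-256 {worst_case_seconds(digits, fast):.1f} s, "
              f"PBKDF2 {worst_case_seconds(digits, slow) / 3600:.1f} h (one core)")
```

A slow KDF multiplies the cost of each guess by a constant but does not enlarge the numeric keyspace, which is the "narrow frame of protection" described in the thread.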
