On Tue, Mar 14, 2017, at 08:28 PM, Dominik Schuermann wrote:
> this should be of interest to Guardianproject's Ostel project:
> https://www.sufficientlysecure.org/2017/03/15/zrtp.html

Always happy to see this kind of in-depth research.

> We evaluated the ZRTP clients Acrobits Softphone, CSipSimple, Jitsi,
> Linphone, and Signal in regards to their protocol compliance, error
> handling, and user interfaces. Our extensive analysis uncovered a
> critical vulnerability that allows wiretapping even though Short
> Authentication Strings are compared correctly. We discuss shortcomings
> in the clients’ error handling and design of security indicators
> potentially leading to insecure connections.

Thank you as well for working with Linphone to ensure the vulnerabilities were addressed. It is still the go-to recommendation we provide for users interested in Ostel.

May I ask why you did not test Linphone on iOS?

> I also want to praise the effort put into your Open Secure Telephony
> Network (OSTN), which we used as our test network.

Glad it was useful. Honestly, most credit should go to Lee A. for continuing to maintain and support Ostel, as part of our larger community.

I have been nervous about the state of SIP/ZRTP clients, making me also concerned about continuing to promote SIP-based communications at all. I suppose we will follow the reaction to your study, to see how the app vendors like Linphone and Jitsi respond moving forward.

Best,
Nathan
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: [email protected]
