On Apr 13, 2007, at 9:58 AM, Paul Kyzivat wrote:
*This* message only reveals that Alice *thinks* Bob is reachable at
that address. Its no worse than intercepting an email from Alice to
Charlie that mentions the sip (or sips) address of Bob.
Trust me, the spooks look for those too.
If you want to prevent Alice from disclosing the address of Bob
then you have a much harder problem. I don't think this is solvable
in practice, nor do I think it needs to be solved.
If Alice had just not sent the request via SIP, but used SIPS, the it
would have been solved.
Since traceroute on biloxi.example.com may well give us a good
idea of the physical location of biloxi.example.com, an
interceptor picking up this message would have a good chance of
being able to find Bob.
No. Only Bob's home proxy.
In the call flow described (from 3665) there is no home proxy.
THERE IS NO REQUIREMENT THAT SIP USERS HAVE A HOME PROXY AND I WOULD
BE VERY HAPPY IF PEOPLE WOULD REMEMBER THAT!
But IF there had been a home proxy in this example, and the request
were intercepted between Bob's home proxy and Bob, then it would
reveal Bob's location as understood by Bob's home proxy.
Assuming that this message is sent unencrypted when used with SIP
(instead of SIPS), it's relatively easy to intercept.
The interceptor didn't need credentials to get into a location
server that might translate [EMAIL PROTECTED] to
[EMAIL PROTECTED] They didn't need credentials to look in a
directory server. They just pulled the information "off the wire"
in such a way that Bob will be unable to know how the interceptor
got his location.
I don't see how this discloses the address [EMAIL PROTECTED],
which is the only one that Bob has any chance of hiding. All Bob
needs to do is be careful in what he puts into his *response* to
the above invite. (E.g. He shouldn't put his contact address if he
is rejecting the call, and he should ensure his address isn't
mentioned in a H-I header.) If he is really paranoid about this he
could simply refuse to send any response to the invite, and let it
timeout.
It discloses"[EMAIL PROTECTED]" by the very simple mechanism of
including both "[EMAIL PROTECTED]" and "[EMAIL PROTECTED]" in a
plain-text message. This disclosure occurs even if Bob never responds
to the request, and even if bob never even RECEIVES the request.
--
Dean
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
