I've often railed about how using "sips:" doesn't really prove anything to the user, since the connection is not end-to-end and downstream elements might be lying about what they are doing.

Apparently a similar attack is possible on https, when augmented with a (very) little social engineering. I'm pretty sure this trick would fool me occasionally, and my mother wouldn't stand a chance.
See:

http://www.forbes.com/2009/02/18/black-hat-hackers-technology-security_0218_blackhat.html
A poignant quote:

The fundamental lesson of his encryption-stripping attack, says Marlinspike, is that the protections on the Web's "secure" pages are really just as weak as any page that can impersonate that security. "The real answer is to encrypt everything," Marlinspike says. "When you have a secure protocol that depends on an insecure protocol, that's a problem."
So, what are the implications for the SIP world?

--
Dean

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip