At Mon, 23 Feb 2009 10:33:07 -0600, Dean Willis wrote:
>
> I've often railed about how using "sips:" doesn't really prove
> anything to the user, since the connection is not end-to-end and
> downstream elements might be lying about what they are doing.
>
> Apparently a similar attack is possible on https, when augmented with
> a (very) little social engineering. I'm pretty sure this trick would
> fool me occasionally, and my mother wouldn't stand a chance.
>
> See:
> http://www.forbes.com/2009/02/18/black-hat-hackers-technology-security_0218_blackhat.html
>
> A poignant quote:
>
> > The fundamental lesson of his encryption-stripping attack, says
> > Marlinspike, is that the protections on the Web's "secure" pages are
> > really just as weak as any page that can impersonate that security.
> > "The real answer is to encrypt everything," Marlinspike says. "When
> > you have a secure protocol that depends on an insecure protocol,
> > that's a problem."
>
> So, what are the implications for the SIP world?
Uh, none? This is the whole reason why you need to start with secure
references and not allow opportunistic upgrade.

-Ekr

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
