[VOIPSEC] Soft Phone Vulnerabilities

Simon Horne s.horne at packetizer.com
Thu Jun 8 04:24:06 CDT 2006


Craig

I totally agree, people really don't care about security, well they do but 
not at the expense of functionality and price. If you have 2 devices, the 
same price with similar functionality, one secure the other not then they 
will most likely pay for the one with security however if the secure 
product is more expensive and you get a drop in functionality, they will 
not, in general, pay extra for it unless they have a compelling need to.

Security is one of the least issues on people's minds with SKYPE.
Things I have experienced and others have reported to me are things like,
1. Variant Call Quality (sometimes calls are excellent but mostly they are 
average, sometimes usable)
2. Over usage of resources (very resource hungry, particularly CPU).

A point to point call is always going to provide better consistent call 
quality than a peer to peer one. The secret IMHO is not to do peering but 
figure out how to do point to point (if at all possible) media and 
signalling with a standards based protocol with clever endpoints/UA's in a 
very NAT infested Internet environment and allow businesses to control 
their own little VoIP patch.

Certainly if there is a will...

Simon



At 08:26 AM 8/06/2006, Craig Southeren wrote:
>On Wed, 7 Jun 2006 16:45:42 -0700
>Mark Baugher <mbaugher at cisco.com> wrote:
>
>..deleted
>
> > It's a different question as to whether skype is more or less secure
> > than other systems such as sip systems.  Another interesting question
> > is whether or not a true peer-to-peer system can be made secure.
>
>From a technical standpoint, I think the answer is an unequivocal "yes".
>
>Crypto algorithms exist to implement end to end security and
>authentication regardless of the network topology - it's just a matter
>of developing and deploying the appropriate infrastructure.
>
>However, from a business standpoint, the answer has to be a "maybe".
>Developing and deploying a system that has cryptographically secure
>communications is expensive, and has to run an impressive gauntlet of
>legal hurdles to be available in the biggest target markets.
>
>For a company, most of the value can be extracted from the VoIP market
>without incurring the significant additional costs of implementing this
>kind of security. The fact that the PSTN and cellphones do quite well
>thank you very much without it shows that most users don't really care.
>
>I'm sure that one day a company will offer secure end to end SIP or
>H.323 calls - but they won't be cheap. And "secure" will be very tightly
>defined :)
>
>    Craig
>
>-----------------------------------------------------------------------
>  Craig Southeren          Post Increment - VoIP Consulting and Software
>  craigs at postincrement.com.au                   www.postincrement.com.au
>
>  Phone:  +61 243654666      ICQ: #86852844
>  Fax:    +61 243656905      MSN: craig_southeren at hotmail.com
>  Mobile: +61 417231046
>
>  "It takes a man to suffer ignorance and smile.
>   Be yourself, no matter what they say."   Sting
>
>