[VOIPSEC] Soft Phone Vulnerabilities

Jon Callas jon at pgpeng.com
Wed Jun 14 10:53:17 CDT 2006


>
> Point 1:   The security aspects of Skype.  I consider Skype  
> security to be a solved problem, orders of magnitude better than  
> what has been implemented by vendors using products based on ITU,   
> 3G and the proposed IMS standards.  Standards are useless unless  
> implementations work correctly.  The security analysis done by Dr.  
> Thomas A. Berson is valid and correct. The only implementations  
> that approach or exceed Skype's level of security and trust are  
> arguably the personal trust of PGP ZRTP, high-cost proprietary  
> systems for commercial or military use, and the research coming  
> from Henning Schulzrinne and  Eunsoo Shim that are being considered  
> for use in a future P2PSIP standard.  The assertions in my  
> presentation could not have been made if Skype security was an open  
> issue.  As a comparison, millions of financial transactions use
> IIS/IE as the underlying platform.  Any public opinions on IIS/IE
> security are best left to the reader.
>

Comment: ZRTP has nothing to do with PGP. While I am both the Chief
Technical Officer of PGP Corporation and a co-author of ZRTP,
ZRTP is not a PGP Corporation system. Please call it ZRTP if you're  
talking about the protocol or

Phil Zimmermann is the main creator of ZRTP. You really should credit  
him. Please change your web site to reflect this.

> Point 3:  Unknown relays in Skype.  Jon Callas rightly points out  
> that unknown relays in Skype cause a concern regarding sensitive  
> communications, and I agree with him.

I didn't point this out at all. Please credit the proper person.

	Jon

-- 
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d
	





