[VOIPSEC] Governments employing MiTM attacks against SSL
Michael Medina
mmedina at apriva.com
Wed Apr 21 10:51:12 CDT 2010
Hello Ari,
I see you mentioned ZRTP on your posting. Can you (or anybody else) compare and contrast ZRTP vs SRTP by measuring their security behaviors? Thank you!
Serge.
> Date: Tue, 20 Apr 2010 23:40:54 +0300
> From: voipsa at codenomicon.com
> To: sil at infiltrated.net
> CC: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Governments employing MiTM attacks against SSL
>
> On Tue, Apr 20, 2010 at 02:48:14PM -0400, J. Oquendo wrote:
> > So if you went with common sense/logic, it would make all the more
> > sense to mass surveil rather than fork off 30-40k for tapping a
> > single individual.
>
> Definitely. Especially in VoIP, it is actually easiest to just record
> everything. Data volumes are so low in most cases that you could store
> weeks of full voice/video recording, and all signalling for entire
> year, without much cost per subscriber. If needed, you can also easily
> store that at a safe location that no human can access, without the
> right access permissions. Data-mining the traffic is simple with tools
> like: http://www.codenomicon.com/analyzer/
>
> The biggest threat privacy people often have when you really get to
> the bottom of it (after enough beers) is that they have nothing
> against recording and storing the data itself, but they do not trust
> the _people_ (the individuals working at the telco, government or
> law-enforcement) having access to the data. Most recent discussions I
> have heard are actually only related to defining what data those people
> can see. Fortunately in VoIP setups (in most countries), the
> confidential data is mostly in the media streams and therefore easy to
> protect from illegal access.
>
> But like J. said, who cares, if you have nothing to hide, and
> especially if you trust the people who access that data. If you don't
> like that, there is very little you can do except start using GnuPG,
> TOR (1) and ZRTP. Even that does not help much.
>
> /Ari
>
> (1) http://archives.seul.org/or/talk/May-2006/msg00255.html
>
> --
> Check out latest news from Codenomicon: http://www.codenomicon.com/news/
> Check out my book on fuzzing: http://www.fuzz-test.com/
>
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> Ari Takanen Codenomicon Ltd.
> ari.takanen at codenomicon.com tel: +358-40 50 67678
> PGP: http://www.codenomicon.com/codenomicon-key.asc
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org