Computer Security Rants & Reverse Engineering

Thursday, December 8, 2011

SIP Credentials

In response to Zanthexter: SIP isn't my most fluent protocol, but I did a bit of looking at the captures. It's using MD5 digest authentication, so I see the usernames, nonces, etc. I don't see the password being sent in plain text, but I only did a cursory glance. Whenever I make it back from work I'll take a deeper look at it.

While yes, VPN is certainly an option, so is turning on SIP-TLS and SRTP or other security options, which is something that republic/phonebooth could easily do -- and should in my opinion.
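The digest exchange described above, as an added example (not code from this post or from either provider): a registrar-side check that recomputes the RFC 2617 MD5 response from the stored password, and a look at what actually travels in the Authorization header. The username, realm, nonce and password are constructed sample values.

```python
import hashlib
import hmac
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop, the form most SIP phones use for REGISTER."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce):
    """Header value a phone sends after a 401 challenge carrying realm and nonce."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_authorization(value: str) -> dict:
    """Split the comma-separated name="value" / name=value pairs of a Digest credential."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[len("Digest "):])
    return {name: (quoted or unquoted) for name, quoted, unquoted in pairs}


def verify(value: str, method: str, expected_nonce: str, lookup) -> bool:
    """Registrar-side check: recompute the response from the stored password."""
    p = parse_authorization(value)
    if p.get("nonce") != expected_nonce:
        return False  # stale or reused nonce; reject before touching the password
    password = lookup(p.get("username"), p.get("realm"))
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password,
                               method, p["uri"], p["nonce"])
    return hmac.compare_digest(expected, p.get("response", ""))


# Constructed sample credentials and challenge nonce (not from any real capture).
USERS = {("1001", "sip.example.com"): "correct horse"}
NONCE = "5f3a9c1e"


def lookup(username, realm):
    return USERS.get((username, realm))


if __name__ == "__main__":
    hdr = build_authorization("1001", "sip.example.com", "correct horse",
                              "REGISTER", "sip:sip.example.com", NONCE)
    print(hdr)  # username, realm, nonce and hash are visible; the password is not
    print(verify(hdr, "REGISTER", NONCE, lookup))
```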


  1. Found this regarding SIPS and SRTP with the Phonebooth service:
    "It sounds good, but the issue with SRTP and TLS is that their adoption is not widespread. When we hand off the call to other carriers the encryption would be removed and then the call exposed. SRTP can also negatively impact call quality, which will cause a lot of support calls and issues from customers. TLS is interesting, but it affects the ability to troubleshoot issues and can cause additional issues with Secure Key negotiations.

    This is why almost no hosted IP-PBX provider uses these security measures. I would like to know what your concern is. What scenario are you worried about?"

    I think the local airlink security will be addressed with Hotspot 2.0 and 802.11u which will support WPA2/AES in a public environment. End-to-end is another matter.


  2. Responded with a post,