Encrypted Internet Telephony is Only Safe Option
Note: Good article. I think Dirk brings up some valid points. With the mass adoption of VoIP we must still understand it's just another technology that has its strengths and weaknesses. If you are using an IP telephony phone system, your general network security policy should cover it also. .02
We can safely say that Voice over Internet Protocol (VoIP), the technology that enables telephony over the internet, is unsafe. Hackers can choose between a variety of widely available programs to pluck conversations out of the data stream and then manipulate them. IT experts also expect a rapid increase in spam over Internet Telephony (SPIT) in coming years: spam messages read aloud by a text-to-speech computer that calls on the telephone. While there are a variety of effective security concepts, they are rarely put to use.
One fundamental error is presuming that old-fashioned telephones were particularly secure devices themselves.
"The traditional telephone net is unsafe too," warns Hartmut Pohl, professor of Data Security at the Polytechnic Institute of Bonn-Rhein-Sieg in Sankt Augustin. The telephone junction box of any apartment building is more or less freely accessible.
"It's just that it takes less effort with VoIP because the conversation is already digitized." One must therefore presume that any internet phone conversation is public.
As with email, few private users actually employ encryption for their internet telephony. "There's simply not much awareness," Pohl says. He is also spokesman for the Working Group for Data and IT Security at the Society for Computer Sciences in Bonn. There are in fact several encryption methods for VoIP.
Secure Real-Time Transport Protocol (SRTP) is perhaps the most common. Yet even SRTP is not 100 per cent secure in and of itself, the German Federal Agency for Security in Information Technology (BSI) in Bonn determined in its study VoIPSEC.
One problem arises if the key exchanged between sender and recipient is sent without encryption at the start of the conversation. In addition, only a few VoIP providers support SRTP for the internet portion of the conversation, and not every VoIP telephone offers the encryption.
If the two parties converse solely over the internet, using programs known as softphones to telephone from computer to computer or via VoIP telephony, then they can encrypt their conversation regardless of their VoIP provider. This presumes that softphones and VoIP telephones support the same protocols.
If the conversation to be encrypted is running between a softphone or VoIP telephone and the landline network, then the VoIP provider's network must also support the encryption.
That's why Sipgate, a Dusseldorf-based provider, intends to offer secure encryption soon, combining the SRTP and Transport Layer Security (TLS) protocols.
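The key-exchange problem described above can be checked on captured call signaling. The following is an added example, not part of the original article: it assumes the SRTP key is carried as an SDP Security Descriptions (RFC 4568) `a=crypto` line inside a SIP message, which the article does not specify. The function names, addresses and key are constructed for illustration.

```python
import re

# Constructed placeholder: base64 of 30 zero bytes (key + salt), not a real key.
FAKE_KEY = "A" * 40

def make_invite(transport, profile, with_crypto):
    """Build a constructed SIP INVITE with an SDP body (sample input only)."""
    sdp = ["v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-",
           "c=IN IP4 192.0.2.10", "t=0 0", f"m=audio 49170 {profile} 0"]
    if with_crypto:
        sdp.append(f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{FAKE_KEY}")
    head = ["INVITE sip:bob@example.org SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bKconstructed",
            "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

def audit_invite(message):
    """Classify how one SIP message protects its media and its SRTP key."""
    head, _, body = message.partition("\r\n\r\n")
    # Transport of the topmost Via header: UDP/TCP are cleartext, TLS is not.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    # Media profile: RTP/AVP is plain RTP, the SAVP variants are SRTP.
    media = re.findall(r"^m=audio \d+ (\S+)", body, re.M)
    # An inline key in the SDP is readable by anyone who can read the signaling.
    keys = re.findall(r"^a=crypto:\d+ \S+ inline:", body, re.M)
    if not any("SAVP" in profile.upper() for profile in media):
        return "media-unencrypted"
    if keys and transport != "TLS":
        return "srtp-key-exposed"
    if keys:
        # TLS covers this hop only; each proxy on the path still sees the key.
        return "srtp-key-protected-hop"
    return "srtp-key-not-in-sdp"

if __name__ == "__main__":
    for transport, profile, crypto in [("UDP", "RTP/SAVP", True),
                                       ("TLS", "RTP/SAVP", True),
                                       ("UDP", "RTP/AVP", False)]:
        print(transport, profile, audit_invite(make_invite(transport, profile, crypto)))
```

A result of `srtp-key-exposed` is the case the BSI finding describes: the media is encrypted, but the key that decrypts it travelled in the clear.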
"The traditional telephone net is unsafe too," warns Hartmut Pohl, professor of Data Security at the Polytechnic Institute of Bonn- Rhein-Sieg in Sankt Augustin. The telephone junction box of any apartment building is more or less freely accessible.
"It's just that it takes less effort with VoIP because the conversation is already digitized." One must therefore presume that any internet phone conversation is public.
As with email, few private users actually employ encryption for their internet telephony. "There's simply not much awareness," Pohl says. He is also spokesman for the Working Group for Data and IT Security at the Society for Computer Sciences in Bonn. There are in fact several encryption methods for VoIP.
Secure Real-Time Transport Protocol (SRTP) is perhaps the most common. Yet even SRTP is not 100 per cent secure in and of itself, the German Federal Agency for Security in Information Technology (BSI) in Bonn determined in its study VoiPSEC.
One problem arises, if the key exchanged between sender and recipient is sent without encryption at the start of the conversation. SRTP is only supported by a few VoIP providers for the internet portion of the conversation. And not every VoIP telephone offers the encryption.
If the two parties converse solely over the internet, using programs known as softphones to telephone from computer to computer or via VoIP telephony, then they can encrypt their conversation regardless of their VoIP provider. This presumes that softphones and VoIP telephones support the same protocols.
If the conversation to be encrypted is running between a softphone or VoIP telephone and the landline network, then the VoIP providers network must also support the encryption.
That's why Sipgate, a Dusseldorf-based provider, intends offering secure encryption soon, combining the SRTP and Transport Layer Security (TLS) protocols.

blinklist
BoingBoing
del.icio.us
digg
furl
shadows
simpy
Slashdot
spurl
yahoo