zap-devel mailing list
To subscribe, send a mail with subject 'subscribe' to zap-devel(at)croczilla.com.
Likewise, to unsubscribe, send a mail with subject 'unsubscribe'
to zap-devel(at)croczilla.com.
SIP Security
Julien VEHENT <julien(at)linuxwall.info>
2006-06-14 08:14:32
Hi,
I've discovered Zap recently and I have a question about it:
Have you already planned a feature to secure SIP communication?
Let me explain: I'm studying computer security at a French university and for my
end-term project (which is realised with another student) we want to work on "a
way to authenticate peers in SIP communication" (this is the aim of the project,
already accepted by our professors).
Zap is a very interesting piece of software, more open than others like Wengo and so
on, and perhaps we could help the devs with this project.
But we aren't overskilled devs (in particular me, contrary to my colleague). So
the idea is not to code for 6 months but to create a lightweight and secure SIP
infrastructure, including client side (for example: Zap) and server side
(modified Asterisk?).
What is your opinion about that?
Best regards,
julien
----
Julien VEHENT
gpg: 0x7A7B6F2C on keyserver.net
web: www.linuxwall.info
Re: [zap-devel] SIP Security
Alex Fritze <alex(at)croczilla.com>
2006-06-18 16:18:39
Hi Julien,
User-to-user authentication is not yet working in zap, but it should be
easy enough to implement.
Note also that, while there is some sips support in zap and there is TLS
in Mozilla, the relevant parts are not hooked up yet. Again, I don't
think it would be difficult to get it to work (a little bit more
difficult than user-to-user authentication though).
Cheers,
Alex
Julien VEHENT wrote:[...]
Re: [zap-devel] SIP Security
Julien VEHENT <julien(at)linuxwall.info>
2006-06-20 12:27:30
Thanks for your response
[...]
I agree, but how?
I think the problem doesn't come from the code but more from the algorithm...
Several techniques provide user-to-user and server-to-user authentication,
but not so many are "user-friendly".
I've just read an article from SecurityFocus which deals with the human factor in
phishing attacks. Several researchers from Harvard have just finished a study
showing that more than 80% of participants were fooled because they didn't care
about SSL error messages and so on...
I think it could be interesting to work on a secure and user-friendly
authentication, like (again taken from this article) an image exchange or
something else.
[...]
Yes, you're right, and the Wengo devs told me the same thing.
[...]
Best regards,
Julien
----
Julien VEHENT
gpg: 0x7A7B6F2C on keyserver.net
web: www.linuxwall.info