  peter_m Premium join:2005-07-13 Canada, QC
| reply to nitzan Re: Excellent!!
said by nitzan :said by pandora :Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time. Have you heard of the Echelon project?
Peter
EDIT: I don't sleep at night with a tin foil hat on my head... I only wear it when I am near technology. |
|
  quetwo That VoIP Guy Premium join:2004-09-04 East Lansing, MI
| reply to nitzan My point is, however, security and encryption exist for many PBXes, but many of the smaller vendors (mostly the softswitch vendors), choose not to use the TIA protocols. H.323, for example, has a very well defined annex spec that specifies DSA based encryption between two end points. Many of the SIP vendors (Polycom, etc), choose not to invest in these technologies. It's just typical of the free/OSS world.
I tell my customers that it is to be assumed that the PSTN is secure from most sources, government aside. It is considered much more secure than any TCP/IP transport, and more secure than any mobile connection (Cell/portable). Inter-tandem communications are considered very private, as many of the tap-points that are commonly used for wide-range snoops are at Class I and Class II offices. (T), our ILEC will always tap upon a government request, but for the most part, those do require a signed subpoena.
CALEA pretty much dictates that you be able to provide a tap at the point of PSTN interconnection. So, yes, you cannot facilitate end-to-end encryption over the PSTN without a HLS waiver. However, CALEA does not apply for interswitch communications, and switch-to-endpoint communications. It only applies if you act as a "gateway to other services". Our lawyers have interpreted this as the communication from one of our customers to the outside only. Encryption between the customer and you should not be an issue in this case. If you act as an ISP, you are only to be concerned that you are able to tap the data from the customer to the next POP; you shouldn't care of the payload. |
|
  anony101
@comcast.net
from: TKJunkMail 
| reply to Cabal False. Look up BPI+.
I've seen it done. All it takes is a trip to RadioShack. |
|
  anony101
@comcast.net
| reply to nitzan I could be wrong, but AFAIK your neighbors CANNOT sniff your packets. Unless they have access to the switch - which they don't - they cannot listen in on you.
You ARE wrong.
Why don't you do some READING on the subject. That will save you from posting misinformation which some here will assume is correct. |
|
 nitzan Premium,VIP join:2008-02-27
·ViaTalk
·Comcast
| reply to quetwo said by quetwo :said by nitzan :Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time. If a third-party wanted to spy on you specifically, in 99% of cases they can't. My point is that let alone your ISP, but if you are in a business environment (the largest deployment of VoIP is in the business world), most workers work on a common switching infrastructure as their telecommunications equipment. If I have a SIP/H.323 link between my PBX and your service, it would not be encrypted. Chances are it will also travel over some of this common switching infrastructure, where it could be snooped on. This is how my PBX is set up, except we went the extra mile of forcing our vendor (Qwest) to allow us to interconnect with H.323e + TLS/G.711. That way, the signaling and the voice channels are encrypted the entire stretch (although the encryption is fairly weak, but it still exists). I think in this scenario you'd want to isolate the PBX from the rest of the network, and perhaps implement security between the phones and the PBX. I think it's more likely for a phone to be tapped on the switch it's connected to than between the PBX and VSP. (easier to access the phone's switch)
Either way though- no matter what you do, at this point in time inherently VoIP is not secure. But neither is PSTN for that matter. There are very few real options for end-to-end secure conversations, and they cost thousands of dollars.
Security will come once there's enough demand in the market of course, but unfortunately we have to wait until that happens.
Another thing to keep in mind is that it is potentially illegal for VoIP providers to provide end-to-end security. i.e. they have a legal obligation to be able to tap your phone should law officials require it (CALEA). They could probably get around it by doing some sort of "translation" where they'd open one secure session with you, and one with the terminating carrier - but again this means technologies that aren't really mature yet. (not to mention extra horsepower for all the encrypted sessions) |
|
  Cthen
join:2004-08-01 Ypsilanti, MI
·Comcast
| reply to nitzan said by nitzan :Interesting. Didn't know that. So essentially, cable internet is inherently less secure than, say, DSL? or better yet - FTTH? Since when has the internet ever been secure on any ISP? Just because some connections go through the CO first doesn't mean someone can't tap into it along the way. |
|
  quetwo That VoIP Guy Premium join:2004-09-04 East Lansing, MI
| reply to nitzan said by nitzan :Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time. If a third-party wanted to spy on you specifically, in 99% of cases they can't. My point is that let alone your ISP, but if you are in a business environment (the largest deployment of VoIP is in the business world), most workers work on a common switching infrastructure as their telecommunications equipment. If I have a SIP/H.323 link between my PBX and your service, it would not be encrypted. Chances are it will also travel over some of this common switching infrastructure, where it could be snooped on.
This is how my PBX is set up, except we went the extra mile of forcing our vendor (Qwest) to allow us to interconnect with H.323e + TLS/G.711. That way, the signaling and the voice channels are encrypted the entire stretch (although the encryption is fairly weak, but it still exists). |
|
  quetwo That VoIP Guy Premium join:2004-09-04 East Lansing, MI
| reply to anony101 said by anony101 :
Keep in mind that encrypted VOIP calls lose the encryption once they reach the PSTN. True, but again, the PSTN is regulated, and in the pre-Bush world, it was very hard to get access to the data going across it. Sadly this is not the case as much anymore. |
|
  TKJunkMail Enjoy the sun Premium join:2002-03-03 Avalon, NJ
·Sprint Mobile Broa..
·Comcast
| reply to pfak There is no protection against tampering with the signals on the RF cable network.
The main advantages of BPI+ in DOCSIS 1.1 are the capability to upgrade crypto mechanisms in already deployed Cable Modems and the use of digital certificates to authenticate Cable Modems.
Notice also that all setup and configuration of the BPI functions are made at the CMTS, so as a user you have very little control over when your data are encrypted and when they are not. In reality the purpose of BPI and BPI+ is this
* To protect against theft of service -- Ask yourself one question: 'Do I feel lucky?' Well, do ya punk? |
|
  pfak Premium join:2002-12-29 Canada
·Shaw
·Novus Entertainmen..
| reply to TKJunkMail said by TKJunkMail :You couldn't do it on the PC side of the cable modem. But if you hook up a device directly to the cable and bypass the cable modem altogether with a sniffer device, you could see and capture the packets on your local node. Look up BPI+.
Sometimes I really wish DSLR had a moderation system like Slashdot so all your posts would be "-1"  -- Xenophase - British Columbia's premier online gaming community. |
|
  Cabal Premium join:2007-01-21 Boston, MA
| reply to anony101 said by anony101 :Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time. That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood. False. Look up BPI+. -- Do you care about network neutrality, the right to privacy, or patent system abuse? Obama used to. |
|
 nitzan Premium,VIP join:2008-02-27 | reply to TKJunkMail Interesting. Didn't know that.
So essentially, cable internet is inherently less secure than, say, DSL? or better yet - FTTH? |
|
  TKJunkMail Enjoy the sun Premium join:2002-03-03 Avalon, NJ
·Sprint Mobile Broa..
·Comcast
1 edit | reply to nitzan said by nitzan :said by anony101 :Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time. That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood. I could be wrong, but AFAIK your neighbors CANNOT sniff your packets. Unless they have access to the switch - which they don't - they cannot listen in on you. You couldn't do it on the PC side of the cable modem. But if you hook up a device directly to the cable and bypass the cable modem altogether with a sniffer device, you could see and capture the packets on your local node. -- Ask yourself one question: 'Do I feel lucky?' Well, do ya punk? |
|
 nitzan Premium,VIP join:2008-02-27
·ViaTalk
·Comcast
| reply to anony101 said by anony101 :Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time. That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood. I could be wrong, but AFAIK your neighbors CANNOT sniff your packets. Unless they have access to the switch - which they don't - they cannot listen in on you. |
|
 pandora Premium join:2001-06-01 Outland
·ooma
·Future Nine Corpor..
·Comcast
| reply to anony101 said by anony101 :Thanks for the information. I have another question about security. My thought was my cable Internet service is shared with about 60-100 of my neighbors. Wouldn't any of my neighbors on our shared Comcast cable node be able to listen into my VOIP calls? It depends whether your VOIP provider uses SRTP to encrypt RTP packets from you to their proxy. Some do and some don't. You should call them and ask. Keep in mind that encrypted VOIP calls lose the encryption once they reach the PSTN. If you read this thread, you'll see my provider has posted and indicated there is no security for my VOIP content.
»Re: Excellent!! -- "People demand freedom of speech as a compensation for the freedom of thought which they seldom use." |
|
  knightmb Everybody Lies
join:2003-12-01 Franklin, TN
·AT&T DSL Service
| reply to anony101 said by anony101 :Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time. That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood. Does that mean all Cable calls are unencrypted by default? How would a customer turn on encryption? -- Fight NebuAD and the like: Click Here to pollute their data |
|
  anony101
@comcast.net
| reply to pandora Thanks for the information. I have another question about security. My thought was my cable Internet service is shared with about 60-100 of my neighbors. Wouldn't any of my neighbors on our shared Comcast cable node be able to listen into my VOIP calls? It depends whether your VOIP provider uses SRTP to encrypt RTP packets from you to their proxy. Some do and some don't. You should call them and ask.
Keep in mind that encrypted VOIP calls lose the encryption once they reach the PSTN. |
|
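Added example (not part of any post in this thread, and not any provider's code): whether a call uses SRTP can be read from the SDP body of your own SIP INVITE / 200 OK, where the `m=` transport is `RTP/AVP` for plain RTP and a `SAVP` profile for SRTP. The sample SDP bodies and the function name `classify_media` are constructed for illustration; with `a=crypto` (SDES) the key travels in the SDP, so it is only as private as the signaling channel.

```python
# Constructed sample SDP bodies (not captured traffic); addresses are
# documentation-range placeholders and the key is not a real key.
PLAIN_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
c=IN IP4 192.0.2.10
m=audio 16384 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

SRTP_SDP = """v=0
o=- 2 2 IN IP4 192.0.2.10
c=IN IP4 192.0.2.10
m=audio 16384 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_NOT_A_KEY
"""


def classify_media(sdp: str):
    """Return one (media, proto, verdict) tuple per m= line in an SDP body."""
    session_attrs, sections = [], []
    for line in sdp.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                continue  # malformed media line, skip it
            sections.append({"media": fields[0], "proto": fields[2].upper(), "attrs": []})
        elif line.startswith("a="):
            # Attributes before the first m= line apply to the whole session.
            (sections[-1]["attrs"] if sections else session_attrs).append(line[2:])
    results = []
    for sec in sections:
        has_crypto = any(a.startswith("crypto:") for a in sec["attrs"])
        has_fp = any(a.startswith("fingerprint:") for a in sec["attrs"] + session_attrs)
        if "SAVP" not in sec["proto"]:
            verdict = "unencrypted RTP"
        elif has_crypto:
            verdict = "SRTP, SDES key in SDP"  # needs TLS signaling to stay private
        elif has_fp:
            verdict = "SRTP, DTLS key exchange"
        else:
            verdict = "SRTP offered, no keying attribute"
        results.append((sec["media"], sec["proto"], verdict))
    return results


if __name__ == "__main__":
    for name, body in (("plain", PLAIN_SDP), ("srtp", SRTP_SDP)):
        print(name, classify_media(body))
```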
  anony101
@comcast.net
| reply to nitzan Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time. That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood. |
|
 pandora Premium join:2001-06-01 Outland
·ooma
·Future Nine Corpor..
·Comcast
| reply to nitzan Thanks for the information. I have another question about security. My thought was my cable Internet service is shared with about 60-100 of my neighbors. Wouldn't any of my neighbors on our shared Comcast cable node be able to listen into my VOIP calls? -- "People demand freedom of speech as a compensation for the freedom of thought which they seldom use." |
|
 nitzan Premium,VIP join:2008-02-27
·ViaTalk
·Comcast
| reply to pandora said by pandora :Ok, try this. I'm a Future-Nine customer, using a PAP2T. How exactly do I get secure VOIP communication on my calls? You cannot at this point. Secure RTP is not developed enough to implement at this point in time unfortunately.
We do intend to implement it once readily available though.
Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time.
If a third-party wanted to spy on you specifically, in 99% of cases they can't. -- Nitzan Kon, CEO Future Nine Corporation |
|