[u-u] FreePBX expertise? Re: Business Internet Providers in Toronto?
David Gilbert
uu at dclg.ca
Fri Feb 7 17:14:55 EST 2020
On 2020-02-07 15:37, D. Hugh Redelmeier wrote:
> | From: David Gilbert <uu at dclg.ca>
> | From: John Sellens <jsellens at syonex.com>
> | From: Norman Branitsky <ngbranitsky at gmail.com>
>
> Thanks for the several useful answers.
>
> As I understand it, TLS (including OpenVPN) only protects from active
> MITM (Man In The Middle) attacks if both sides are authenticated. In
> other words, if each side uses an X.509 certificate that the other
> side can validate. This is almost never how TLS is deployed.
>
> This is typical of how poorly cryptography is understood and used.
>
> In general, if someone tells me that their stuff is cryptographically
> protected for privacy and security, I ask them how they do it. More often
> than not, the answer is inconsistent with the claim.
Well... yes and no. More no. You're not considering your threat
model. As a trivial example, your SIP client (phone, app, whatever)
will authenticate with the SIP server (Asterisk, ISP, VoIP provider) in
one of several ways... most typically username and password. The
primary point of using TLS for this is to not divulge that username and
password to the casual listener... which is primarily something to stop
fraud...

If your threat model includes someone who can redirect the static IP
address of your provider's system, then you have more serious worries
indeed. I have never seen fraud perpetrated this way. And, indeed, if
your service provider is also local or providing you internet, then the
level of control that an adversary would need to pull this off somewhat
moots the point of worrying about your VoIP packets.

As I alluded to in my reply to your previous post, the VAST majority of
exchanged VoIP traffic runs in the clear with the sole protection of
static IP addresses. This is sufficient to deter fraud on most networks.
That may also lead you to speculate that VoIP calls are only somewhat
private. That is true of all internet traffic. I remember a novel
application we (as an early ISP) found in 1995 or so that would display
all images that any user was accessing across the whole ISP mosaic'd on
the screen. HTTPS (basic TLS) has made this many orders of magnitude
more difficult. I speculate that very little casual traffic in TLS
tunnels is casually snooped.

Similarly, now most VoIP traffic is in the clear such that, when pressed
to look at a quality problem, I can dump the packets and feed them into
Wireshark and not only "hear" the audio, but also diagnose the problem.
Over time, this will get somewhat difficult like the images above.

But if you have a determined adversary, you probably want SIP over
strong IPSEC. SIP is not designed and likely will never grow guarantees
of the nature you're looking for.
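The mutual-authentication point made in the quoted paragraph, shown in running code. This is an added example, not code from the thread or from any project named in it: a self-contained Go program that builds a throwaway in-memory CA with one server and one client certificate (the names demo-ca, sip.example and phone-1001 are made up) and runs three loopback TLS handshakes. The first is server-only authentication, the configuration almost every TLS deployment uses and the one that keeps a SIP username and password away from a passive listener; the second is mutual authentication with a CA-issued client certificate, the configuration that also rules out an impersonated peer; the third is mutual authentication where the client presents nothing, which the server rejects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a throwaway P-256 certificate for cn, valid for a day. With parent == nil it
// is a self-signed root, otherwise it is signed by parent/parentKey. Demo PKI only.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the demo dials 127.0.0.1, so that is the SAN
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	parsed, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, key
}

// handshake builds a fresh CA, server cert and client cert, then runs one TLS connection over
// loopback. mode is what the server demands of the client; sendClientCert is whether the
// client offers its certificate. It returns the server-side and client-side errors.
func handshake(mode tls.ClientAuthType, sendClientCert bool) (serverErr, clientErr error) {
	_, ca, caKey := newCert("demo-ca", true, nil, nil)
	server, _, _ := newCert("sip.example", false, ca, caKey) // stands in for the SIP server or provider
	client, _, _ := newCert("phone-1001", false, ca, caKey)  // stands in for a phone or softphone
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: mode, ClientCAs: pool}
	cliCfg := &tls.Config{RootCAs: pool} // the client always validates the server against the CA
	if sendClientCert {
		cliCfg.Certificates = []tls.Certificate{client}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		conn := tls.Server(raw, srvCfg)
		defer conn.Close()
		if err = conn.Handshake(); err == nil {
			_, err = conn.Write([]byte("ok")) // only reached when the server accepted the client
		}
		done <- err
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return <-done, err
	}
	defer conn.Close()
	// In TLS 1.3 the client's handshake completes before the server has judged the client
	// certificate, so read the server's reply to find out whether it accepted us.
	_, err = conn.Read(make([]byte, 2))
	return <-done, err
}

func main() {
	s, c := handshake(tls.NoClientCert, false)
	fmt.Printf("server-only auth (typical deployment):      server=%v client=%v\n", s, c)
	s, c = handshake(tls.RequireAndVerifyClientCert, true)
	fmt.Printf("mutual auth, client has a CA-issued cert:   server=%v client=%v\n", s, c)
	s, c = handshake(tls.RequireAndVerifyClientCert, false)
	fmt.Printf("mutual auth, client presents no cert:       server=%v client=%v\n", s, c)
}
```

Run it with `go run`; each line prints the server-side and client-side error for one scenario, `<nil>` meaning the connection was accepted and usable. Only the second scenario gives both peers a validated identity; in the first, a client that trusts the CA is protected against a passive listener but has no way to tell a CA-issued server from an impostor that the CA would never have signed, which is exactly the gap the quoted paragraph describes.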