Security and Real-time Communications – a maze of twisty little passages, that all look alike.
Olle E. Johansson, consultant in network security and real-time communication (PKI, WebRTC, SIP, XMPP); Kamailio and Asterisk expert.
Olle has worked with Internet and TCP/IP networking for almost 30 years and is a developer, project manager, documentation writer, trainer and a secret lover of X.509 and PKI. Olle is active in the IETF and has co-authored an RFC and contributed to many. He has spoken at many conferences and trained many, many Asterisk and Kamailio admins. Olle co-founded Astricon, the Asterisk conference. Outside of work he is an oral storyteller and spends a lot of time in his garden back home in Sweden.
After almost 20 years of working with real-time communication (SIP, XMPP, WebRTC, and other protocols and platforms), I haven’t built a standards-compliant secure platform with strong encryption and identity handling once. I’ve been close, but no cigar.
Looking at the standard documents for SIP, there are a lot of missing pieces and most of the Open Source implementations are missing large amounts of code to implement both existing security specifications as well as the missing pieces. It’s a mess, and that doesn’t help those who are trying to implement secure real-time communications. We can do better and hopefully we will do better.
While WebRTC mandates encrypted communication channels, that doesn’t mean that all platforms are secure. Also, there are as many definitions of “secure platform” as there are people implementing them.
There are hooks and new solutions to build from, but few implementers get the requirements, time and resources to do this.
Let’s discuss what the issues are, where privacy plays in, the missing support in the standard documents and where to go next.
We will also talk about why we think that the requirements for security are missing in almost every project and how we can change that.
Keywords:
– #MoreCrypto: PKI and TLS
– Oauth2 and OpenID connect, where do they fit in?
– SIP, The session initiation protocol
– WebRTC
– SRTP, the Secure Real-time Transport Protocol
A quick introduction to Kamailio - the leading Open Source SIP server (based on OpenSER and SER). Kamailio is quite different than Asterisk, FreeSwitch and many other VoIP platforms - why is that and how do you start getting your head around Kamailio?
The Art of VoIP Hacking - Defcon 23 Workshop (Fatih Ozavci)
VoIP attacks have evolved, and they are targeting Unified Communications (UC), commercial services, hosted environments and call centres using major vendor and protocol vulnerabilities. This workshop is designed to demonstrate these cutting-edge VoIP attacks, and improve the VoIP skills of incident response teams, penetration testers and network engineers. Signalling protocols are the centre of UC environments, but are also susceptible to IP spoofing, trust issues, call spoofing, authentication bypass and invalid signalling flows. They can be hacked with legacy techniques, but a set of new attacks will be demonstrated in this workshop. This workshop includes basic attack types for UC infrastructure, advanced attacks on SIP and Skinny protocol weaknesses, network infrastructure attacks, value-added services analysis, CDR/log/billing analysis and the use of Viproy to analyse signalling services using novel techniques. Also, the well-known attacks on the network infrastructure will be combined with the current VoIP vulnerabilities to test the target workshop network. Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by Fatih). It has a dozen modules to test trust hacking issues, information collected from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts, Cisco CUCDM exploitation and debugging services as a MITM. Furthermore, Viproy provides these attack modules in the Metasploit Framework environment with full integration. The workshop contains live demonstrations of practical VoIP attacks and usage of the Viproy modules.
In this hands-on workshop, attendees will learn about basic attack types for UC infrastructure, advanced attacks on SIP protocol weaknesses, Cisco Skinny protocol hacking, hacking Cisco CUCDM and CUCM servers, network infrastructure attacks, value-added services analysis, CDR/log/billing analysis and the Viproy VoIP pen-test kit to analyse VoIP services using novel techniques. New CDP, CUCDM and Cisco Skinny modules and techniques of Viproy will be demonstrated in the workshop as well.
Hacking and Attacking VoIP Systems - What You Need To Know (Dan York)
Presentation by Dan York at AstriCon 2007 about how to secure VoIP systems with a focus on the Asterisk open source PBX. The presentation outlines the issues involved with VoIP security, the tools out there to attack/test VoIP systems, best practices to defend against attacks and ends with some specific security recommendations for Asterisk. Audio will soon be available at http://www.blueboxpodcast.com/ (and will be synced to this presentation).
Self-contained encrypted voice solution for business and government: a central server plus iPhone and Android apps, with a high level of encrypted voice and text message capability that resides completely on site and works from one enabled comms device to another on the same network.
SlingSecure is the most secure encrypted messaging provider for Blackberry & Android mobile devices on the market. SlingSecure secure messaging was designed specifically for encrypting mobile-to-mobile, mobile-to-landline communication via Blackberry / Android smartphones.
Our multiple security features and protocols ensure safe, anonymous and highly secure transmission between Blackberry & Android devices for users who may deal with sensitive information and anyone who wants their peace of mind.
Features:
Blackberry to Android Encryption
Mobile to Landline Encryption
Landline to Landline Encryption
Private SMS Encryption
Email Encryption Blackberry to Android.
Visit us today at www.slingsecure.com
This presentation contains basic knowledge about how VoIP works and what the security threats in VoIP are. It also covers how we can prevent attacks on VoIP systems.
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version) (Fatih Ozavci)
Enterprise companies are increasingly using Microsoft Lync 2010/2013 (a.k.a. Skype for Business 2015) services as a call centre, internal communication, cloud communication and video conference platform. These services are based on VoIP and instant messaging protocols, and support multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones and teleconference devices. Also, the official clients are available for mobile devices (e.g. Windows Phone, Android and iOS), desktops (Mac, Linux and Windows) and web applications developed with the .NET framework. Although the Microsoft Lync platform has been developed along with the new technologies, it still suffers from old VoIP, teleconference and platform issues.
Modern VoIP attacks can be used to attack Microsoft Lync environments to obtain unauthorised access to the infrastructure. Open MS Lync frontend and edge servers, insecure federation security design, lack of encryption, insufficient defence for VoIP attacks and insecure compatibility options may allow attackers to hijack enterprise communications. The enterprise users and employees are also the next generation targets for these attackers. They can attack client soft phones and handsets using the broken communication, invalid protocol options and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud and intelligence collection.
Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented with newly published vulnerabilities and Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment.
• A brief introduction to Microsoft Lync ecosystem
• Security requirements, design vulnerabilities and priorities
• Modern threats against commercial Microsoft Lync services
• Demonstration of new attack vectors against target test platform
MiraVid provides a suite of complementary quality assurance solutions to help companies attain the highest quality, error-free video throughout their entire media distribution chain from acquisition to transmission. MiraVid solutions range from real-time video monitoring with built-in MPEG conformance testing to high-volume offline content validation to high-quality analysis tools that are used to optimize compression efficiency or debug any MPEG-based product or distribution process.
Time to get serious about realtime communication (Olle E Johansson)
My talk for ElastixWorld 2013 in Mexico City, Voip2day in Madrid and Astricon 10 in Atlanta:
I list four to-do's for everyone working with realtime communication as we move away from telephony over IP into the world of Internet-based realtime communication. I believe that there is a trust gap between what users expect us to deliver, but don't ask for, and what we actually deliver. Let's change that together!
The presentation got the "Best speaker" award at Voip2day 2013.
Reboot the Open Realtime Revolution - #MoreCrypto (Fall 2014) (Olle E Johansson)
My talk at Voip2day 2014 in Madrid, Spain and Elastix World 2014 in Santiago, Chile. Asterisk is now 15 years old and the revolution has faded away and is now part of regular business. It's time to restart and look forward, build new things and include security by default. Security needs to be in focus for everyone in VoIP and realtime communication during the coming year.
A presentation about new functionality in SIP that is really needed for Hosted PBX services, SIP on mobile phones and more situations. #SIP #Kamailio #Asterisk #TLS #MoreCrypto
A video with this presentation is available on YouTube at https://www.youtube.com/watch?v=uqFNlqB_Ssw
Speaker: Olle Johansson
"SIP 2.0 was published as an RFC in 2002 and started a revolution in the telecom industry. The big move away from traditional technologies is still happening and things are moving fast. But 99% of the implementations of SIP are still focused on ISDN-over-IP, something that is very frustrating to many who believe that there is much more functionality in SIP. WebRTC is about to become standardized and we already see some early implementations. How will this affect the SIP industry and what should be in focus for the coming year? Olle delivers his thoughts and ideas and will give some clear instructions about how to move forward."
ElastixWorld, Santiago de Chile, October 2014
A presentation about how we can make the Internet hard to monitor - how we can and should encrypt more communication. This version includes a presentation of the TLS protocol.
Changes in 2.2: Added quotes from Viktor Dukhovni's IETF RFC 7435 about Opportunistic Security
The tools at our disposal today for deploying HTTPS are tremendously powerful, and easy to use. Initiatives like Let's Encrypt offer certificates, and new security policies like HSTS and HPKP allow you to protect against extremely powerful attacks. HTTPS, Here and Now!
This was an invited talk at the ICT Security Happening, organized by the VDAB Competence Center in Leuven.
This is my Athcon 2013 slide set. I also demonstrated attacking mobile applications via SIP trust, scanning via SIP proxies and MITM fuzzing in a live demo.
A presentation that tries to set an IPv6 agenda for the SIP community. VoIP and IPv6 are a natural match. If we want unified communication to be truly global and unified, we need to build solutions on IPv6 and not IPv4.
Brief introduction to the SIP protocol, how it works, and common problems to solve. Technical details about the handshake, SIP trunks and SIP trunking. Market research.
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner... (JPCERT Coordination Center)
Recently we’ve seen many vulnerabilities related to improper certificate validation. Those vulnerabilities come from developers’ ignorance or misunderstanding of the basics of certificate validation, or from insufficient testing of validation code. This presentation starts with the basics of the certificate validation process, surveys several real-world vulnerabilities, and concludes with lessons learned from them.
This was presented at JavaOne 2015.
CipherCloud's Searchable Strong Encryption (SSE), FIPS 140-2 validated, delivers the benefits of the cloud, while assuring cloud data security and compliance for your most sensitive information.
TADSummit 2022 8/9 Nov Aveiro Portugal
Welcome to vCon! The next leap forward in the programmable communications industry.
Thomas Howe, CTO STROLID
Slides and Video
Why do we need vCon?
What is vCon?
How is it being used today?
Where is vCon going?
Supercharging CPaaS Growth & Margins with Identity and Authentication, Aditya... (Alan Quayle)
TADSummit 2022 8/9 Nov Aveiro Portugal
Supercharging CPaaS Growth & Margins with Identity and Authentication
Aditya Khurjekar, GM Prove Protocol
Mobile networks were designed for communication, yet commerce is driving most of the demand for mobile connectivity today
The growth segments in today’s digital economy benefit from CPaaS APIs for Identity verification, authentication, proofs & claims
Commerce-enabling CPaaS APIs rely on the intrinsic security of mobile network and devices
Deterministic (rather than probabilistic) authentication drastically reduces fraud, hence increases margins
The secure element in mobile devices has been under-utilized by carriers
FIDO standard presents a horizontal application opportunity for hardware based (deterministic) authentication
Authenticated ID verification is key to secure yet seamless digital onboarding, leading to financial inclusion & consumer protection
The needs of the new crypto-based (web3) economy can also be satisfied with smart CPaaS offerings that preserve anonymity/pseudonymity
The imminent ubiquity of eSIMs is timely to fight fraud in the increasingly sophisticated digital & crypto-enabled economy
It’s time for a purpose-built global payments network!
Building a sub-second virtual ThunderDome: Considerations for mass scale sub-... (Alan Quayle)
Building a sub-second virtual ThunderDome: Considerations for mass scale sub-second production broadcasts
Jerod Venema, CEO and Co-Founder, LiveSwitch
In the throes of the pandemic, the WWE debuted its ThunderDome, a world-first, large-scale installation of high resolution LED screens that transformed empty seats into live-streamed fans who joined over video from around the world. Performers in the ring and TV audiences at home could see and hear these virtual fans in real-time. LiveSwitch was selected to develop and manage the ThunderDome’s cloud video infrastructure.
How to enable low-latency, live video streamed via the internet capable of fostering real-time engagement between performers and audiences on a massive scale.
Massive-scale latency challenges and how to overcome them.
Current and future uses of programmable communications for live fan engagement.
What makes a cellular IoT API great? Tobias Goebel (Alan Quayle)
What makes a cellular IoT API great?
Tobias Goebel, Principal Product Marketing Manager, IoT, Twilio
Why IoT SIMs need an API in the first place
The core functions needed in a cellular IoT API: SIM activation and deactivation, SIM status queries, Network access configuration, Pulling billing information and usage records, Troubleshooting, Device reachability
What matters in a good API (any API)
10 tips and tricks for how to find a good IoT SIM with a strong API
eSIM as Root of Trust for IoT security, João Casal (Alan Quayle)
TADSummit 2022 8/9 Nov Aveiro Portugal
eSIM as Root of Trust for IoT security
João Casal, Head of R&D at Truphone
ARCADIAN-IoT: Research with eSIM as key element of a novel IoT security framework
SIM: Proven secure element
Leveraging cellular network authentication for zero-touch authentication of IoT devices in third-party services
The eSIM ecosystem role in new security mechanisms for IoT
IoT connectivity and IoT security: two faces of the same coin
Architecting your WebRTC application for scalability, Arin Sime (Alan Quayle)
TADSummit 2022 8/9 Nov Aveiro Portugal
Architecting your WebRTC application for scalability
Arin Sime, CEO/Founder at WebRTC.ventures and AgilityFeat, & Alberto González Trastoy, CTO at WebRTC.ventures | Software/Telecom Engineer.
There are many ways to architect your live video application with WebRTC. Open Source and CPaaS media servers are one consideration, but far from the only decision you’ll need to make.
In this session we will give an update on the most popular media servers to consider, and go deeper into scalability with topics such as deployment using Kubernetes/Docker, persistence when using multiple SFU/MCU servers, and optimizations available in WebRTC for better performance.
CPaaS Conversational Platforms and Conversational Customer Service – The Expe... (Alan Quayle)
TADSummit 2022 8/9 Nov Aveiro Portugal
CPaaS Conversational Platforms and Conversational Customer Service – The Experience Gap?
Ben Waymark, Chief Technology Officer, Webio.
CPaaS players are handling the low-hanging, simple conversations via their conversational design and plug-ins to the messenger layer, but what are they really hoping to achieve, and should they be aimed at the developer community?
No-code/low-code configurable conversational customer support has done really well by integrating with customer ticketing and by integrating other platforms into its workflows. Kustomer.com was bought for a billion; something is going right there.
Conversational experiences are becoming part of the digital customer experience. What does this look like and why might this be important for other companies to understand?
Programmable Testing for Programmable Telcos, Andreas Granig (Alan Quayle)
Programmable Testing for Programmable Telcos
Andreas Granig, Founder & CEO at Sipfront
Advantages and Challenges of automating real-time communication testing
How real-time communication testing could actually be quite pleasant
Creative ways to use typical server-side applications like Kamailio and rtpengine as test clients
The revival of SIPp, and how you create test scenarios 20 years after its invention
“Just show me the curl command”
How to best maximize the conversation data stream for your business? Surbhi R... (Alan Quayle)
TADSummit 2022 8/9 Nov Aveiro Portugal
How to best maximize the conversation data stream for your business?
Surbhi Rathore, CEO & Co-Founder, Symbl.ai
How do we build a scalable pipeline of conversation data that merges and correlates with other types of data in the business and helps us make decisions and predictions that are informed by conversations?
We will talk about context, real-time aspects of understanding and how you can use this data combined with sales, marketing, HR, support and other existing analytics to understand behavior and adapt to what works best in each of these functions.
We will go deep into specific use cases and customer stories of organizations that have adopted Symbl’s conversation understanding platform to drive this change, and give concrete examples of where to start.
Latest Updates and Experiences in Launching Local Language Tools, Karel Bourgois (Alan Quayle)
TADSummit 2022, 8/9 Nov Aveiro Portugal
Latest Updates and Experiences in Launching Local Language Tools
Karel Bourgois, Founder Voxist, President Le Voice Lab, Exec Director Slatch, Chapter Pilot France AI Hub
Experiences with launching our own speech-to-text (French and English, both HD and Telephony audio, real-time and asynchronous).
‘Implicit Knowledge Management’ solution: using our STT engine we are indexing and searching thousands of hours of video to find those that discuss specific topics or identify people that are experts on those topics.
Latest updates on Voxist and its evolution to a “callbot.”
What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawfu... (Alan Quayle)
TADSummit 2022 8/9 Nov 2022
What Everyone Needs to Know about Protecting the CPaaS Ecosystem from Unlawful Robocalls.
Gerry Christensen, VP YouMail.
The Unwanted Robocall Problem
STIR/SHAKEN Fixes Some, but Not All, Spoofing
Leased DIDs are a Challenge for the Ecosystem
Scenarios and Solutions for CPaaS Providers
Do your Customers Use Your DIDs? Are you Monitoring Usage/Behavior?
Do your Customers Bring their Own DIDs? Are you Investigating Reputation as Part of KYC?
About YouMail Protective Services
YouMail PS Solutions for CPaaS
YouMail Score
YouMail Watch
Master the Audience Experience Multiverse: AX Best Practices and Success Stor... (Alan Quayle)
Master the Audience Experience Multiverse: AX Best Practices and Success Stories
Ken Herron, Chief Growth Officer, UIB
Customers need you to help them solve their #1 problem – Audience Experience (AX).
Customers struggle with managing their differentiated brand journeys at scale in a post-pandemic world where their external and internal audiences decide the platforms, channels, and languages.
This session will share AX best practices and success stories from Europe, the Middle East, Asia, and the US for how enterprise and small business customers can control their respective brands, journeys, and audiences with a single brand voice:
Create/Control a differentiated AX
Respond in real-time
Mirror channels
Curate audiences
Secure conversational data
Monetize engagement
Scale monitoring
This session will include a live, interactive demo.
Open Source Telecom Software Survey 2022, Alan Quayle (Alan Quayle)
TADSummit 2022, 8/9 Nov Aveiro Portugal
Open Source Telecom Software Survey 2022 Results.
Alan Quayle, independent
Results from a survey undertaken over the summer of 2022
Accelerators. For example, Subspace (now closed down), AWS Global Accelerator, etc.
SMS versus IP for A2P messaging
STIR/SHAKEN
Device Lifecycle Management
vCon
DDoS
Security
Expectations on investment 2022-2024
Expectations on winners and losers 2022-2024
Popular open source software
OpenSIPS 3.3 – Messaging in the IMS and UC ecosystems. Bogdan-Andrei Iancu (Alan Quayle)
TADSummit 2022, 8/9 Nov Aveiro Portugal
OpenSIPS 3.3 – Messaging in the IMS and UC ecosystems.
Bogdan-Andrei Iancu, Founder and Developer at OpenSIPS Project
SIP also supports instant messaging and presence.
Review of Messaging in IMS
Review of Messaging in Unified Communications
OpenSIPS 3.3 in the messaging ecosystem
Review of implementation using Message Session Relay Protocol (RFC 4975, RFC 4976), groups multiple messages in sessions.
Conclusions: OpenSIPS 3.3 targets to implement various components of the overall SIP Instant MESSAGING ecosystem, from gateways and transport to services.
TADS 2022 - Shifting from Voice to Workflow Management, Filipe LeitaoAlan Quayle
TADSummit 2022, 8/9 Nov Aveiro Portugal
Shifting from Voice to Workflow Management
Filipe Leitão, Global Service Provider Channel SE, RingCentral
There is an ongoing consolidation of the Cloud Communications market where mainstream providers compete against each other for the same spaces, UCaaS / CCaaS / CPaaS.
Weapons of choice are the same for everyone: instant messaging, and audio & video conferencing. Most capabilities provided by mainstream UC providers are table stakes.
Find out how RingCentral is looking at UC from more than just a siloed perspective by going one step further and co-innovating with Service and Technology Providers to become a workflow management platform.
What happened since we last met TADSummit 2022, Alan QuayleAlan Quayle
TADSummit 2022, 8/9 Nov Aveiro Portugal
What happened since we last met? Where is the Programmable Comms market going?
Alan Quayle, independent
3 years in Programmable Communications: 2020, 2021, and 2022 all done in 16 slides
Pandemic Consolidation
Post-pandemic Reckoning – I did predict what we’re seeing with Avaya
The Coming of Cost Competition
Messaging, will A2P SMS growth ever stop?
What’s the recession going to do to us?
The Voice AI Reckoning
After all the consolidation, where next? Twilio’s heading there – it’s about the data
And a few more predictions that are usually too optimistic
Stacuity - TAD Summit 2022 - Time to ditch the dumb-pipe, Mike BromwichAlan Quayle
TADSummit 2022, 8/9 Nov Aveiro Portugal
Time to ditch the ‘dumb-pipe’ – reinventing the core mobile network, to put developers first.
Mike Bromwich, CEO / Co-Founder Stacuity & Tim Dowling, Co-Founder Stacuity
The emergence of public cloud has revolutionized the way developers can muster and deploy virtual infrastructures, as and when required.
In contrast, mobile networks are still rigidly defined and protected by operators, who are unable or unwilling to offer such control and flexibility.
As a result, the mobile network operates as little more than a dumb-pipe (unless you have lots of patience and deep pockets).
Addressing this problem requires a different approach, not just the creation of a thin façade over legacy network elements.
How Stacuity is reinventing the core mobile network, to put developers first.
AWA – a Telco bootstrapping product development: Challenges with dynamic mark...Alan Quayle
TADSummit 2022 8/9 Nov Aveiro Portugal
AWA – a Telco bootstrapping product development: Challenges with dynamic market consolidation – an 18 month road trip.
Marten Schoenherr, CEO Automat Berlin/AWA Network/Founding Partner at TheWorkinGroup.
Product roadmap vs. copy with pride
Independent stack vs. unique feature
Meta platform vs. black-box vendor
Founding a Startup in Telecoms. The good, the bad and the ugly. João CamarateAlan Quayle
TADSummit 2022 8/9 Nov Aveiro Portugal
Founding a Startup in Telecoms. The good, the bad and the ugly.
João Camarate, CTO at Broadvoice & GoContact.
A deep dive into the challenges and opportunities of starting a new venture in the telecom space while leveraging open-source
How to bring down your own RTC platform. Sandro GauciAlan Quayle
TADSummit 2022 8/9 Nov Aveiro Portugal
How to bring down your own RTC platform. Running DDoS simulations on your own.
Sandro Gauci, CEO / Senior Penetration Tester / Chief mischief officer at Enable Security
Why would you want to do such a thing?
Preparing for destruction
Running the tests – best practices
What happens after the fact
Moving forward towards more robust RTC
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Security and Real-time Communications – a maze of twisty little passages, that all look alike. Olle E. Johansson
REALTIME SECURITY
SIP, WEBRTC AND STUFF
oej@edvina.net | @oej November 2020
“you are in a maze of twisty little passages, all alike”
the adventure game.
Ⓒ Edvina AB, Sollentuna Sweden. All rights reserved.
“OH NO, NOT AGAIN”
MARWIN, the paranoid android
YES, ONE MORE TIME!
Olle - the stubborn evangelist.
OLLE E. JOHANSSON
• History: Asterisk developer
• Contributor to Kamailio, Janus, Baresip and other projects
• Consultant, trainer, amateur gardener, dog owner, storyteller
• SIP, WebRTC, XMPP, MQTT, IP (4&6), PKI, TLS…
AGENDA
• Introduction - problem overview
• SIP & TLS
• WebRTC
• Summary
WARNING
Massive slide re-use. Some of these are between 5-10 years old but still valid. Change does not happen overnight, folks. If you are concerned about security: DON’T GIVE UP!
WHAT IS REALTIME COMMUNICATION SECURITY?
According to @oej
From this... …to this
Talk
Video
Chat
Application sharing
3D holographic 7.1 conferences
CONVERSATIONS BETWEEN TWO OR MORE PEOPLE
OUT OF SCOPE TODAY.
Tommy the system intruder
Christina the network sniffer
Adrian the BOT network manager
Marwin the fraudster
IN SCOPE
You <-> Me
WHAT IS THE PROBLEM?
The usual security issues...
WHO’S TALKING?
You <-> Me
Identity
WHO IS LISTENING?
You <-> Me, with a 3rd party listening
Confidentiality
DID YOU REALLY WRITE THAT?
You <-> Me
Integrity
YOU CAN’T DO THAT.
You <-> Me
Authorization
WHO AM I?
Me: IP Phone, Softphone, Chat client, Car, Pad, Set-top-box, Laptop, Cell phone
YOU AND YOUR DEVICES
THE IP REALTIME WORLD
DATACOM <-> TELECOM
NETWORK SECURITY
You <-> Me: our problem
TELECOM SECURITY MODEL
You <-> Me: in the telco we trust.
END2END OR THROUGH PROXY SERVER?
Do you want someone else to handle your keys?
Do you want to set up a secure session between you and me? If so, how?
You <-> Me
THIS APPLIES TO MANY PROTOCOLS
SIP
XMPP
WEBRTC
?
THE TOOLBOX
TLS: signalling
DTLS/SRTP: media
SIP Identity, S/MIME: integrity
HTTP Digest: auth
MSRP/TLS: chat
OAuth2, GNAP: identity
MLS: (coming)
WHAT’S THE ISSUE WITH REALTIME SECURITY?
Almost no one asks for it. Therefore no one implements it. Which means lack of experience.
WHAT I FAIL TO UNDERSTAND.
Why does nobody care, really?
FINAL QUESTION:
What’s a secure session for you?
THE IDENTITY - WHO ARE YOU?
And can you prove that claim?
SIP AUTHENTICATION
• History: HTTP Digest MD5 auth or TLS client certs
• Improvement: SHA256 and SHA512
• Next step: OAuth2/OpenID Connect authentication using JWT tokens
How do you migrate to stronger auth?
How do we separate device and person?
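As an added example (not from the slides, and not code from Asterisk, Kamailio or any other project named here), this Python model shows the Digest exchange with the legacy MD5 and the RFC 8760 SHA-256 algorithms side by side, which is the migration mechanism the slide asks about: the registrar offers one challenge per algorithm, strongest first, and each phone answers the first one it supports. The `Registrar` and `ua_respond` names, the realm `example.com` and the user `alice` are constructed for the example.

```python
import hashlib
import secrets

# Hash functions a SIP server may name in the Digest "algorithm" parameter.
# MD5 is the RFC 3261 legacy; SHA-256 comes from RFC 8760 (which also adds
# SHA-512/256, omitted here to stay within hashlib's guaranteed algorithms).
ALGORITHMS = {
    "MD5": hashlib.md5,
    "SHA-256": hashlib.sha256,
}


def _h(algorithm: str, data: str) -> str:
    """Hex digest of `data` under the named Digest algorithm."""
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()


def ha1(algorithm: str, username: str, realm: str, password: str) -> str:
    """H(username:realm:password). A registrar stores this per algorithm
    instead of the cleartext password, which is why adding SHA-256 needs the
    password once more: an MD5 HA1 cannot be converted into a SHA-256 one."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def digest_response(algorithm, h1, method, uri, nonce, cnonce, nc, qop="auth"):
    """The 'response' value a UA puts in its Authorization header (qop=auth form)."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Registrar:
    """Server side: issues challenges (strongest algorithm first) and verifies
    responses against stored HA1 values. Constructed for this example."""

    def __init__(self, realm, users, algorithms=("SHA-256", "MD5")):
        self.realm = realm
        self.algorithms = algorithms
        # users: {username: password}; only the HA1 per algorithm is kept.
        self.ha1 = {u: {a: ha1(a, u, realm, p) for a in algorithms} for u, p in users.items()}
        self.nonces = set()

    def challenge(self):
        """One WWW-Authenticate challenge per algorithm, in preference order,
        as RFC 8760 describes; a client takes the first one it supports."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return [{"realm": self.realm, "nonce": nonce, "algorithm": a, "qop": "auth"}
                for a in self.algorithms]

    def verify(self, auth, method):
        """Recompute the response from the stored HA1 and compare in constant time."""
        if auth.get("nonce") not in self.nonces:
            return False  # a nonce we never issued: replay or forgery
        stored = self.ha1.get(auth.get("username"), {}).get(auth.get("algorithm"))
        if stored is None:
            return False  # unknown user, or no HA1 provisioned for this algorithm yet
        expected = digest_response(auth["algorithm"], stored, method, auth["uri"],
                                   auth["nonce"], auth["cnonce"], auth["nc"], auth["qop"])
        return secrets.compare_digest(expected, auth["response"])


def ua_respond(challenges, username, password, method, uri, supported):
    """Client side: pick the first offered algorithm it supports and answer it."""
    for ch in challenges:
        if ch["algorithm"] in supported:
            cnonce, nc = secrets.token_hex(8), "00000001"
            h1 = ha1(ch["algorithm"], username, ch["realm"], password)
            return {
                "username": username, "realm": ch["realm"], "nonce": ch["nonce"],
                "uri": uri, "algorithm": ch["algorithm"], "qop": ch["qop"],
                "cnonce": cnonce, "nc": nc,
                "response": digest_response(ch["algorithm"], h1, method, uri,
                                            ch["nonce"], cnonce, nc),
            }
    return None  # no algorithm in common: the UA cannot authenticate
```

The migration point sits in `Registrar.__init__`: there is one HA1 per algorithm, so a user has to be re-provisioned (or type the password again) before a SHA-256 challenge can be answered, and the MD5 challenge can only be dropped from `algorithms` once the last phone that understands nothing else is gone.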
FIKA BREAK
This is a good moment to take a break, refill your tea cup and stand up.
TLS - TRANSPORT LAYER SECURITY.
TLS IN ONE PICTURE
Client <-> Server, across the Link, Network and Application layers:
• Identity check - certificate validation
• Algorithm agreement
• Key set up
• Encryption of data
Without prior agreement
TLS & S/MIME USAGE IN SIP
• TLS is used in SIP for
  • authentication of servers and clients
  • initiating encryption of a session
  • digital signatures on SIP messages to ensure integrity and provide authentication
• S/MIME is used for message integrity and authentication
Authentication: Who are you? Prove it!
Encryption: Providing confidentiality
Integrity: Making sure that the receiver gets what the sender sent
TLS & S/MIME USAGE IN WEBRTC
• TLS is mandatory in WebRTC for
  • authentication of web servers
  • encryption of the HTTP session
• DTLS is used for
  • initiating encryption of a session - but not for encrypting the session
  • but the DTLS certificates are not validated by default!
SIP TLS CONNECTIONS
• The SIP UA client sets up a connection to the server (proxy or UAS) on the TLS port
• TLS negotiation happens before SIP starts
• The server always provides a certificate
• The client challenges the certificate to make sure that the server has the private key for the certificate’s public key
• The client may check the validity of the server cert before accepting the connection to proceed
• What trust store does the client (phone) use?
TLS CLIENT AUTHENTICATION
• The server may request a client certificate and challenge that certificate
• This may replace WWW digest auth and provide an accepted identity of the SIP user
• Problematic if there’s an untrusted SIP proxy in the path
TLS TRUST
• If you only need a basic encrypted session, i.e. some confidentiality, there’s no need to check the certificates - but you can’t really trust that the session is confidential
• If you want more than simple confidentiality, you need to make sure the software on both sides handles verification of the certificates:
  • Are they signed by a trusted third party?
  • Is the subject of the certificate authorized to use your system?
  • Does the certificate allow usage for SIP session setups?
  • Are they still valid?
SIPS: - WAS A BAD IDEA.
Just forget it. SIP doesn’t work like the web.
A SIP REGISTRATION AND CALL
SIP client/server (phone) -> SIP server: “Hello, here’s my current location”, the SIP Contact URI (IPv6 or IPv4 address + port)
SIP server -> phone: incoming call, sent to the Contact URI
Two separate connections/flows.
…WITH TLS
SIP client/server (phone) -> SIP server, over TLS: “Hello, here’s my current location”, the SIP Contact URI (IPv6 or IPv4 address + port)
SIP server -> phone, over TLS: incoming call
The phone needs to be a TLS server with a certificate.
The cert needs to match the Contact URI, which is changing unless you use GRUU.
SIP MATCHING SERVER CERTIFICATE
Calling sip:alice@example.com:
• SIP server, cn: example.com, san: www.example.com - FAIL
• SIP server, cn: namn.se, san: example.com - OK!
• SIP server, cn: example.com, no SAN; DNS SRV for example.com points to sip01.siphosting.com - OK!
• SIP server, cn: *.example.com - Fail. Wildcards are not allowed.
With no SAN, CN is used. But only with no SAN.
RFC 5922 - SIP domain certificates
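Added example, not part of the slides: the RFC 5922 identity matching rules from this slide, together with the four questions from the TLS TRUST slide, as Python checks over a constructed certificate model. `ServerCert`, `utc`, `sip_identities`, `matches_sip_domain` and `check_server_cert` are names chosen here; a real client would fill the fields from the TLS peer certificate after path validation against its trust store. The four servers on the slide are the sample cases, and the EKU test follows RFC 5924 (id-kp-sipDomain) as this example understands it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp, used for validity periods below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class ServerCert:
    """The certificate fields these checks look at. A constructed model, not a
    parsed X.509 object; a real implementation reads them from the peer cert."""
    cn: str
    san_dns: list = field(default_factory=list)   # subjectAltName dNSName entries
    san_uri: list = field(default_factory=list)   # subjectAltName URI entries, e.g. "sip:example.com"
    eku: list = field(default_factory=list)       # extended key usage names; empty = extension absent
    not_before: datetime = utc(2020, 1, 1)
    not_after: datetime = utc(2030, 1, 1)
    chain_trusted: bool = True                    # outcome of path validation against the trust store


def sip_identities(cert: ServerCert) -> list:
    """RFC 5922 section 7.1: SIP domain identities come from subjectAltName
    (sip: URIs and dNSNames). The CN is consulted only when the certificate
    carries no subjectAltName at all."""
    ids = [u[4:] for u in cert.san_uri if u.lower().startswith("sip:")]
    ids += list(cert.san_dns)
    if not cert.san_dns and not cert.san_uri:
        ids = [cert.cn]
    return [i.lower().rstrip(".") for i in ids]


def matches_sip_domain(cert: ServerCert, domain: str) -> bool:
    """RFC 5922 section 7.2: exact, case-insensitive match against the SIP
    domain the UA set out to reach (the domain of the AoR / Request-URI), never
    against the host name DNS SRV resolved to. A wildcard identity never matches."""
    wanted = domain.lower().rstrip(".")
    return any("*" not in ident and ident == wanted for ident in sip_identities(cert))


def check_server_cert(cert: ServerCert, sip_domain: str, now: datetime,
                      allowed_domains=None) -> list:
    """The four questions from the TLS TRUST slide as a list of findings;
    an empty list means the certificate passed every check."""
    findings = []
    if not cert.chain_trusted:
        findings.append("not signed by a trusted third party")
    if not matches_sip_domain(cert, sip_domain):
        findings.append(f"no identity matches SIP domain {sip_domain}")
    # Local policy: is this domain one this system is willing to talk to at all?
    if allowed_domains is not None and sip_domain.lower() not in allowed_domains:
        findings.append(f"{sip_domain} is not authorized on this system")
    # RFC 5924: when an EKU extension is present it has to permit SIP domain
    # use (id-kp-sipDomain) or be unrestricted (anyExtendedKeyUsage).
    if cert.eku and not ({"sipDomain", "anyExtendedKeyUsage"} & set(cert.eku)):
        findings.append("extended key usage does not allow SIP domain authentication")
    if not (cert.not_before <= now <= cert.not_after):
        findings.append("outside validity period")
    return findings


# The four servers from the slide, all reached for sip:alice@example.com.
SLIDE_CASES = {
    "san www only": ServerCert(cn="example.com", san_dns=["www.example.com"]),
    "san has domain": ServerCert(cn="namn.se", san_dns=["example.com"]),
    "cn only, via srv": ServerCert(cn="example.com"),
    "wildcard": ServerCert(cn="*.example.com"),
}
```

The third case is the one implementations get wrong most often: the SRV lookup for example.com returns sip01.siphosting.com, but the certificate is still matched against example.com, the domain the user dialled, so a hosting provider's certificate for its own host name does not pass.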
IN XMPP AN OPEN CONNECTION = “AVAILABLE”
XMPP client <-> XMPP server: one TCP/TLS connection, and incoming messages arrive over it.
A client without a connection is offline.
SIP XMPP STYLE = SIP OUTBOUND
SIP client/server (phone) -> SIP server: REGISTER and INVITE go out over one TLS connection, and incoming calls arrive over the same connection.
Reuse the same connection, managed by the client!
As long as we have at least one connection, the UA is ”online” and available.
RFC 5626
SIP OUTBOUND AND IP FLOWS
UA -> SIP edge proxies -> SIP location server, with one SIP flow per connection.
”it’s really hard to notice that a TCP connection is dead”
Panagiotis Stathopoulos at #Fosdem 2016
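Added example (not from the slides, and not code from Kamailio, OpenSIPS or any other project named here): a registrar-side model of RFC 5626 in Python. `parse_contact` reads the +sip.instance and reg-id Contact parameters, and `OutboundRegistrar` keys bindings on them so that a phone that reconnects with the same reg-id replaces its stale flow instead of adding to it, and the user stays reachable while at least one flow is alive. The class and function names, the flow identifiers and the instance URN in the usage are constructed for this example.

```python
import re

_CONTACT = re.compile(r"\s*<(?P<uri>[^>]+)>(?P<params>.*)$")


def parse_contact(header: str):
    """Split a Contact header value into its URI and header parameters.
    The URI's own parameters stay inside the angle brackets, so only the text
    after '>' is split on ';'. Quoted values such as +sip.instance are unquoted."""
    m = _CONTACT.match(header)
    if not m:
        raise ValueError(f"unsupported Contact syntax: {header!r}")
    params = {}
    for part in m.group("params").split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        params[name.strip().lower()] = value.strip().strip('"')
    return m.group("uri"), params


class OutboundRegistrar:
    """Registrar-side view of RFC 5626: bindings are keyed by the UA's
    instance-id and reg-id, each remembering the flow its REGISTER arrived on."""

    def __init__(self):
        self.bindings = {}  # aor -> {key: flow_id}

    def register(self, aor: str, contact: str, flow_id: str):
        uri, params = parse_contact(contact)
        instance, reg_id = params.get("+sip.instance"), params.get("reg-id")
        if instance and reg_id:
            key = (instance, int(reg_id))   # outbound-capable phone
        else:
            key = ("uri", uri)              # legacy phone: the Contact URI is the key
        aor_bindings = self.bindings.setdefault(aor, {})
        if params.get("expires") == "0":
            aor_bindings.pop(key, None)     # explicit de-registration
            return key
        # Same instance-id and reg-id: the phone re-registered after losing its
        # connection, so the new flow replaces the stale one instead of piling up.
        aor_bindings[key] = flow_id
        return key

    def flow_closed(self, flow_id: str):
        """The transport noticed a connection die: drop every binding that used it."""
        for aor_bindings in self.bindings.values():
            for key in [k for k, f in aor_bindings.items() if f == flow_id]:
                del aor_bindings[key]

    def flows(self, aor: str) -> list:
        """Flows an incoming INVITE can be sent down (the proxy tries them in turn)."""
        return sorted(set(self.bindings.get(aor, {}).values()))

    def is_online(self, aor: str) -> bool:
        """The UA is reachable while at least one flow is up."""
        return bool(self.flows(aor))
```

The quote on the slide is why `flow_closed` matters: a registrar only learns that a flow is dead when the transport layer tells it (keep-alives, or a failed send), and until then it will keep forking calls down a connection that nobody is listening on.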
SECURITY? NO GUARANTEES, EVER
UA -> SIP -> SIP -> UA
The user can only control and verify the first hop.
CLIENT CERTIFICATES CAN BE TRICKY
UA -(TLS hop)-> SIP proxy -> SIP registrar
THIS SERVER (THE REGISTRAR) CAN’T VERIFY THE CLIENT CERTIFICATE.
IN SHORT FOR SIP: WITHOUT OUTBOUND, YOU’RE A NO GO
Managing client certs is a pain and a high cost.
Keep your connections happy and users secure!
WORK TO DO
• Kill SIPS: Finally. Get rid of it. Clarify SIP/TLS usage. Mandate outbound for phones.
• Standardize SIP client certificates.
• Standardise DANE usage in SIP.
• Work on peer-to-peer security for all protocols.
SUMMARY
“you are in a maze of twisty little passages, all alike”
the adventure game.
WHAT CAN YOU DO NOW?
FIRST STEPS
• Use TLS as first hop protection - just do it. Always.
• Add SIP client certs to provisioning if you can
• Demand proper TLS implementation from phone vendors
• Require DTLS key exchange and SRTP (like in WebRTC)
• Require vendors to leave the MD5 auth and SDES key exchange behind and move to stronger solutions
FOR WEBRTC PLATFORMS
• Depends on your usage and users
• If you want improved security:
  • Normal web security advice applies for the web and app part
  • Tie the DTLS cert to a real identity (IDP)
  • Always validate certs
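Added example (not from the slides): the two fingerprint checks in Python that the WebRTC advice above and the earlier "DTLS certificates are not validated by default" slide turn on. `dtls_peer_matches_sdp` is the check every WebRTC stack already performs (the certificate presented in the DTLS handshake against the a=fingerprint attribute of RFC 8122), and `sdp_matches_identity` is the extra step that "tie the DTLS cert to a real identity" calls for, comparing the signalled fingerprint with one an identity provider has vouched for. The shape of `asserted` and the function names are assumptions made for this example, and the certificate bytes in the test are a constructed placeholder, not a real DER certificate.

```python
import hashlib
import re

# a=fingerprint (RFC 8122): hash name, then colon-separated uppercase hex of the
# hash computed over the DER-encoded certificate.
_FINGERPRINT = re.compile(r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$")
HASHES = {"sha-256": hashlib.sha256, "sha-1": hashlib.sha1}


def fingerprint(der_cert: bytes, hash_name: str = "sha-256") -> str:
    """Fingerprint of a DER certificate in the a=fingerprint text form."""
    hexdigest = HASHES[hash_name](der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sdp_fingerprints(sdp: str) -> dict:
    """Collect every a=fingerprint attribute (session or media level) as {hash: value}."""
    found = {}
    for line in sdp.splitlines():
        m = _FINGERPRINT.match(line.strip())
        if m:
            found[m.group(1).lower()] = m.group(2).upper()
    return found


def dtls_peer_matches_sdp(der_cert_from_handshake: bytes, sdp: str) -> bool:
    """What every WebRTC stack does: the certificate the peer presents in the DTLS
    handshake must hash to the fingerprint it signalled in SDP. This binds media
    to signalling, but not to any real-world identity."""
    signalled = sdp_fingerprints(sdp)
    return any(fingerprint(der_cert_from_handshake, h) == v
               for h, v in signalled.items() if h in HASHES)


def sdp_matches_identity(sdp: str, asserted: dict) -> bool:
    """The extra step the slide asks for: the signalled fingerprint has to be the
    one the identity provider vouched for. `asserted` is the already-verified
    content of an IdP assertion, modelled here as
    {"identity": ..., "fingerprint": {hash: value}}."""
    signalled = sdp_fingerprints(sdp)
    vouched = asserted.get("fingerprint", {})
    return bool(vouched) and all(signalled.get(h) == v.upper() for h, v in vouched.items())


def accept_peer(der_cert: bytes, sdp: str, asserted: dict) -> bool:
    """Both bindings must hold before media is trusted as coming from asserted['identity']."""
    return dtls_peer_matches_sdp(der_cert, sdp) and sdp_matches_identity(sdp, asserted)
```

Without the second check a platform only knows that the media comes from whoever sent the SDP, which is exactly as strong as the signalling channel; the identity assertion is what lets the far end say who that is.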
IN SHORT: CLEARTEXT IS A BAD IDEA
- Classic SIP: No confidentiality, bad auth
+ SIP + TLS opportunistic crypto: Basic confidentiality for signalling
+ SIP + TLS opportunistic crypto + SRTP: Basic confidentiality for calls
+ SIP + Mutual TLS + SRTP: Secure conversations
WHATEVER YOU DO:
• Listen to Sandro: Always test your security!
STAY UP TO DATE.
Security is never done.
BUILD WITH SECURITY. DON’T WAIT TO ADD IT AFTERWARDS.
DON’T EVER STOP. IT SECURITY IS A PROCESS.
MONEY TALKS. PUT PRESSURE ON YOUR VENDORS.
IF NEEDED, GET HELP. IT SECURITY NEEDS AN EXTRA PAIR OF EYES.
STAY CURIOUS.