[HacktionLab] Open Source / federated VOIP? (johnc)
johnc
johnc at aktivix.org
Sat Jan 3 18:04:50 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tim's suggestion will definitely work for a situation where you trust
the PBX, don't require federation and have techies on hand to help out
with quite a complex set-up. I'd personally use freeswitch though with
SRTP/TLS for encryption rather than having to deal with the added
complexity of a VPN.
> Seems a bit of a 'holy grail' this fully encrypted, federated,
> open-source VoIP, as in my experience (medium+ level techie) ...
As regards the above comment there are commercially available encrypted
telephone products in the UK that already work :-)
The blackphone was launched at the IP expo in November last year.
https://store.blackphone.ch/
It uses ZRTP (designed by Zimmerman of PGP fame) and TLS so it works in
a similar way to the ostel project.
I was also at the IP expo plugging the encrypted VOIP solution that the
company I work for provides. It is a trusted man in the middle system
using SRTP/TLS
As regards Kim's announcement, I'm a little sceptical
> https://twitter.com/KimDotcom/status/549429689198968832
The browser Webrtc standard currently says that you only have to
implement DTLS-SRTP. There is however a draft proposal for ZRTP:
https://tools.ietf.org/html/draft-johnston-rtcweb-zrtp-00
If you use SRTP you end up doing the key exchange in the TLS protected
SIP channel. That means you have to trust commercial TLS certificates or
work out a way of exchanging certs without a man in the middle attack
occurring.
On 01/01/15 12:17, Acesabe wrote:
>
> Message: 1
> Date: Wed, 31 Dec 2014 16:24:33 +0000
> From: johnc <johnc at aktivix.org <mailto:johnc at aktivix.org>>
> To: hacktionlab at lists.aktivix.org <mailto:hacktionlab at lists.aktivix.org>
> Subject: Re: [HacktionLab] Open Source / federated VOIP?
> Message-ID: <54A42341.3020606 at aktivix.org
> <mailto:54A42341.3020606 at aktivix.org>>
> Content-Type: text/plain; charset=ISO-8859-1
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> The Ostel project is probably the best attempt at doing this so far.
>
> https://ostel.co/
>
> I demoed a very similar system a couple of years ago at barn camp:
>
> https://www.johncahill.net/__wiki/index.php/Skype_like___conferencing_System
> <https://www.johncahill.net/wiki/index.php/Skype_like_conferencing_System>
>
> both borrow heavily from:
> http://kb.asipto.com/kamailio:__skype-like-service-in-less-__than-one-hour
> <http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour>
>
> Some of the nice things about this approach:
> - - Easy federation, i.e. alice at domain1.com
> <mailto:alice at domain1.com> can call bob at domain2.com
> <mailto:bob at domain2.com> with
> no additional configuration required.
> - - You can do ZRTP end to end encryption so you don't have to trust the
> server or the people running it.
> - - Easy configuration, ostel have managed to get their config included
> with the csipsimple SIP app which may be downloaded from the play store
> etc. You just enter someuser at ostel.co <mailto:someuser at ostel.co> and
> your password and you are
> basically done.
> - -Far end NAT traversal solution. Kamailio fixes up the SIP signalling
> (rewrites IP's and ports for contact headers etc) and RTPproxy takes
> care of media so that each sip end-point talks to public IP addresses of
> the media/signalling proxy rather than NATed clients speaking directly
> to each other, (which is a nightmare for various reasons).
>
> Some Problems:
> - -Mobile phone specific:
> - -- mobile phones vary greatly in their ability to run sip clients
> using
> crypto. I've seen sip clients use 100%CPU with awful audio quality on a
> few phones including high end samsung models.
> - -- The latency on 3G is typically around 1 second. Expect horrible lag
> etc. Using WiFi is the only way to go unless you are lucky enough to be
> on 4G.
>
> Non mobile phone specific:
> - - ostel's only server is in the US, latency is about 120ms. Not so
> good
> if you are in Europe. We could build our own :-).
> - - If you are going to build an ostel system I suggest you include the
> topology hiding setup from my wiki or elsewhere in your Kamailio config.
> SIP leaks IP/location information unless you make an effort to obfuscate
> it.
>
> - - The above solutions don't have a media mixer + we're using end
> to end
> encryption so things get a bit complicated if you want to have more than
> two people in a conference. I can think of two solutions:
> 1) Use a SIP client with mixing capabilities (e.g. jitsi ) to initiate
> conversations with each of the people you want to conference in. I tried
> this a couple of years ago it was buggy, CPU hogging and the quality was
> a bit hit and miss for more than 4 users in a conference. Also, because
> of the topology a lot of bandwidth is used on the mixing leg. You can't
> get around the last issue but they may have fixed some of the other
> ones:
>
> https://jitsi.org/GSOC2011/__ConfCallChatting
> <https://jitsi.org/GSOC2011/ConfCallChatting>
>
> 2) Use a Freeswitch server hosted at a data centre to do the mixing:
> This solution should work OK but adds a fair bit of complexity. The
> advantage of hosting at at a DC is that no single user has to
> send/receive a large number of unmixed audio/video streams. N.B.
> Freeswitch acts as trusted man in the middle. If the freeswitch server
> is not physically secure then it can be used to tap calls :-(
>
> Hope some of this is useful.
>
> Cheers,
> John
>
>
> Seems a bit of a 'holy grail' this fully encrypted, federated,
> open-source VoIP, as in my experience (medium+ level techie), at best
> you may get reasonable/good call quality using standard apps and
> protocols, but that tends not to be easy to get working in the first
> place and mileage varies wildly with different software/hardware
> clients. Basically, unless you really know what you are doing, there is
> no 'off the shelf' solution that is readily accessible to all who wish
> to use it. But maybe that is about to change! The infamous Kim Dotcom of
> Mega* fame has in recent times been making a big noise about all this
> data encryption, and freedom to keep you online data secure, he has now
> just announced that Mega will soon release a:
> "fully encrypted and browser based video call & chat service"
> to rival Skype:
>
> https://twitter.com/KimDotcom/status/549429689198968832
>
> There seems on the surface to be pretty compelling reasons to 'trust'
> him (his NZ mansion home spectacularly raided, fortune frozen by the US
> government/Hollywood corp and servers seized etc.), apart from the
> obvious fact that *he is a businessman* so looking for a return. So I
> wonder what people here think about this? I mean, if it works well out
> the box (that I'd like to see!) and is end to end encrypted, it's gotta
> be better than using Skype for the masses who have no hope of setting up
> their own secure VoIP solution right?
>
> A
>
>
> _______________________________________________
> HacktionLab mailing list
> HacktionLab at lists.aktivix.org
> https://lists.aktivix.org/mailman/listinfo/hacktionlab
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJUqC88AAoJELy1jPQ1KER7VKwP/jKVTPYuFcc+bGoI5tQ+TtCC
eZzxrUaAlzt98vl3aCBsmOq+ZJz4W6nqYg1PC3VRDw/Q61GHFDjuQlWeM/6itvsw
NxoKzkBHmQw95PwSB4/TJJaatHT40/BVT+TBwi6yzFH/6edm3rQhqUoOXr0C3uAo
nNzmzE0tLDHuHC930BhWDt5YFpW/nQ3sPtBCUgH0DwBGYcv9OkMgYVjjYg34E5+Q
faSMYe8KD01wXmZckUN3EPTSdIgZKVgLrX5tTIjhU6X7qnGgr21hB4yXQAQjW+YE
6ZUpPLz91h50s7LSAxu6ZcWSrDuVDF5Q+M8uYnUVzXkvfv3ol3IN0n8mwfFwaoLj
IZiyOBK8TIzbldqXy0qzPrXfqV+rVfzV+6+LxG6D3ye/6B/bKNQeRVxVVX9xnsy3
QmAEKY7Euh+puNgygU2npthtwK+RSgQktxE1a0brxV9hiqF5dW4M1dot6f/F09vV
bHx0WGEJIGw3oOWctHQZooG4eZagDwlWsi4iz+B7k5ftwduTT14GAFAqo6Lg4c/7
TD4sd+QgZZ0X+x/tb76IFs17qoNarJuYLp7fm2+UmdDeQu00n3E/J2oJixUh9Jmi
CdwZZYCf1j3R/UwQtz+Kg0DKLi8NtfrokZNLITipdy929Gx+twlQDKEU6HCMEPoS
n8FlTe9EUvFblQkh30qb
=VQaY
-----END PGP SIGNATURE-----
More information about the HacktionLab
mailing list