[HacktionLab] Open Source / federated VOIP? (johnc)

johnc johnc at aktivix.org
Sat Jan 3 18:04:50 UTC 2015

Hash: SHA1

Tim's suggestion will definitely work for a situation where you trust
the PBX, don't require federation and have techies on hand to help out
with quite a complex set-up. I'd personally use freeswitch though with
SRTP/TLS for encryption rather than having to deal with the added
complexity of a VPN.

>  Seems a bit of a 'holy grail' this fully encrypted, federated,
> open-source VoIP, as in my experience (medium+ level techie) ...

As regards the above comment there are commercially available encrypted
telephone products in the UK that already work :-)

The blackphone was launched at the IP expo in November last year.


It uses ZRTP (designed by Zimmerman of PGP fame) and TLS so it works in
a similar way to the ostel project.

I was also at the IP expo plugging the encrypted VOIP solution that the
company I work for provides. It is a trusted man in the middle system
using SRTP/TLS

As regards Kim's announcement, I'm a little sceptical
> https://twitter.com/KimDotcom/status/549429689198968832

The browser Webrtc standard currently says that you only have to
implement DTLS-SRTP. There is however a draft proposal for ZRTP:


If you use SRTP you end up doing the key exchange in the TLS protected
SIP channel. That means you have to trust commercial TLS certificates or
work out a way of exchanging certs without a man in the middle attack

On 01/01/15 12:17, Acesabe wrote:
>     Message: 1
>     Date: Wed, 31 Dec 2014 16:24:33 +0000
>     From: johnc <johnc at aktivix.org <mailto:johnc at aktivix.org>>
>     To: hacktionlab at lists.aktivix.org <mailto:hacktionlab at lists.aktivix.org>
>     Subject: Re: [HacktionLab] Open Source / federated VOIP?
>     Message-ID: <54A42341.3020606 at aktivix.org
>     <mailto:54A42341.3020606 at aktivix.org>>
>     Content-Type: text/plain; charset=ISO-8859-1
>     Hash: SHA1
>     Hi,
>     The Ostel project is probably the best attempt at doing this so far.
>     https://ostel.co/
>     I demoed a very similar system a couple of years ago at barn camp:
>     https://www.johncahill.net/__wiki/index.php/Skype_like___conferencing_System
>     <https://www.johncahill.net/wiki/index.php/Skype_like_conferencing_System>
>     both borrow heavily from:
>     http://kb.asipto.com/kamailio:__skype-like-service-in-less-__than-one-hour
>     <http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour>
>     Some of the nice things about this approach:
>     - - Easy federation, i.e. alice at domain1.com
>     <mailto:alice at domain1.com> can call bob at domain2.com
>     <mailto:bob at domain2.com> with
>     no additional configuration required.
>     - - You can do ZRTP end to end encryption so you don't have to trust the
>     server or the people running it.
>     - - Easy configuration, ostel have managed to get their config included
>     with the csipsimple SIP app which may be downloaded from the play store
>     etc. You just enter someuser at ostel.co <mailto:someuser at ostel.co> and
>     your password and you are
>     basically done.
>     - -Far end NAT traversal solution. Kamailio fixes up the SIP signalling
>     (rewrites IP's and ports for contact headers etc) and RTPproxy takes
>     care of media so that each sip end-point talks to public IP addresses of
>     the media/signalling proxy rather than NATed clients speaking directly
>     to each other, (which is a nightmare for various reasons).
>     Some Problems:
>     - -Mobile phone specific:
>     - -- mobile phones vary greatly in their ability to run sip clients
>     using
>     crypto. I've seen sip clients use 100%CPU with awful audio quality on a
>     few phones including high end samsung models.
>     - -- The latency on 3G is typically around 1 second. Expect horrible lag
>     etc. Using WiFi is the only way to go unless you are lucky enough to be
>     on 4G.
>     Non mobile phone specific:
>     - - ostel's only server is in the US, latency is about 120ms. Not so
>     good
>     if you are in Europe. We could build our own :-).
>     - - If you are going to build an ostel system I suggest you include the
>     topology hiding setup from my wiki or elsewhere in your Kamailio config.
>     SIP leaks IP/location information unless you make an effort to obfuscate
>     it.
>     - - The above solutions don't have a media mixer + we're using end
>     to end
>     encryption so things get a bit complicated if you want to have more than
>     two people in a conference. I can think of two solutions:
>     1) Use a SIP client with mixing capabilities (e.g. jitsi ) to initiate
>     conversations with each of the people you want to conference in. I tried
>     this a couple of years ago it was buggy, CPU hogging and the quality was
>     a bit hit and miss for more than 4 users in a conference. Also, because
>     of the topology a lot of bandwidth is used on the mixing leg. You can't
>     get around the last issue but they may have fixed some of the other
>     ones:
>     https://jitsi.org/GSOC2011/__ConfCallChatting
>     <https://jitsi.org/GSOC2011/ConfCallChatting>
>     2) Use a Freeswitch server hosted at a data centre to do the mixing:
>     This solution should work OK but adds a fair bit of complexity. The
>     advantage of hosting at at a DC is that no single user has to
>     send/receive a large number of unmixed audio/video streams. N.B.
>     Freeswitch acts as trusted man in the middle. If the freeswitch server
>     is not physically secure then it can be used to tap calls :-(
>     Hope some of this is useful.
>     Cheers,
>     John
>  Seems a bit of a 'holy grail' this fully encrypted, federated,
> open-source VoIP, as in my experience (medium+ level techie), at best
> you may get reasonable/good call quality using standard apps and
> protocols, but that tends not to be easy to get working in the first
> place and mileage varies wildly with different software/hardware
> clients. Basically, unless you really know what you are doing, there is
> no 'off the shelf' solution that is readily accessible to all who wish
> to use it. But maybe that is about to change! The infamous Kim Dotcom of
> Mega* fame has in recent times been making a big noise about all this
> data encryption, and freedom to keep you online data secure, he has now
> just announced that Mega will soon release a:
>  "fully encrypted and browser based video call & chat service" 
> to rival Skype:
> https://twitter.com/KimDotcom/status/549429689198968832
> There seems on the surface to be pretty compelling reasons to 'trust'
> him (his NZ mansion home spectacularly raided, fortune frozen by the US
> government/Hollywood corp and servers seized etc.), apart from the
> obvious fact that *he is a businessman* so looking for a return. So I
> wonder what people here think about this? I mean, if it works well out
> the box (that I'd like to see!) and is end to end encrypted, it's gotta
> be better than using Skype for the masses who have no hope of setting up
> their own secure VoIP solution right? 
> A
> _______________________________________________
> HacktionLab mailing list
> HacktionLab at lists.aktivix.org
> https://lists.aktivix.org/mailman/listinfo/hacktionlab

Version: GnuPG v1


More information about the HacktionLab mailing list