e2e all the way (Re: Another entry in the internet security hall of shame....)
Dave Howe
DaveHowe at gmx.co.uk
Sat Aug 27 13:26:13 EDT 2005
Ian G wrote:
> Steven M. Bellovin wrote:
>> Really? You know that the public key you're talking to corresponds to
>> a private key held by the person to whom you're talking? Or is there
>> a MITM at Skype which uses a per-user key of its own?
> yes, this is the optimisation that makes Skype work,
> it is (probably) vulnerable to an MITM at the center.
Almost certainly though, the authorities of whatever government holds a VoIP hub
are going to start insisting that traffic is interceptable at that hub. of
course with SIP, unless you are proxying both ends, you are doing direct
client-to-client links anyhow (so any crypto must be e2e, by definition); again
however, unless there is some sort of PK retention in place, mitm attacks and
attacks on the initial key negotiation are possible.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list