[VoiceOps] Phone auth for incoming calls?
Paul Timmins
paul at timmins.net
Thu Aug 9 22:32:45 EDT 2018
> On Aug 9, 2018, at 9:47 PM, Brandon Martin <lists.voiceops at monmotha.net> wrote:
>
> On 08/09/2018 04:46 AM, Alex Balashov wrote:
>> Yes, but until and unless your upstream supply chain is doing TLS and
>> you can provide end-to-end security, it's a pointless waste of time.
>
> There's also an argument to be made that I haven't seen brought up for protecting SIP registration credentials either by providing transport confidentiality for a conventional password/secret or by using TLS client certificates. If you're at all worried about an adversary observing your actual comms, I'd be doubly worried about somebody stealing registration credentials and abusing them.
TLS was never about end-to-end confidentiality. We have wiretap obligations after all. Until the last copper line is dead and gone there will always be a way for unencrypted calls to occur.

TLS is good when you don't want your local IT staff to know what the CEO is talking about, or to wiretap his coworkers (assuming hosted PBX). The likely attack surface for a customer's confidentiality will be somewhere between that handset and you, and you have a means to protect that.

-Paul