[guardian-dev] Evaluation of ZRTP clients

Dominik Schuermann dominik at dominikschuermann.de
Tue Mar 14 20:28:22 EDT 2017


Hey,

this should be of interest to Guardianproject's Ostel project:
https://www.sufficientlysecure.org/2017/03/15/zrtp.html

We evaluated the ZRTP clients Acrobits Softphone, CSipSimple, Jitsi,
Linphone, and Signal in regards to their protocol compliance, error
handling, and user interfaces. Our extensive analysis uncovered a
critical vulnerability that allows wiretapping even though Short
Authentication Strings are compared correctly. We discuss shortcomings
in the clients’ error handling and design of security indicators
potentially leading to insecure connections.

I also want to praise the effort put into your Open Secure Telephony
Network (OSTN), which we used as our test network.

As always, I am open to questions and ideas on how to fix outstanding issues.

Cheers
Dominik

