[guardian-dev] Evaluation of ZRTP clients

Nathan of Guardian nathan at guardianproject.info
Wed Mar 15 15:36:48 EDT 2017



On Tue, Mar 14, 2017, at 08:28 PM, Dominik Schuermann wrote:
> this should be of interest to Guardianproject's Ostel project:
> https://www.sufficientlysecure.org/2017/03/15/zrtp.html

Always happy to see this kind of in-depth research.

> We evaluated the ZRTP clients  Acrobits Softphone, CSipSimple, Jitsi,
> Linphone, and Signal in regards to their protocol compliance, error
> handling, and user interfaces. Our extensive analysis uncovered a
> critical vulnerability that allows wiretapping even though Short
> Authentication Strings are compared correctly. We discuss shortcomings
> in the clients’ error handling and design of security indicators
> potentially leading to insecure connections.

Thank you as well for working with Linphone to ensure the
vulnerabilities were addressed. It is still to go to recommendation we
provide for users interested in Ostel.

May I ask why you did not test Linphone on iOS?
 
> I also want to praise the effort put into your Open Secure Telephony
> Network (OSTN), which we used as our test network.

Glad it was useful. Honestly, most credit should go to Lee A. for
continuing to maintain and support Ostel, as part of our larger
community. 

I have been nervous about the state of SIP/ZRTP clients, making me also
concerned about continuing to promote SIP-based communications at all. I
suppose we will follow the reaction to your study, to see how the app
vendors like Linphone and Jitsi respond moving forward.

Best,
  Nathan




More information about the guardian-dev mailing list