[guardian-dev] Evaluation of ZRTP clients

Dominik Schuermann dominik at dominikschuermann.de
Wed Mar 15 16:37:23 EDT 2017


Hi Nathan,

On 03/15/2017 08:36 PM, Nathan of Guardian wrote:
> 
> May I ask why you did not test Linphone on iOS?

Good question, and I don't have a good answer; it somehow escaped our
attention. We should have included it as an individual app. Because it
is also based on the bzrtp library and has a UI that is nearly identical
to the Android implementation, the evaluation would probably be very
similar to Linphone on Android; in particular, the issues we have with
the security indicators are true for both implementations.

> I have been nervous about the state of SIP/ZRTP clients, making me also
> concerned about continuing to promote SIP-based communications at all. I
> suppose we will follow the reaction to your study, to see how the app
> vendors like Linphone and Jitsi respond moving forward.

Yup, one reason we did this study was that the ZRTP clients did not
receive enough attention from the research community. As I also just
wrote on the messaging mailing list, I am particularly interested in how
to solve the following issues discussed in the paper:

* "shared" MitM attack, against which only Signal and Acrobits Softphone
are protected
* discussion about better security indicators
* besides Signal, no app terminates the connection on security failures;
the others instead fall back to insecure connections


Cheers
Dominik
