29 Jul
2004
29 Jul
'04
4:22 a.m.
Thomas Shaddack wrote:
Sounds like an anonymous Diffie-Hellman session key, wrapped in marketing bullshit. Usable, but susceptible to MITM. Unless I am reading this wrong, it is much, much worse than that - it seems to say that, unless you are running your own server (which requires a DNS entry and server rights, etc), the session key is being generated at the central server and *issued* to the two parties - with all the third party compromise, LEAK order problems and sheer poor design issues that implies. SIP *has* a crypto negotiation field in the protocol - why aren't they using that, instead of "rolling their own"?