X-Cypher, SIP VoIP, stupid propriatory crapola

Thomas Shaddack shaddack at ns.arachne.cz
Thu Jul 29 02:33:29 PDT 2004

On Thu, 29 Jul 2004, Dave Howe wrote:

> Thomas Shaddack wrote:
> > Sounds like an anonymous Diffie-Hellman session key, wrapped in marketing
> > bullshit. Usable, but susceptible to MITM.

> Unless I am reading this wrong, it is much, much worse than that - it seems to
> say that, unless you are running your own server (which requires a DNS entry
> and server rights, etc), the session key is being generated at the central
> server and *issued* to the two parties - with all the third party compromise,
> LEAK order problems and sheer poor design issues that implies.

Didn't thought about this. Noticed the "generated by server" thing, but 
thought it'll be a local process collecting entropy from some hardware 
source. Yes, your Honor, I admit I am guilty from assuming lack of 
stupidity on the vendor side. :(

> SIP *has* a crypto negotiation field in the protocol - why aren't they using
> that, instead of "rolling their own"?

Perhaps because they don't want to make a really secure system, aren't 
aware about this possibility, were politely told to not use it by some 
Third Party, don't know how to do it this way...?

Maybe it could be a good idea to ask them.

More information about the cypherpunks-legacy mailing list