[SR-Users] it's auth module send clear text password?

Giovanni Maruzzelli gmaruzz at gmail.com
Tue Mar 5 14:32:24 CET 2019 

On Tue, Mar 5, 2019 at 1:12 PM PICCORO McKAY Lenz <mckaygerhard at gmail.com>
wrote:

> thanks for aswer Federico, another, if the communication beetween asterisk
> and kamailio are using public ip, that password are easyl hackaeable?
>
>
yes, they are hackable, exactly like HTTP passwords. Easily, that depends
who the hackers are.

Actually, the method used for password exchange is exactly the same as in
http (nonce + md5).

If you use long enough passwords, is probably almost ok, if you can cope
with the breach that can happen (eg: limit the expenses toward your ITSP
gateway, with a cap, or prepaid).

If you are thinking about privacy, then password are completely useless
with "normal" SIP: both signaling (who you call) and media (the sound of
the conversation) are in clear, and can be listened by anyone (no password
needed).

For real security (and privacy, etc) go for TLS and SRTP (ZRTP being the
uber good).

-giovanni



>
> i read rfc2617 but does are not clear respect security and seems SIP is
> not an easy protocol to secure due relationship beetween both are trusted
> or something similar?
>
> El mar., 5 de mar. de 2019 a la(s) 03:08, Federico Cabiddu (
> federico.cabiddu at gmail.com) escribió:
>
>> Hi,
>> auth module implement digest authentication (rfc2617) so passwords are
>> not sent in clear from the client to kamailio.
>>
>> Federico
>>
>> On Tue, Mar 5, 2019 at 7:07 AM PICCORO McKAY Lenz <mckaygerhard at gmail.com>
>> wrote:
>>
>>> if kamailio doe snot use TLS all the mechanish in atuh module are send
>>> the pasword nude to the network?
>>>
>>> Lenz McKAY Gerardo (PICCORO)
>>> http://qgqlochekone.blogspot.com
>>> _______________________________________________
>>> Kamailio (SER) - Users Mailing List
>>> sr-users at lists.kamailio.org
>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>


-- 
Sincerely,

Giovanni Maruzzelli
OpenTelecom.IT
cell: +39 347 266 56 18
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20190305/0a6e1084/attachment.html>

More information about the sr-users mailing list