Security and Real-time Communications – a maze of twisty little passages, that all look alike. Olle E. Johansson, Consultant in network security and real-time communication – PKI, WebRTC, SIP, XMPP, Kamailio and Asterisk expert.
This is an excellent story about SIP & Security. Olle takes us on a journey into a cave, through twisty little tunnels, and towards a little more enlightenment on this critically important topic of end to end RTC Security. Change is happening; however, RTC Security is also growing ever more important.
This presentation is complementary to the TADSummit presentation by Sandro Gauci, “Getting offensive: a different approach to RTC security.” Where Sandro’s focus is on bad actors, Olle focuses on conversations between 2 or more people, and ensuring identity, confidentiality, integrity and authentication across the many devices we use for conversations.
Because Olle has worked on this topic for 30+ years, he’s able to present the current situation in an insightful context. SIP brought the telecom and datacom worlds together. Those worlds have very different trust models, which has resulted in the problems we see today.
This is a long presentation (50 mins) but well worth your time, do take advantage of the fika (coffee) breaks Olle includes in the presentation. Even listening at 2X, there’s much covered, so you need to take a break to consolidate all the insights. I learned much, and Olle freely shares his views on the security standards and their strengths and weaknesses.
I now understand why SIPS: is inadequate thanks to Olle, and the lack of a complete alternative, hence all the twisty little passages Olle refers to. His closing advice is excellent, a clear recipe on how to move towards end to end RTC security, including listening to Sandro on offensive security 🙂 Security is a continuous process that must be part of the service’s initial design and continuously improved throughout the service’s lifecycle.
Olle has worked with Internet and TCP/IP networking for almost 30 years and is a developer, project manager, documentation writer, trainer and a secret lover of X.509 and PKI. Olle is active in the IETF and has co-authored an RFC and contributed to many. He has spoken at many conferences and trained many, many Asterisk and Kamailio admins. Olle co-founded Astricon, the Asterisk conference. Outside of work he is an oral storyteller and spends a lot of time in his garden back home in Sweden.
After almost 20 years of working with real-time communication (SIP, XMPP, WebRTC, and other protocols and platforms), I haven’t built a standard-compliant secure platform once with strong encryption and identity handling. I’ve been close, but no cigar.
Looking at the standard documents for SIP, there are a lot of missing pieces and most of the Open Source implementations are missing large amounts of code to implement both existing security specifications as well as the missing pieces. It’s a mess, and that doesn’t help those who are trying to implement secure real-time communications. We can do better and hopefully we will do better.
While WebRTC mandates encrypted communication channels, it doesn’t mean that all platforms are secure. Also, there are as many definitions of “secure platform” as people implementing them.
There are hooks and new solutions to build from, but few implementers get the requirements, time and resources to do this.
Let’s discuss what the issues are, where privacy plays in, the missing support in the standard documents and where to go next.
We will also talk about why we think that the requirements for security are missing in almost every project and how we can change that.
– #MoreCrypto: PKI and TLS
– OAuth2 and OpenID Connect, where do they fit in?
– SIP, The session initiation protocol
– SRTP, Secure RealTime Protocol