Re: [Linphone-users] linphone - talk about security
From: Guillaume Beraudo
Subject: Re: [Linphone-users] linphone - talk about security
Date: Tue, 2 Jul 2013 13:06:09 +0200
User-agent: Mutt/1.5.21 (2010-09-15)
Hi nmod,
> is linphone affected by the zrtp security vulnerabilities shown here:
> http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html
The issues are in the library itself, not in Linphone.
As a consequence, if you use it, you should update libzrtpcpp with the fixed
version.
ZRTP is not activated on Android; we will activate it in the next release.
At that time we will update the zrtpcpp submodule.
> are linphone conversations end-to-end encrypted?
There are several choices:
- TLS + srtp: the encryption is done using the certificate on the server;
- ZRTP: the conversations are truly encrypted end-to-end and require
participants to check the SAS.
> does the free sip service provided by linphone.org store conversations,
> encrypted or otherwise? what information is logged about users? it would
> be nice when you make a privacy policy!!
We do not store RTP traffic (the media part).
However, we store the signaling (including message texts).
For the image sending functionality, the image is stored on the server,
and is normally automatically deleted after 1 week.
Note that text messages and pictures are not encrypted, even when using ZRTP.
This might change in the long term by using other chat methods. Patches
welcomed.
As a consequence, even when using ZRTP you should still be using TLS signaling
encryption.
> is there a portable version of linphone that is self contained?
On which platform?
Cheers,
Guillaume Beraudo
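
Why the SAS check mentioned for the ZRTP option above matters, as an added example that is not part of the original message nor code from Linphone or libzrtpcpp. It is a simplified model: a toy Diffie-Hellman group and an HMAC-based SAS stand in for the RFC 6189 key agreement and key derivation, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: toy DH parameters for illustration only; real ZRTP negotiates
# standardized finite-field or elliptic-curve groups.
P = 2**255 - 19
G = 2
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used for 4-char SAS

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(32, "big")

def sas(secret):
    """Simplified SAS: leftmost 20 bits of HMAC(secret, "SAS") as 4 characters."""
    digest = hmac.new(secret, b"SAS", hashlib.sha256).digest()
    bits = int.from_bytes(digest[:4], "big") >> 12
    return "".join(ZB32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))

def call(relay_terminates_media):
    """Return (SAS shown to Alice, SAS shown to Bob) for one call."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if not relay_terminates_media:
        # Keys are exchanged directly: both ends derive the same secret.
        return sas(shared_secret(a_priv, b_pub)), sas(shared_secret(b_priv, a_pub))
    # A relay in the media path runs a separate key agreement on each leg,
    # so each endpoint derives a secret with the relay, not with its peer.
    _, leg_a_pub = keypair()
    _, leg_b_pub = keypair()
    return sas(shared_secret(a_priv, leg_a_pub)), sas(shared_secret(b_priv, leg_b_pub))

if __name__ == "__main__":
    print("direct call :", call(False))  # two identical strings
    print("relayed call:", call(True))   # strings differ: reading them aloud exposes it
```

The two strings only differ on screen; the protection comes from the participants actually comparing them by voice, which is the manual step the message refers to.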