voipy wrote:
MD5 hashes are compromised.
This means our plain text SIP login information can be intercepted
I have been a user of Freephoneline for years
Yet this information seems new to you. You weren't aware that hashing SIP passwords is standard practice. Otherwise you wouldn't have made that statement so glibly. And now you're making no reference to using a randomized nonce. That is, the hash value isn't the same for each session. You can't just capture a session and resend it to log in. The nonce, in this case, is a unique MD5 string used for each registration session and generated from a secret phrase and time stamp. The nonce value has limited longevity and can't be used again. As such, the method of attempting to produce collisions and then authenticate is unlikely to work, and, in turn, you don't appear to understand the content of the links you're posting nor SIP authentication. What other methods could I try? FPL SIP passwords are not real words. Consequently, dictionary attacks are ineffective. Would a brute force attack work? Yes, but it would likely take several months, at best. Actually, I think it would take years due to temporary IP bans. In other words, brute force would be tedious.
so that our accounts couldn't be compromised to make phone calls
being low hanging fruit
Having used this service for more than 10 years while lurking around here and elsewhere -- and now being a volunteer moderator -- I can tell you that the majority of people who have their World Credits drained, which is rare, are port forwarding, using DMZ, otherwise using insecure routers, or having their website portal username and password compromised due to a fault of their own making. In other words, no, the "low hanging fruit" is hardly randomized hashes. And unless I had tons of World Credits (I don't), the payoff would be small. Trying to obtain FPL SIP passwords from MD5 hashes is laughable, unless the sole purpose is to prove it can be done; the cracker would have to be an absolute fool.
Would I like to be able to change my own SIP password without having to submit tickets? Sure.
Am I against FPL offering encryption? No. Why wouldn't I want more features? But it wouldn't be useful for 95% of my calls (I can encrypt my end if I want right now anyway) because the other end would remain unencrypted.
Do I think that will happen? No. FPL is pretty much out of development for features. If anything (I'm doubtful), it might be introduced for Fongo Home Phone or Fongo Mobile users first. There's no profitable incentive, unless they were to charge money to access that feature. They would need a certain number of customers willing to pay for that feature as well before the cost of implementing it breaks even. Adding that feature would need to attract paying customers. Another popular SIP service did introduce encryption not too long ago, and I'm still uninterested in using that service more frequently than I have in the past.
Am I deathly afraid of my SIP Password being hacked? No.
Times change
The context is the media gateway. Nothing you've written changes the fact that conversations are completely unencrypted when they're sent to PSTN. At best, you've introduced a red herring, which you might not have done had you understood the context of what you were responding to.
Returning to your original post. . .
our conversations aren't secure
Your conversations aren't secure no matter what you do once they reach the PSTN. You either have end to end encryption, or you don't. Encrypting one end of the call does not make it secure, but it can provide someone with a false sense of security.
With respect to this forum, and this opinion is my own, I would prefer to see https, at the very least, and am very sympathetic to your criticism. However, I note that didn't deter you from creating an account and posting here, which begs the question why (unless there's some sort of agenda for promoting another service), since if you really want your voice heard, you could submit a ticket instead of posting on a forum that you have strong security concerns about and one that employees are not obliged to read. They might read your post, and they may claim they monitor these forums. But if you want to make sure that at least one employee reads your suggestions, I would submit a ticket:
https://support.fongo.com/hc/en-us/requests/new. I'm not sure if my stating anything further regarding security and this forum would be frowned upon by an admin, so I'll just leave it at that. But the criticism certainly isn't new, and years later, nothing has changed. Also, I edited your post to show you were responding to bridonca, originally, about the forum.
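The replay argument made above (a captured digest response is useless against a fresh challenge because the nonce changes per registration, expires, and is accepted once) can be checked with a small model of SIP digest authentication. The following is an added example written for this page; it is not code from the post, from Freephoneline, or from Fongo, and the way it mints nonces (timestamp plus an HMAC tag, 60-second lifetime, single use) is an assumption standing in for whatever the real registrar does. The realm, username, password and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Digest response as used by SIP (RFC 3261 / RFC 2617), algorithm=MD5,
    no qop: response = MD5(HA1 ":" nonce ":" HA2). The password never
    travels on the wire; only this nonce-bound hash does."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class NonceServer:
    """Illustrative registrar (assumption, not FPL's implementation):
    nonce = "<unix-ts>.<HMAC(secret, unix-ts)>", valid for `ttl` seconds
    and consumed on first successful use."""

    def __init__(self, realm: str, secret: bytes, ttl: int = 60):
        self.realm = realm
        self.secret = secret
        self.ttl = ttl
        self.used: set[str] = set()

    def _tag(self, ts: str) -> str:
        return hmac.new(self.secret, ts.encode(), hashlib.sha256).hexdigest()[:16]

    def issue_nonce(self, now: float) -> str:
        ts = str(int(now))
        return f"{ts}.{self._tag(ts)}"

    def nonce_ok(self, nonce: str, now: float) -> bool:
        ts, sep, tag = nonce.partition(".")
        if not sep or not ts.isdigit():
            return False
        if not hmac.compare_digest(tag, self._tag(ts)):
            return False  # not minted by us (forged or tampered)
        if now - int(ts) > self.ttl:
            return False  # expired
        if nonce in self.used:
            return False  # already consumed: straight replay
        return True

    def check(self, username: str, passwords: dict, method: str, uri: str,
              nonce: str, response: str, now: float) -> bool:
        if not self.nonce_ok(nonce, now):
            return False
        password = passwords.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.used.add(nonce)
        return True


def replay_demo() -> dict:
    """A legitimate REGISTER, then an eavesdropper replaying the sniffed
    (nonce, response) pair in the three ways the thread discusses."""
    passwords = {"alice": "x7Gq9ZpL2vRtW4sN"}  # constructed, not a real credential
    realm, uri = "sip.example.invalid", "sip:sip.example.invalid"
    srv = NonceServer(realm, b"server-secret-phrase", ttl=60)
    t0 = 1_700_000_000.0

    # Honest client answers the challenge it was given.
    nonce1 = srv.issue_nonce(t0)
    resp1 = digest_response("alice", realm, passwords["alice"], "REGISTER", uri, nonce1)
    first = srv.check("alice", passwords, "REGISTER", uri, nonce1, resp1, t0 + 1)

    # Attacker resends exactly what was captured.
    replay_same = srv.check("alice", passwords, "REGISTER", uri, nonce1, resp1, t0 + 2)

    # Attacker gets a fresh challenge but only has the old response.
    nonce2 = srv.issue_nonce(t0 + 5)
    replay_new = srv.check("alice", passwords, "REGISTER", uri, nonce2, resp1, t0 + 6)

    # Even a correct response is refused once the nonce has aged out.
    nonce3 = srv.issue_nonce(t0 + 10)
    resp3 = digest_response("alice", realm, passwords["alice"], "REGISTER", uri, nonce3)
    stale = srv.check("alice", passwords, "REGISTER", uri, nonce3, resp3, t0 + 100)

    return {"first": first, "replay_same_nonce": replay_same,
            "replay_new_nonce": replay_new, "stale_nonce": stale}


if __name__ == "__main__":
    print(replay_demo())
```

What the model does not change is the other point in the thread: an attacker who captures `nonce1` and `resp1` can still brute-force the password offline against that one pair, since HA1 depends only on the fixed username, realm and password. The per-session nonce defeats replay, not dictionary or brute-force search; a long random password is what makes the latter impractical.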