On 4/27/20 8:13 AM, Christopher Morrow wrote:
(Don't have an answer, but a question or three)
On Mon, Apr 27, 2020 at 10:34 AM Michael Thomas <mike@xxxxxxxx> wrote:
On 4/27/20 7:28 AM, Dave Cridland wrote:
Yeah, I just noticed that Zoom claims to use SIP poking around. The question is not whether it's SIP per se, but whether there will be inter-carrier anything. If there is inter-carrier, then the problem will remain, especially when it traverses an intermediary proxy.
Zoom interoperate with SIP, I think. But they used to interop via XMPP as well, and I believe they use XMPP internally. They stopped external interop with XMPP when Google and Facebook ceased to use it, I think.
Ok, that's probably what I was seeing. I wasn't actually setting out to see if they used SIP :)
So, if you set up a service (zoom, for your example here) and you
'guarantee' to your users that the path is encrypted (for instance),
and you enable federation in the XMPP sense, how do you keep your
guarantee?
You can't unless the payload itself is encrypted with keys known by each
end user. That's what my guess is going on with WhatsApp, but I know
nothing about it.
repeat with gtalk or facebook-chat or aol-instant-messenger...
For the shaken/stir conversation what's the actual problem trying to be solved?
I thought; "Did the person I see calling me actually make this call?"
or perhaps: "Is the identity I see really the identity that initiated
the call?"
It is exclusively trying to bind an e.164 address(range) -- either
directly from a tel: uri, or harvested from a sip: uri -- to the carrier
to whom it is delegated. I haven't read enough of the documents to
understand exactly how they are doing that, but one trip through SS7
land breaks any end to end traceability so I'm sort of dubious how well
this will work in practice. Scammers are not dumb, after all.
Which is why I think it's solving the wrong problem. At least with
email, DKIM and widespread adoption of SMTP-auth gives you a pretty
reasonable expectation that if it says that it came from gmail, it
actually came from a person with access to that gmail account (legit or
otherwise). It would be nice to have a similar level of confidence for
non-e.164 address sip: uris were they to become popular for some reason.
Mike