[messaging] Evaluation of ZRTP clients

Dominik Schuermann dominik at dominikschuermann.de
Wed Mar 15 12:28:06 PDT 2017


we conducted a study of ZRTP clients including Acrobits Softphone,
CSipSimple, Jitsi, Linphone, and Signal.

I just published a blog post teaser and a preprint PDF at
Please read the full PDF for all details.

We tested protocol compliance, error handling, and user interfaces.

Besides 2 issues that have already been fixed, I would like to start a
discussion about the following topics:
* "shared" MitM attack, where only Signal and Acrobits Softphone are
protected against
* discussion about better security indicators
* besides Signal, no app terminates the connection on security failures,
but instead falling back to insecure connections

In the PDF we propose a set of best practices that hopefully solve most
of the issues.


Dominik Schürmann
Institute of Operating Systems and Computer Networks, TU Braunschweig
Mühlenpfordtstraße 23, 38106 Braunschweig, Germany
Phone: +49 531 3913263
Mobile: +49 171 6581452
Email: schuermann at ibr.cs.tu-bs.de
Website: http://www.ibr.cs.tu-bs.de/users/schuerm

More information about the Messaging mailing list