[messaging] Evaluation of ZRTP clients
Dominik Schuermann
dominik at dominikschuermann.de
Wed Mar 15 12:28:06 PDT 2017
Hi,
we conducted a study of ZRTP clients including Acrobits Softphone,
CSipSimple, Jitsi, Linphone, and Signal.
I just published a blog post teaser and a preprint PDF at
https://www.sufficientlysecure.org/2017/03/15/zrtp.html
Please read the full PDF for all details.
We tested protocol compliance, error handling, and user interfaces.
Besides 2 issues that have already been fixed, I would like to start a
discussion about the following topics:
* "shared" MitM attack, which only Signal and Acrobits Softphone are
protected against
* discussion about better security indicators
* besides Signal, no app terminates the connection on security failures;
instead, they fall back to insecure connections
In the PDF we propose a set of best practices that hopefully solve most
of the issues.
Cheers
Dominik
--
Dominik Schürmann
Institute of Operating Systems and Computer Networks, TU Braunschweig
Mühlenpfordtstraße 23, 38106 Braunschweig, Germany
Phone: +49 531 3913263
Mobile: +49 171 6581452
Email: schuermann at ibr.cs.tu-bs.de
Website: http://www.ibr.cs.tu-bs.de/users/schuerm