[tor-talk] TOR Fone - p2p secure and anonymous VoIP tool

Fabio Pietrosanti (naif) lists at infosecurity.ch
Sun Feb 3 16:00:27 UTC 2013


On 2/3/13 2:49 PM, adrelanos wrote:
> Hi!
>
> I haven't seen TOR Fone discussions on this list. Description (selection
> by adrelanos, see TOR Fone homepage [1] for original text).

While I appreciate the effort, I think that the approach of TorFone
(http://torfone.org/) is not good and cannot scale for several reasons:

a) The TCP connection between two hosts over TorHS is already end-to-end
encrypted, with no need of additional encryption
b) PGP encryption is not required
c) The PGP source code used is "abandonware" and is subject to known
security vulnerabilities (like
http://www.cvedetails.com/cve/CVE-2000-0678/) and probably others
d) The PGPFone code used has been "abandonware" for 13+ years and should
reasonably be subject to vulnerabilities
e) The PGPFone protocol, even if open source, is unaudited and not
conforming with today's de facto ZRTP security requirements
f) The system is not cross-platform, not easily portable, not easily
maintainable (it cannot go over to Linux or Tails, for example)

For the reasons explained above, I do not consider the TorFone software
something I would recommend using.

So, as a consideration, I think that the TorFone developer should look for a
different approach, using a best-of-breed open-source multimedia
system and rewriting TorFone with a completely different design.

The most reasonable and maintainable approach is:
- Use Jitsi (http://www.jitsi.org)
- Introduce RTP over TCP support to Jitsi (to have the RTP voice flow work
over TCP rather than UDP)
- Introduce Socks5 support to Jitsi (to have TCP
- Adjust the jitter buffering of Jitsi to work over Tor latency
- Extend XMPP & Jingle support to work P2P (something is already there,
it should be relatively simple)
- Fix minor UI stuff

With such an approach you would have:
- A cross-platform, open-source, secured VoIP client
- A maintained and maintainable source code
- Using standard protocols with minor modifications
- ZRTP encryption (if you want, but it's not needed due to end-to-end
encryption of Tor Hidden Services)


Regards,
Fabio

* Useful consideration about VoIP over Tor
https://guardianproject.info/2012/12/10/voice-over-tor/
* Anonymous push to talk over Tor
https://guardianproject.info/2013/01/31/anonymous-cb-radio-with-mumble-and-tor/
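
The "RTP over TCP" item in the list above needs a way to delimit RTP packets on a byte stream such as a Tor circuit. As an added example (not part of the original e-mail, and not Jitsi or TorFone code), this Python code uses RFC 4571 length-prefixed framing, which the post does not name and is assumed here; all helper names and the sample packets are constructed.

```python
import struct

MAX_FRAME = 0xFFFF  # RFC 4571: the length prefix is 16 bits, so frames are bounded

def frame(rtp_packet: bytes) -> bytes:
    """Prefix one RTP packet with its 16-bit big-endian length."""
    if len(rtp_packet) > MAX_FRAME:
        raise ValueError("RTP packet too large for a 16-bit length prefix")
    return struct.pack("!H", len(rtp_packet)) + rtp_packet

class Deframer:
    """Rebuilds RTP packets from TCP reads that may split or merge frames."""
    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        packets = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack_from("!H", self._buf, 0)
            if len(self._buf) < 2 + length:
                break  # frame incomplete: wait for the next read
            packet = bytes(self._buf[2:2 + length])
            del self._buf[:2 + length]
            # Peer-controlled input: keep only frames that hold a full
            # 12-byte RTP header with version 2, silently drop the rest.
            if len(packet) >= 12 and packet[0] >> 6 == 2:
                packets.append(packet)
        return packets

def rtp_packet(seq, timestamp, ssrc, payload, payload_type=0):
    """Constructed minimal RTP packet: version 2, no padding, extension or CSRC."""
    header = struct.pack("!BBHII", 0x80, payload_type & 0x7F,
                         seq & 0xFFFF, timestamp, ssrc)
    return header + payload

def sequence_number(packet: bytes) -> int:
    return struct.unpack_from("!H", packet, 2)[0]

def demo():
    """Send three constructed packets through 7-byte reads, as a slow link might."""
    sent = [rtp_packet(s, s * 160, 0x1234ABCD, bytes([s]) * 20) for s in (1, 2, 3)]
    stream = b"".join(frame(p) for p in sent)
    deframer, received = Deframer(), []
    for i in range(0, len(stream), 7):
        received += deframer.feed(stream[i:i + 7])
    return sent, received

if __name__ == "__main__":
    sent, received = demo()
    print([sequence_number(p) for p in received], received == sent)
```

The sequence numbers recovered here are what a jitter buffer, as in the next list item, would use to reorder and pace playback.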

