[tor-talk] TOR Fone - p2p secure and anonymous VoIP tool

Van Gegel torfone at ukr.net
Sun Feb 3 20:54:13 UTC 2013

Hi! Thank you for your comments and tips!
I did not think this project as a finished product for practical use.
This is only a platform to explore the possibility of transmission of
voice over TOR. Also I tried to spend as little effort to research and
choose the best for me platform for their experiments. Using these
results any one can make similar changes to the other supported the
project for example Jitsi.
When I have free time I also try to adapt Jitsi according to your
recommendations but I'm more interested in creating a concept than its
practical implementation in the open source code.
I am also very interested in the topic of anonymous encrypted voice multi
chat. When I have free time I will try to present my implementation (*nix
server + GPG + clients based on the SpeakFrealy or other suitable VOIP
with C++ source), in any case does not aspire to a complete solution.

--- Исходное сообщение ---
От кого: "Fabio Pietrosanti (naif)" <lists at infosecurity.ch>
Кому: tor-talk at lists.torproject.org
Дата: 3 февраля 2013, 18:00:31
Тема: Re: [tor-talk] TOR Fone - p2p secure and anonymous VoIP tool


On 2/3/13 2:49 PM, adrelanos wrote:
> Hi!
> I haven't seen TOR Fone discussions on this list. Description (selection
> by adrelanos, see TOR Fone homepage [1] for original text).

While i appreciate the effort, i think that the approach of TorFone
(http://torfone.org/) is not good and cannot scale for several reasons:

a) The TCP connection between two host over TorHS is already end-to-end
encrypted with no need of additional encryption
b) PGP encryption is not required
c) The PGP source code used is "abbandonware" and is subject to known
security vulnerabilities (likehttp://www.cvedetails.com/cve/CVE-2000-0678/) and probably others
d) The PGPFone code use is "abbandonware" since +13 years and should be
reasonably subject to vulnerabilities
e) The PGPFone protocol even if opensource is an unaudited, not
conforming with today's de-facto ZRTP's security requirements
f) The system is not cross-platform, not easy portable, not easily
maintainable (it cannot goes over Linux or Tails for example)

For the reasons explained above, i do not consider the Torfone software
something i would recommend to use.

So, as a consideration i think that Torfone developer to look for a
different approach, by using best-of-breed open-source multimedia
system, re-writing TorFone with a completely different design.

The most reasonable and maintainable approach is:
- Use Jitsi  (http://www.jitsi.org)
- Introduce RTP over TCP support to Jitsi (to have RTP voice flow works
over TCP rather than UDP)
- Introduce Socks5 support to Jitsi (to have TCP
- Adjust the jitter buffering of jitsi to works over Tor latency
- Extend XMPP & Jingle support to works P2P (something is already there,
it should be relatively simple)
- Fix minor UI stuff

With such approach you would have:
- A cross-platform, opensource, secured voip client
- A maintained and mainteinable source code
- Using standard protocols with minor modifications
- ZRTP encryption (if you want, but it's not needed due to end-to-end
encryption of Tor Hidden Services)


* Useful consideration about VoIP over Torhttps://guardianproject.info/2012/12/10/voice-over-tor/* Anonymous push to talk over Torhttps://guardianproject.info/2013/01/31/anonymous-cb-radio-with-mumble-and-tor/

More information about the tor-talk mailing list