[h323implementers] [Openh323gk-users] Thoughts on H.323 encryption or Why your AES encryption might be worth nothing
jan at willamowius.de
Mon Sep 23 13:24:04 EDT 2013
Simon Horne wrote:
> I am not a fan of TLS as it has the inherent issue of being hop-by-hop.
> Unless you can verify the entire signaling path is secure then it is
> useless. Certainly you can verify from your endpoint to the gatekeeper is
> secure but what about beyond that. Certainly for small closed deployments it
> can be useful but for large ad-hoc networks it can be problematic.
I do agree that end-to-end encryption would be even better. The people
making endpoints could make that happen. ;-)
But TLS also has 2 big benefits:
- it is pretty easy to implement on top of an existing stack with H.235.6
(I did all the TLS work pro-bono as a side-project with no
- TLS doesn't only protect the Diffie-Hellman exchange, but also all
the metadata of the call (who is calling whom and when)
> Many years ago I developed an idea [...]
> TLS is not implemented other than with GnuGk.
Maybe that's one of the big problems, that nobody has implemented any
protection of the Diffie-Hellman exchange since H.235.6 was passed
(2005?), even though it explicitly mentions the need for TLS (or IPsec).
I fully agree that TLS has trouble scaling to a global solution, but
that shouldn't be an excuse to leave all users unprotected in all
situations for so many years. There are many scenarios we can easily
solve by properly implementing the specs that are already in place.
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail : jan at willamowius.de
Relaxed Communications GmbH
Managing Director: Jan Willamowius
HRB 125261 (Amtsgericht Hamburg)
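The point of the subject line, as an added example that is not part of the original mail and not GnuGk code: an active attacker on one unprotected signaling hop replaces each Diffie-Hellman half with its own and ends up holding the media key of both parties, so the AES media encryption negotiated this way protects nothing. The DH group (a 127-bit Mersenne prime with generator 3), the hash-based key derivation, and the modelling of the exchange as a value travelling in the Setup direction and one returning in the Connect direction are simplifying assumptions of this example; the attack itself does not depend on any of them.

```python
"""Added example: MITM on an unauthenticated Diffie-Hellman exchange
carried over a hop-by-hop call signaling path (not code from the original mail)."""
import hashlib
import secrets
from typing import Callable, Dict, List, Tuple

# Toy DH group, an assumption for illustration only (127-bit Mersenne prime, generator 3).
# Real deployments use the large standard MODP groups; the attack is independent of the group.
P = 2**127 - 1
G = 3


def make_private() -> int:
    """Fresh random private exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def media_key(priv: int, peer_pub: int) -> bytes:
    """Derive a 128-bit media key from the DH shared secret (simplified hash KDF, an assumption)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]


# A hop on the signaling path receives a DH public value travelling in one direction
# ("setup": caller -> callee, "connect": callee -> caller) and forwards a value.
Hop = Callable[[str, int], int]


def honest_hop(direction: str, value: int) -> int:
    """A gatekeeper or proxy that relays the DH value unchanged."""
    return value


class MitmHop:
    """An active attacker on one hop: a hostile relay, or anyone on the wire of a hop
    that is not protected by TLS/IPsec. It substitutes its own DH half in both directions."""

    def __init__(self) -> None:
        self.priv = make_private()
        self.genuine: Dict[str, int] = {}  # direction -> the genuine value it intercepted

    def __call__(self, direction: str, value: int) -> int:
        self.genuine[direction] = value
        return dh_public(self.priv)

    def keys(self) -> Tuple[bytes, bytes]:
        """(key shared with the caller, key shared with the callee): enough to decrypt
        media arriving from one side and re-encrypt it for the other."""
        return (media_key(self.priv, self.genuine["setup"]),
                media_key(self.priv, self.genuine["connect"]))


def run_call(path: List[Hop]) -> Tuple[bytes, bytes]:
    """Run the DH exchange over the signaling path; return (caller key, callee key)."""
    caller_priv, callee_priv = make_private(), make_private()
    value = dh_public(caller_priv)            # caller's half travels towards the callee
    for hop in path:
        value = hop("setup", value)
    callee_key = media_key(callee_priv, value)
    value = dh_public(callee_priv)            # callee's half travels back to the caller
    for hop in reversed(path):
        value = hop("connect", value)
    caller_key = media_key(caller_priv, value)
    return caller_key, callee_key


def attacker_holds_both_keys(path: List[Hop], attacker: MitmHop) -> bool:
    """True if the two endpoints derived different keys and the attacker knows both."""
    caller_key, callee_key = run_call(path)
    with_caller, with_callee = attacker.keys()
    return caller_key != callee_key and with_caller == caller_key and with_callee == callee_key


if __name__ == "__main__":
    k1, k2 = run_call([honest_hop, honest_hop])
    print("honest path, endpoints agree on the media key:", k1 == k2)
    mitm = MitmHop()
    print("one hostile hop, attacker holds both media keys:",
          attacker_holds_both_keys([honest_hop, mitm, honest_hop], mitm))
```

Both endpoints still see a successful key agreement and switch on AES; nothing in the exchange tells them that the peer they agreed with is the attacker. TLS or IPsec on a hop removes the on-the-wire attacker from that hop but, as the quoted reply says, not a hostile element that terminates the hop itself; without any hop protection every element and every wire on the path can do this.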