Silicon Technix Forums


Author Topic: Some secure issues (encryption & SSL)  (Read 1690 times)

Offline Jurik

Some secure issues (encryption & SSL)
« on: May 17, 2006, 01:51:05 PM »
Hello  :)

I've some questions about the security of data.

At the moment you can see in the source code of your webphone the password and everything in plain text without any encryption.

Is it possible to give at least the password encrypted with SHA1 or some other encryption code?

And do you have any tests with SSL encryption done in the past? I think it's important to not show everyone the data.

Offline Babar Shafiq Nazmi

  • Administrator
Some secure issues (encryption & SSL)
« Reply #1 on: May 17, 2006, 03:38:14 PM »
Hi Jurik,

Yes, I implemented the RC4 crypt algo in the control for key-based encryption. I tested RC4 with PHP and the control; it's working perfectly. :)
SHA1 and MD5 are one-way hashing and the control needs clear text from the user, so I can't use them. With RC4 the problem is that the key is still visible in the source; if you or somebody else has any good idea, please share.

Another solution is that you can restrict that userid to specific extensions only from context in asterisk.

Regards,
Babar Shafiq Nazmi.
....God is the greatest Programmer....

http://www.silicontechnix.com

Offline Jurik

(No subject)
« Reply #2 on: May 17, 2006, 04:37:18 PM »
Yes - every one of our 'test-accounts' has its own place and password in our extension.conf.

Okay - if only they look in the source code - it's no problem, cuz they see their own password. But as soon as a second person gets the source code, it will be possible for that one to use this account information.


:idea:
Does anyone have experience with VoIP and SSL in this situation?
My thoughts are that the ocx holds the datastream and the SSL is just to 'connect' to the webphone. But the SSL connection has nothing to do with the communication between me (client) and the ocx-file and between the ocx-file and our asterisk-server. Is this correct?

[----------------------------- SSL -----------------------------]
Client -> *Request* -> WebServer -> *Answer* -> Client -> *Send Data (incl. password)* -> ocx-file -> *Request* -> Asterisk-Server -> *Answer* -> ocx-file -> *Send Data* -> Client Browser+Soundcard

Offline madd_gamer

(No subject)
« Reply #3 on: May 18, 2006, 04:44:10 AM »
I also noticed that if you view source, you can see the account credentials.

What I did to get around it is, I wrote a script that changes all the passwords every night.  So it doesn't matter if they have the password, it's only going to work that day.  Plus my site requires you to login with the username you created when registering.

Just a suggestion, I don't think it's the best solution, but it works with my setup.

Offline Jurik

(No subject)
« Reply #4 on: May 18, 2006, 12:17:37 PM »
But imagine that you have the chance to call mobile phones with your asterisk-account. That could do heavy damage to your money pocket  :P

Well, you could give it a credit limit - but you'd lose this money too.

Offline Babar Shafiq Nazmi

  • Administrator
Some secure issues (encryption & SSL)
« Reply #5 on: May 18, 2006, 03:11:56 PM »
Yes, that's why I implemented RC4 encryption in it. We are using a pre-defined key embedded in the control, and that same key is used with the PHP page which is passing the encrypted userid/password to the control.

But it's not possible for me to embed everyone's keys in the control. So I think we will discuss some key and use that key in the control by default, or add a new feature like this:

iaxcontrol.encryption=true/false
iaxcontrol.key='some private key'
iaxcontrol.username='skljo2j3'  //encrypted user name
iaxcontrol.password='@!#ADd' //encrypted password

If no key is passed it will use 'somekey' as default. This is just an idea; please comment on it so I can make it available...

Also, about SSL communication with the server: I did that for one company as a paid solution, and iaxcontrol is working in a 'tcp encrypted tunnel' (on web ports 80/8080) for them.

But I don't think this is a requirement of normal users ???


Regards,
Babar Shafiq Nazmi.
....God is the greatest Programmer....

http://www.silicontechnix.com
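
Added example, not part of the original posts and not the control's own code: a textbook RC4 in JavaScript applied to page fields shaped like the proposal above, showing that when the key travels in the same page as the ciphertext, anyone who can read the page source recovers the cleartext exactly as the control does. The hex encoding, the function names `buildPageFields` and `recoverFromPage`, and the sample key and credentials are assumptions constructed for illustration.

```javascript
// Textbook RC4; encryption and decryption are the same operation.
function rc4(keyBytes, dataBytes) {
  // Key-scheduling algorithm (KSA)
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  // Pseudo-random generation algorithm (PRGA), XORed over the data
  const out = new Uint8Array(dataBytes.length);
  for (let n = 0, i = 0, j = 0; n < dataBytes.length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[n] = dataBytes[n] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

const toBytes = (s) => new TextEncoder().encode(s);
const toHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
const fromHex = (h) => Uint8Array.from(h.match(/../g) || [], (x) => parseInt(x, 16));

// Server side (PHP in the thread): encrypt before writing values into the page.
// Hex encoding of the ciphertext is an assumption of this example.
function buildPageFields(key, username, password) {
  return {
    encryption: true,
    key, // shipped to the browser next to the ciphertext
    username: toHex(rc4(toBytes(key), toBytes(username))),
    password: toHex(rc4(toBytes(key), toBytes(password))),
  };
}

// What the control has to do with the fields, and what any reader of the
// page source can do with the same four values.
function recoverFromPage(fields) {
  const k = toBytes(fields.key);
  const dec = (h) => new TextDecoder().decode(rc4(k, fromHex(h)));
  return { username: dec(fields.username), password: dec(fields.password) };
}

// Constructed sample values, not real credentials.
const fields = buildPageFields("somekey", "webuser01", "s3cr3t-demo");
console.log(fields, recoverFromPage(fields));
```

In this example both fields are encrypted under the same key, so they also share one RC4 keystream.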

 
