Re: [Tails-dev] VoIP-over-TOR

Nachricht löschen

Nachricht beantworten
Autor: intrigeri
Datum:  
To: Rene Bartsch, The Tails public development discussion list
Betreff: Re: [Tails-dev] VoIP-over-TOR
Hi Rene,

[Please tell us if you read the list and don't need to be Cc'd.
I do read the list, no need to Cc me.]

Rene Bartsch wrote (23 Jun 2014 10:07:42 GMT) :
> OnionCat provides a public overlay network. If a SIP-proxy ist put on top of OnionCat
> any dumb hardware-/software SIP-phone in the LAN can be used.


Yep, I've been maintaining OnionCat in Debian for a while so that
people can easily experiment its usage for VoIP within Tails :)

> On the OnionCat-interface I suggest to use


> 1. DTLS/SRTP with self-signed certificate created from the Tor Hidden Service
> hostname/private key for authentication and encryption


Am I getting your suggestion right that it's about re-using the Tor
HS' private key material inside a (X.509, I guess) certificate used to
authenticate peers with DTLS/SRTP?

Assuming we want certificate authentication on top of what Tor HS plus
OnionCat's bidirectional authentication provides, what would be the
advantage to reuse the HS' key? I'm concerned with feeding it into
processes running with different privileges and attack surface.

Are you positive that the kind of keys used for Hidden Services is
appropriate for DTLS/SRTP? (e.g. key size...)

[... snipping other suggestions that I'm not able to comment on
without properly diving into the subject ...]

> I also suggest to consider RTCWeb as Tor pluggable transport for OnionCat as it is
> encrypted by default, can multiplex multiple streams and ordered mode/congestion
> control can be switched on/off per stream.


Just to be clear, work on supporting VoIP within Tails has been
stalled for a while. The current state of our research can be found
there:

https://tails.boum.org/blueprint/VoIP_support/
https://labs.riseup.net/code/issues/5709

Thanks for all these suggestions! I, for one, would welcome
experimentation results, e.g. based on what you're suggesting, be it
on this list, or as Git patches against the blueprint. I'd love to see
reports of WebRTC over OnionCat!

Best regards,
--
intrigeri