We have an excellent thread going here, let's keep it that way. The name calling and provoking of flames is uncalled for.
Peace
_________________ Have Questions? Need to speak to Vonage before signing up? Call: 1-888-692-8074 Both Business and Residential customers can call and speak to a Vonage Sales Rep 24 hours a day.
matth Vonage Forum Master
Joined: Dec 07, 2004 Posts: 281
Location: Williamsport, PA
I'm halfway tempted to give out my IP address and challenge any of you guys to grab a phone call. It's simply not something worth worrying about to me when there are so many other ways to obtain the same information.
Correct.. they would have to be a network admin on the network you use... someone in Sanfrancisco can't do anything with your packets unless they go through the router the admin has admin use over.
Joe user on cox cable can't listen in to me on Verizon DSL.
matth Vonage Forum Master
Joined: Dec 07, 2004 Posts: 281
Location: Williamsport, PA
Here's a quick update that i've been meaning to do since Saturday...
I spoke with one of the technical people and he attempted to assure me that the voice traffic was encrypted. When I told him I've decoded a call that I made to an automated service, he continued to say, Oh no, it's encrypted. When I asked him if he could give me permission to capture our call for demonstration purposes, he agreed, then put me on hold about 30 seconds later. When he came back, he said that the RTP and SIP packets are unencrypted. The only encryption, or customization they use for their protocol is with the actual device authentication to their gateways.
After we spoke more about the problem, and the possible fixes, he decided to place my contact information inside the ticket because I had some potential ideas as to how to effectively deal with these issues. I doubt i'll get a call back, but hey, it was nice to actually hear someone say "You're right, it's unencrypted...".
He said that the general support people there genuinely feel that the traffic is secure, and really don't know anything about encryption or electronic eavesdropping. They need training badly....
So, in a nutshell, the conversations are unencrypted. If you buy a business plan, you're only paying for additional usage, not encryption. If you ever run the chance of discussing private matters over the phone, Voice over IP (VoIP) may not be the technology for you. They do have plans on switching things to SRTP, however that wont be happening in the future.
on a side note, I did find out that they are beta-testing the 'call block' feature, which would disallow callers with 'out of area', or 'private' listed in their caller id. All i have to say about that feature is "YAAAAAAAAAAAAAAAAAAAAAAAY!!!"
Voip == insecure still. Hopefully it will be taken seriously in the near future.
You have got serious issues. Voip is just as secure (if not more) then a POTS line.
POTS line == climb a pole or go to the NID.. call captures Voip == have to be an admin/hacker on a router/bridge device somewhere on the network.
As I stated above.. someone on cox cable can't access my call on ChiliTech Wireless, or Verizon DSL.
Let's look at my tracert:
1 1 ms 1 ms 1 ms 192.168.1.1 2 6 ms 8 ms 7 ms ws-65-173-16-1.wireless.chilitech.net [65.173.16 1] 3 14 ms 13 ms 14 ms sl-gw22-pen-6-1-0.sprintlink.net [160.81.248.77]
4 13 ms 14 ms 15 ms sl-bb26-pen-0-4.sprintlink.net [144.232.5.25] 5 13 ms 15 ms 13 ms sl-bb21-pen-9-0.sprintlink.net [144.232.5.245] 6 20 ms 15 ms 15 ms sl-bb23-rly-0-0.sprintlink.net [144.232.20.32] 7 18 ms 18 ms 21 ms sl-st20-ash-10-0.sprintlink.net [144.232.20.152]
8 19 ms 17 ms 17 ms 144.232.8.18 9 18 ms 19 ms 18 ms so6-0-0-2488m.ar1.nyc1.gblx.net [67.17.64.154] 10 24 ms 18 ms 21 ms vonage-holdings-corp-vonage-toll-free-nwrk.ge-2- -0.403.ar1.nyc1.gblx.net [64.210.19.18]
I am 10 hops from Vonage. To listen in to my call you would have to be an employee/hacker of Sprintlink or GlobalCrossings (or Vonage). So unless you are an admin or hacker ON ONE OF THOSE ROUTERS listed above.. you can't listen to my call. Just because your connection goes THROUGH one of those routers... you can't listen to my call. You have to be ON one of those routers to capture packets...
Oh yeah.. my phone calls are available from 65.173.16.202 go for it
dconnor Site Admin
Joined: Mar 05, 2003 Posts: 2251
Location: The Beach
_________________ Have Questions? Need to speak to Vonage before signing up? Call: 1-888-692-8074 Both Business and Residential customers can call and speak to a Vonage Sales Rep 24 hours a day.
matth Vonage Forum Master
Joined: Dec 07, 2004 Posts: 281
Location: Williamsport, PA
Hey! I got in.. woohoo.... hrmm wow... dan.. what have you been doing.. you've got tons of pirated software on here! Hey hrmmm I've downloaded almost all of these files as well! You have good taste!
I'm halfway tempted to give out my IP address and challenge any of you guys to grab a phone call. It's simply not something worth worrying about to me when there are so many other ways to obtain the same information.
Correct.. they would have to be a network admin on the network you use... someone in Sanfrancisco can't do anything with your packets unless they go through the router the admin has admin use over.
Joe user on cox cable can't listen in to me on Verizon DSL.
That's what I thought I've been saying throughout this entire thread It's people on your network, or the networks that your provider's connect to. Individuals who have access, or obtain unauthorized access to the networks that connect to vonage's servers pose the greatest risk.
Since I don't have access to the networks that interconnect vonage's servers, I cannot confirm that the interconnects are encrypted. Lets just trust them on that (and I hate to use the word trust). I'm basing my statements on what I've seen, and what other upstream providers can see.
You have got serious issues. Voip is just as secure (if not more) then a POTS line.
POTS line == climb a pole or go to the NID.. call captures Voip == have to be an admin/hacker on a router/bridge device somewhere on the network.
POTS== it's obvious when people climb poles, or fuss with lines around your house or business. That's probably the most insecure portion of the POTS network. Everywhere else you have to be an employee, or granted special access.
VoIP== more discrete, you don't have to physically sit at the house to listen in on conversations.
Remember, this thread is a warning of potential security issues relating to unencrypted traffic. There have been people on this thread that have asked for me to document or provide documentation of this happening out in the wild. All the security buffer overflows within operating systems and applications that have patches and bug-fixes may not have been exploited yet, but they've been fixed before they have been exploited. Do you think Microsoft, Oracle, or other large companies would just let buffer overflows remain in their product until they've been exploited? Would that be practicing "due diligance/due care"?
matth wrote:
As I stated above.. someone on cox cable can't access my call on ChiliTech Wireless, or Verizon DSL.
Let's look at my tracert:
1 1 ms 1 ms 1 ms 192.168.1.1 10 24 ms 18 ms 21 ms vonage-holdings-corp-vonage-toll-free-nwrk.ge-2- -0.403.ar1.nyc1.gblx.net [64.210.19.18]
I am 10 hops from Vonage. To listen in to my call you would have to be an employee/hacker of Sprintlink or GlobalCrossings (or Vonage). So unless you are an admin or hacker ON ONE OF THOSE ROUTERS listed above.. you can't listen to my call. Just because your connection goes THROUGH one of those routers... you can't listen to my call. You have to be ON one of those routers to capture packets...
Oh yeah.. my phone calls are available from 65.173.16.202 go for it
You're correct. You must have admin access in order to capture traffic on a network further upstream. That administrative access can either be granted by the organization, or obtained via unauthorized means. This thread wasn't meant to say "Hey, you ARE being listened to.", it's to let you know that "Hey, there's a potential for people to listen further up stream."
I believe if I go through all the posts in this thread that i've made, i've stated that upstream providers can listen to your traffic, not people running a sniffer in singapore on their local machine, listening to their own traffic. that individual must have access to the packets that's traversing your upstream provider's network.
I'll have to draw up a Visio drawing and post it to illustrate my statements. There has been a few misunderstandings, and violent agreements relating to points I'm trying to bring to the public's attention.
Hey! I got in.. woohoo.... hrmm wow... dan.. what have you been doing.. you've got tons of pirated software on here! Hey hrmmm I've downloaded almost all of these files as well! You have good taste!
[/quote]
heh my ip address is 2.224.128.5. Have at it
matth Vonage Forum Master
Joined: Dec 07, 2004 Posts: 281
Location: Williamsport, PA
Hrmm just a note.. I don't condone pirated software.. that was a joke
GardRailz... ok I see your point... I still would feel better with a Voip line then a pots line.... even if joe kid can't listen... someone at the CO can punch a few keys and listen in on your conversation.... believe me... I've done trouble shooting on our PRIs at work .. I've seen it happen (authorized by me of course...) to locate a problem channel.
So I dunno I guess it's just one opinion against the other. Yes SRTP would be best.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
All times are GMT - 5 Hours
Vonage Service Plans
Vonage VoIP Members
Members New HorpDrype New Today 7 Yesterday 18 Total 63405 Who Is On Site Visitors 215 Members 0 Total 215
1 Unlimited calling and other services for all residential plans are based on normal residential use by single-family household members. A combination of factors are used to determine abnormal use, including but not limited to: the number of unique numbers called, international calls forwarded, minutes used and other factors. Subject to our Reasonable Use Policy and Terms of Service.
HIGH SPEED INTERNET REQUIRED. † LIMITED TIME OFFER, VALID FOR NEW LINES ONLY. RATES EXCLUDE INTERNET SERVICE, SURCHARGES, FEES AND TAXES. As a subscriber to Vonage service, you agree to be bound by the Terms of Service. See www.vonage.com/tos for details. ¤ Where available. The number transfer process takes approximately 10 business days from the time you confirm your transfer request. Alarms, TTY and other systems may not be compatible. Vonage 911 service operates differently than traditional 911. See www.vonage.com/911 for details.
Thinking of signing up for Vonage but have questions? Business and Residential customers can call Toll Free 24 hours a day at: 1-888-692-8074 No Vonage Promotional Codes or Coupon Codes are required at www.vonage.com.
The Vonage Forum provides the Vonage sign up Best Offer Promotion Deal as a means to offset
our cost. If you are considering signing up for Vonage and have found our Vonage
News, Customer Reviews, Forums & all other parts of this site useful, please
use our Vonage FREE Month sign up offer Deal Coupon.
Vonage VoIP Phone Service is redefining communications by offering consumers & small business VoIP Internet phones, an affordable alternative to traditional phone service.
The Vonage VoIP Forum Generated This Page In: 0.57 Seconds and 311 Pages In The Last 60 Seconds The Vonage VoIP Forum
Members
New 
New Today 7
Yesterday 18
Total 63405
Who Is On Site
Visitors 215
Members 0
Total 215
+0.15