[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Linphone-users] Telecommunications secrecy
|
From: |
Stuart D Gathman |
|
Subject: |
Re: [Linphone-users] Telecommunications secrecy |
|
Date: |
Fri, 21 Jul 2023 09:53:54 -0400 (EDT) |
On Fri, 21 Jul 2023, Koray Ersin wrote:
In the company I work for, we are interested in using your software.
However, before we proceed, we would like to ensure that the confidentiality
of telecommunications is guaranteed with your services.
Let's assume that you are talking about SIP to SIP calls for starters.
There are two general parts to a SIP call: call setup ("metadata")
and the call itself.
Your clients (not the service) determines whether the call data itself
is encrypted using sRTP or plaintext using RTP.
As far as I know, the linphone.org service is not encrypted, so the
metadata (who you are calling, when, and how long and what ips) is plaintext.
BUT, you do not need to use the service. Do peer to peer calls over
a VPN. For instance, linphone over cjdns ipv6 mesh vpn provides
end to end encrypted call setup and data.
This article describes linphone 3 setup for ipv6 peer to peer at the
end: https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/
There are some issues with getting recent linphone packaged natively
for Fedora (lack of manpower - not a linphone problem afaik), so you may
need the appimage or another distro.
Regular VPNs do not thoroughly obscure IPs, and adversaries with
resources can tease out the end point IPs. If that is a concern, there
is the Tor mesh vpn. But you lose a lot of performance - I doubt
calls would work very well. It is also rumored that alphabet agencies
run some percentage of Tor nodes.
What about SIP -> telco ?
linphone.org does not offer a bridge to telco, but the sponsoring
company does. I won't shill for competing services on their list.
This is generally a paid service.
There is no privacy on telco. You can assume that alphabet agencies
have recorded all your calls, and have a report of when you made them.
Telco endpoints are pinpointed geographically. You could try to obscure
your IP (and therefore your location) by using a VPN service that
promises on a stack of Bibles that there is no log for govt to demand
under a warrant. However, even if they are trustworthy, the govt can
demand logging with a warrant before your calls. (And this is actually
constitutional.)
But they may form suspicions about you based solely on who you talked
to (guilt by association). The call itself is less interesting to them
than the metadata.