OSTN secure VoIP wizard now built into CSipSimple for Android

If you saw our last post about how to set up your own secure voice-over-IP server instance, then this news is for you.

If you are an Android user looking for the best open-source VoIP app, and really need one that can support secure communications, then this post is ALSO for you.

CSipSimple, the previously mentioned “best VoIP app”, now includes a wizard for setting up an account configuration for any server which complies with our Open Secure Telephony Network (OSTN) specification. In short, this means it uses TLS or SSL to secure the SIP signaling traffic, and supports proxying of the RTP media streams for the actual voice or video calls, without in any way interfering with the ZRTP encryption passing through it.

There are currently two OSTN compliant public services, OSTel and PillowTalk, but we hope and expect there to be many more, both public and private, and are very happy that this secure-by-default wizard configuration is now included in the core CSipSimple project. In addition, by having this support in a multi-purpose client (as opposed to a single OSTel-only app), you can simultaneously use multiple VoIP accounts. For example, you might set up a second account with Callcentric, which is less secure but would allow you to make calls over the standard telephone system.

Below are screenshots of CSipSimple account setup running on an Android 4 ICS 7″ tablet.

First, select “Add account”, scroll down to Generic wizards, and select OSTN.

Then enter your username, password, and the OSTN compliant server you wish to connect to.

Once you hit “Save”, the account should be configured, attempt to register, and be ready to make calls.

Learn more about the CSipSimple project: http://code.google.com/p/csipsimple/

Download the latest CSipSimple nightly trunk here.

Many thanks to the brilliant Ooze and R3gis for their continued support.

Posted in News
5 comments on “OSTN secure VoIP wizard now built into CSipSimple for Android”
  1. Peter L says:

    I’m noticing that the OSTN wizard does NOT enable the “Check Server” option under CSipSimple’s “Secure Transport” settings.

    As such, it would seem susceptible to a man-in-the-middle attack.

    The manual workaround *seems* to be to:

    1) obtain the “conf/ssl/cacert.pem” from the server and copy it to the Android device
    2) set “Check Server” (under “Secure transport” settings)
    3) set “TLS CA file” (under “Secure transport” settings) to point to the loaded certificate file

    If “Check Server” is set without providing the “TLS CA file”, registration times out.

    The limitation with the above method is that it seems to only allow one CA file and Check Server setting applied across all accounts.

    It would be desirable if the OSTN wizard provided the option to set these for each individual OSTN account, but I don’t know how to do that.

    • n8fr8 says:

      Thanks for the write-up. We are definitely looking into improving support for cert verification in CSipSimple.

  2. lazzarello says:

    This is a limitation in the SSL implementation in both the client and the server. The client could use the operating system CA root certificates. Then the server could install a signed certificate and it would validate just like a https web site. I tried this with the freeswitch trunk a few months ago and it failed. I did not debug further.

    Fortunately, you have two layers of security in a call on an OSTN server, SIPS and ZRTP. If the signalling is middled, chances are you will not end up speaking to the party you intend, at which point you can simply hang up. If the party’s voice is a convincing imposter but they are still middling you, the ZRTP SAS should be different on each side, and you can hang up or ask the party to call you back.

    These scenarios are theoretical at this point. Testing would be a big help to establish additional threat models.

    • Peter L says:

      First off, thanks to all involved in publishing an OSTN recipe for FreeSWITCH. It made setting up a server significantly less difficult.

      For what it is worth, server verification (“Check Server”) seems to work in my testing (Freeswitch 1.3.0; git at commit 00f586ca5a, CSipSimple 0.04). (I only wish CSipSimple formally alerted of the security condition, rather than simply timing out on registration.)

      I had to speculate on the “whys” of the decision behind the choices in the OSTN configuration.

      For example, if ZRTP verifies the end caller, why go to the complexity of using TLS?

      Similarly, why enable “proxy media” mode and disable “bypass media”?

      I speculated the answer to both was that it was desirable to cloak who was dialing whom. Having the SIP signaling encrypted in TLS hides the identity, phone numbers, and callee IP address of the individuals making the call. Using “proxy media” also cloaks the IP address of the callee (and improves NAT compatibility at the cost of extra bandwidth at the server).

      So, using all the tricks available in TLS seems worthwhile. If the server verification isn’t performed, ZRTP would presumably prevent an attack, but the advantages listed above are lost.
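lazzarello's comment and Peter L's reply both rest on the same point: a middled ZRTP call gives each side a different SAS. The following is an added example, not code from the original post or from CSipSimple, that simulates the two cases with a toy Diffie-Hellman group and a simplified SAS derivation (the prime, generator and key derivation are constructed for illustration; real ZRTP uses large MODP or EC groups and a richer KDF).

```python
import hashlib
import secrets

# Toy finite-field Diffie-Hellman parameters, constructed for this example.
# Real ZRTP negotiates 2048/3072-bit MODP groups or ECDH, not a 127-bit prime.
P = 2**127 - 1
G = 5

SAS_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32, as ZRTP uses


class Endpoint:
    """One ZRTP party: holds a DH key pair, derives the key and the SAS."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.key = None

    def receive(self, peer_pub):
        # Shared secret from the peer's public value. Simplified from ZRTP's
        # s0/KDF derivation, which also hashes in retained secrets and ZIDs.
        shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        self.key = hashlib.sha256(shared).digest()

    def sas(self):
        # ZRTP's 4-character SAS: the top 20 key bits, 5 bits per character.
        bits = int.from_bytes(self.key[:3], "big") >> 4
        return "".join(SAS_ALPHABET[(bits >> s) & 31] for s in (15, 10, 5, 0))


def direct_call():
    """Alice and Bob exchange DH values directly: both phones show one SAS."""
    alice, bob = Endpoint(), Endpoint()
    alice.receive(bob.pub)
    bob.receive(alice.pub)
    return alice, bob


def middled_call():
    """Mallory runs one DH exchange with Alice and a separate one with Bob,
    relaying media between them. Each side now shares a key with Mallory,
    so the SAS Alice reads aloud does not match the one Bob sees."""
    alice, bob = Endpoint(), Endpoint()
    m_to_alice, m_to_bob = Endpoint(), Endpoint()
    alice.receive(m_to_alice.pub)   # Alice believes this is Bob's value
    m_to_alice.receive(alice.pub)
    bob.receive(m_to_bob.pub)       # Bob believes this is Alice's value
    m_to_bob.receive(bob.pub)
    return alice, bob


if __name__ == "__main__":
    a, b = direct_call()
    print("direct call SAS :", a.sas(), b.sas())
    a, b = middled_call()
    print("middled call SAS:", a.sas(), b.sas())
```

Comparing the two printed lines shows why the SAS readout, not the TLS layer, is what exposes a media-path impostor in this scenario.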

  3. Hans-Christoph Steiner says:

    For the record, this blog post documents the original testbed setup of ostel.me. That setup is no longer used and ostel.me has been shutdown. Use https://ostel.co for the current, maintained service.
