[SIP Beyond VoIP] Sylkserver Participant Management

Michael Procter michael at voip.co.uk
Tue Jul 16 13:13:22 CEST 2013


Yes.  A randomly generated room name is reasonably safe against
guessing, assuming a long enough and random enough name.  That isn't
my point.

My point is that protecting against guessing, whilst useful, is not
the only concern.  I gave an example of a simple mechanism to learn
the room name, which will work in most enterprise-like environments.
In particular, devices in those environments are quite likely to both
implement the dialog event package and also permit all subscriptions
to be honoured, since many assume that "the PBX" will look after
security.

I am not suggesting that a more sophisticated conference admissions
check needs to be implemented urgently, simply that you shouldn't rule
it out based on the idea that long random names are unguessable and
therefore secure!

Michael

On 16 July 2013 12:04, Adrian Georgescu <ag at ag-projects.com> wrote:
> Secondly, this is not guessing. This is when someone gave you this information either by accident or on purpose.
>
> I challenge you to guess in which conference server and room I am right now connected to.
>
> Where do you start solving this when you are some random bot over the Internet, what logic do you apply when you have no information at all? Start counting from 1 to infinity and probe all IP addresses in the universe?
>
> Adrian
>
>
> On Jul 16, 2013, at 12:50 PM, Michael Procter <michael at voip.co.uk> wrote:
>
>> On 16 July 2013 11:35, Adrian Georgescu <ag at ag-projects.com> wrote:
>>> How do you try in a sequence a random string?
>>>
>>> wfewbehuwgr3uruo3pi503957823bc56 at conference.sip2sip.info
>>>
>>> is a valid room.
>>>
>>> How do you guess it?
>>
>> SUBSCRIBE to the dialog event package on a device that has joined the
>> conference.  Not all devices support it, but quite a few do.
>>
>> Michael
>> _______________________________________________
>> SIPBeyondVoIP mailing list
>> SIPBeyondVoIP at lists.ag-projects.com
>> http://lists.ag-projects.com/mailman/listinfo/sipbeyondvoip
>>
>
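The two defences this exchange argues for, as an added example that is not SylkServer's code nor anything posted in the thread: (1) a device, or the PBX answering for it, should not honour every SUBSCRIBE for the dialog event package (RFC 4235), but only watchers that are the device's own identity or on an explicit watcher list, so the room name is not disclosed to anyone who asks; and (2) a conference admission check that does not rest on the room name alone, adding an optional participant allowlist and PIN on top of the random name. All AORs, room names, PINs and the SUBSCRIBE message are constructed sample values; the 200/403/489 status codes are the standard SIP responses for accepted, forbidden and unsupported event subscriptions.

```python
"""Added example (not SylkServer's own code): defensive checks for the
room-name disclosure described in the thread. Sample values constructed."""
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Dict

# --- 1. Watcher authorization for SUBSCRIBE Event: dialog -----------------

# Constructed SUBSCRIBE: a third party asks a device for its dialog state.
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE sip:alice@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776\r\n"
    "From: <sip:mallory@example.net>;tag=1928\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Event: dialog\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_headers(msg: str) -> Tuple[str, Dict[str, str]]:
    """Split a SIP request into its request line and a lowercase header map."""
    head = msg.split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")  # first colon separates name/value
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def aor_from_header(value: str) -> str:
    """'<sip:alice@example.com>;tag=1928' -> 'sip:alice@example.com'."""
    m = re.search(r"<([^>]+)>", value)
    uri = m.group(1) if m else value.split(";")[0].strip()
    return uri.split(";")[0]


def decide_subscribe(msg: str, authorized_watchers: FrozenSet[str] = frozenset()) -> int:
    """Status code the device (or PBX) should return for a SUBSCRIBE.

    Only the subscribed-to identity itself, or an explicitly authorized
    watcher, may learn dialog state; everyone else gets 403 Forbidden.
    """
    _, h = parse_headers(msg)
    event = h.get("event", "").split(";")[0].strip().lower()
    if event != "dialog":
        return 489  # Bad Event: this policy only covers the dialog package
    watcher = aor_from_header(h["from"])
    target = aor_from_header(h["to"])
    if watcher == target or watcher in authorized_watchers:
        return 200
    return 403


# --- 2. Conference admission that does not rely on the name alone --------

@dataclass
class Room:
    name: str
    # Empty allowlist means anyone who knows the name may join (the
    # status quo the thread discusses); a non-empty one adds a second gate.
    allowed_participants: FrozenSet[str] = frozenset()
    pin: Optional[str] = None


def generate_room_name(nbytes: int = 16) -> str:
    """128 bits of randomness: the unguessable part nobody in the thread disputes."""
    return secrets.token_hex(nbytes)


def admit(room: Room, caller_aor: str, offered_pin: Optional[str] = None) -> bool:
    """Knowing the room name is necessary but, with these set, not sufficient."""
    if room.allowed_participants and caller_aor not in room.allowed_participants:
        return False
    if room.pin is not None:
        if offered_pin is None or not hmac.compare_digest(room.pin, offered_pin):
            return False
    return True


if __name__ == "__main__":
    print("third-party SUBSCRIBE ->", decide_subscribe(SAMPLE_SUBSCRIBE))
    room = Room(generate_room_name(), frozenset({"sip:alice@example.com"}), pin="4242")
    print("alice with pin ->", admit(room, "sip:alice@example.com", "4242"))
    print("bob who learned the name ->", admit(room, "sip:bob@example.com", "4242"))
```

Even with the room name leaked through a NOTIFY, the second check refuses a caller who is not on the allowlist or lacks the PIN, which is the kind of admission control Michael says should not be ruled out.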

