How To Make More Secure Online Phone Calls

Posted in Collaborate Effectively, Voice over Internet Protocol, Stay Safe and Anonymous Online, Desktop Digital Security
originally posted on June 01, 2011

VoIP is a widely used, simple and inexpensive way to communicate. But how safe is it? The most popular platform, Skype, is advertised as end-to-end encrypted software that cannot be intercepted. It’s therefore likely that many social activists feel safer using it than when using, for example, Gchat or SMS. But Skype is owned by a commercial company, so interested software engineers cannot investigate the security of its protocol for themselves without the owner's consent.

Here are some of the points that activists looking for a good voice communication option should keep in mind.


Step 1.

Understand your adversary: who might be spying on you?

Whether or not you are safe on Skype (or any platform for that matter) depends on who you want to be safe from. If you trust Skype Limited, Skype seems relatively secure against casual adversaries. Obviously, if your adversary has jurisdiction over Skype Limited, you'll have to take extra precautions.

Step 2.

Skype safety may be contingent on location.

Rebecca MacKinnon notes that if you're in China and use the joint-venture version of Skype distributed by the Hong Kong-based company, TOM Online, the chat function is definitely not secure. Where else might the version available in your region have a different set of security issues than the version available elsewhere?

Tip!

Watch out for targeted malware - just because what you are downloading looks like a secure version of Skype and says it is a secure version of Skype, doesn’t mean it is.

Step 3.

Be careful who you’re chatting with - it may not be who you think.

Just because you recognize the name of someone who contacts you does not mean they are that person. Usernames have to be unique, but “Full names” do not. So anyone could create an account with the name of your best friend and take advantage of the trust that this affords them. As Nathan Freitas, founder of the Guardian Project, writes:

Anyone can impersonate you, contact your friends via chat, gain their full trust, and very quickly send an infected file transfer to them or ask them any question they'd like. This is not theoretical - it has happened countless times within Tibetan activist groups, who rely upon Skype pretty heavily (unfortunately).

Secure digital organizing is about more than the tool itself. Your behavior, such as triple-checking that the person you are talking to isn’t an impersonator or using different passwords for separate platforms, is just as important!
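The point of Step 3 (usernames are unique, full names are not) as an added Python example that is not part of the original post: it checks incoming contact requests against usernames you have already verified out of band. The address book, the requests and the function names are constructed for illustration.

```python
import unicodedata

# Constructed address book: display name -> the one username you verified
# out of band (in person, by phone). All names here are made up.
TRUSTED = {
    "Tenzin Dolma": "tenzin.dolma.84",
    "Maria Okafor": "m_okafor",
}

def fold(name: str) -> str:
    """Normalize a display name so visually identical variants compare equal."""
    name = unicodedata.normalize("NFKC", name)
    # Drop invisible format characters (zero-width space/joiner, BOM, ...).
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return " ".join(name.casefold().split())

def check_contact(display_name: str, username: str, trusted=TRUSTED) -> str:
    """Classify an incoming contact request.

    'verified'      - username is one you verified, under the expected name
    'impersonation' - display name matches a trusted contact, username does not
    'name-mismatch' - a verified username presenting an unexpected display name
    'unknown'       - no relation to the address book; verify before trusting
    """
    by_name = {fold(n): u for n, u in trusted.items()}
    by_user = {u: fold(n) for n, u in trusted.items()}
    folded = fold(display_name)
    if folded in by_name:
        return "verified" if by_name[folded] == username else "impersonation"
    if username in by_user:
        return "name-mismatch"
    return "unknown"

# Constructed incoming requests: (display name, username).
REQUESTS = [
    ("Tenzin Dolma", "tenzin.dolma.84"),
    ("Tenzin Dolma", "tenzin.dolma.48"),        # same full name, new account
    ("TENZIN  DOLMA\u200b", "t.dolma_office"),  # case, spacing, zero-width space
    ("Sam Lee", "samlee"),
]

if __name__ == "__main__":
    for name, user in REQUESTS:
        print(f"{check_contact(name, user):14} {name!r} <{user}>")
```

The check only narrows down who to be suspicious of; a "verified" result still depends on the username having been confirmed through a separate channel in the first place.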

Step 4.

When chatting on a VoIP platform like Skype, know that it is not as secure as using OTR (Off-the-Record Messaging) with another chat client. That's because you can't extend Skype chats with added security capabilities such as in-stream encryption. You can do this with AIM or GTalk by accessing those platforms through Pidgin or Adium.

Step 5.

If you can, use an option known to be more secure. Here are a few examples:

Whisper Systems

GNU Telephony

- RedPhone for Android (made by Whisper Systems) is only available in the US and Egypt.

- OSTN: Open {Secure, Source, Standards} Telephony Network defines a standard for VoIP service to be end-to-end secure.

- Ostel: Public testbed of the OSTN project. Uses TLS or SSL to secure SIP traffic and supports proxying of media for voice or video calls.

- CSipSimple: Basis for using Ostel on an Android client. A detailed walkthrough on using them together can be found here.

- Twinkle: GNU/Linux softphone using SIP. Secured with ZRTP and SRTP.

- SFLPhone: Encryption using SRTP, ZRTP, SDES key exchange, and TLS encryption.

- Jitsi: Secured with SRTP, ZRTP using XMPP/SIP. Supports SIP, AIM, Facebook, and GoogleTalk among others.

Some services cannot prove their security or have a history of exploits. Use the following services with caution.

- Zfone: A more secure VoIP option built by the creator of PGP, the most widely used email encryption software. Zfone uses something called "ZRTP" and (note!) can be used with other VoIP clients such as Google Voice (as long as RTP is enabled). It cannot be used with Skype. Update: The most recent version was released on 22 Mar 2009. In addition, since January 2011, it has not been possible to download Zfone from the developer's website since the download server has gone offline.

- Mumble: Mumble is free and open source VoIP server software that only allows for client-to-server security. Mumble itself does not host servers (or even run mumble.com). The only way to have a secure server is to host and secure it yourself. You can also preview a list of hosting options here.

- Silent Circle: An all-star team of cryptographers, founded by Phil Zimmermann (the creator of PGP), is attempting to provide end-to-end encryption between a broad range of devices. This service is proprietary and subscription prices range upwards from $20 USD a month. Much like Skype, this is a corporation and its best interests may not be aligned with yours. With code that is not open source, defects may not be as apparent or as readily fixed.

- Ekiga, Empathy, ooVoo, Ventrilo, TeamSpeak: While they may be dependable chat and VoIP clients, they are insecure, with little or no encryption. All information is broadcast and can be retrieved by a third party.

Want to add a tip? Share it in the comments, add to the Secure VoIP wiki or join the conversation on Twitter using the hashtag #SecVoIP
