by decimalenough
249 days ago
Almost as crazy as email and HTTP being designed without encryption, amirite? SS7 dates from the early 1980s, as do SMTP (1981) and HTTP (1989). In all three cases people built the simplest thing that works and then hacked on it as new requirements arose. The main problem is that the telco world is very conservative and closed-source, so while we've had HTTPS and encrypted IMAP etc. for a while now, SS7 hasn't gotten similar upgrades.
It's not the same protocol of course and doesn't do the same thing, but it's used in the same scenarios and has a similar level of security and importance.
And both are peer to peer - you can agree with one of your peers to secure your BGP session, but it won't have much impact on the global network, of which your BGP sessions are only a small part. There was a talk recently released from DEFCON33 about the phone system, where it was mentioned that to bypass authentication, spammers seek out carriers with old TDM systems which can't support authentication, and might even be their main customers. This is like that. All of your peerings may be secure, but if you start blocking calls you got relayed from 4 networks away with incorrect metadata, you can't tell if it's fake data or if one of those intermediary networks messed up the metadata on a legitimate call, and you will block legitimate calls and lose customers. Networks are weird systems where politics, not specifications, dominate.