by josh2600
4740 days ago
I very much disagree with your assertion that you care more about the /content/ than the setup. Your content encryption is completely useless if your signaling protocol is exploited. I don't know why you say you'd hear Mallory's voice; that isn't implied at all. I don't need you to speak to someone else in order to MITM the signed Certificate you hold so sacred. I'm not trying to be offensive, but I think ZRTP or SRTP don't matter one lick if the cert gets compromised. Without pinning, how do you know your certificate is actually the one you were expecting? If the Cert gets popped, I don't see how the call could possibly be secure. The entire key exchange is splayed open for the operator to see. Yes, media encryption is unbreakable, but what would be the point of breaking the encryption if you have the key? Am I missing something?

For more information on what I'm saying: http://blog.cryptographyengineering.com/2012/11/lets-talk-ab...

Edit: In reading Moxie's input in the blog post above, I may be overestimating the vulnerability of the call setup. I still contend that you can't really trust certs, and the only semblance of trust is pinning, but I digress.
Here's the trick: SIP has nothing to do with sound or video. It "establishes sessions". The typical SIP dialog flow has a hierarchy of many other protocols. In order, they read like this:
SIP->TLS->SDP->ZRTP->SRTP
That dude in the middle is the Session Description Protocol. This describes what will happen in the future regarding the media stream. When the clients agree on this (codecs, IP addresses, ports, etc.), a full-duplex session is established between the two peers. The preceding TLS stuff, which depended on a CA, is now over. We are ready for round two.
This is what you missed. We haven't even begun sending data over our media socket yet and the security stuff that depends on a central authority is finished.
Now that we can speak to each other, let's do that! But wait! My client has an alphanumeric string on the screen. This is called a Short Authentication String. When you read the SAS to me and I read mine to you, we click "OK" and now our conversation is encrypted. Because we agreed on a key with our words, not our fingers.
If you would like to try this IRL, you can call lee@ostel.co. I'm online right now.
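
The SAS comparison described in the reply above, as an added sketch that is not part of the original thread: each end derives a short string from the key it negotiated over the media path, so a relay that substituted its own key leaves the two callers with different strings. The toy Diffie-Hellman group, the `sas` derivation and all function names are assumptions for illustration; real ZRTP uses the key agreement and KDF defined in RFC 6189.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, assumed for this sketch only: p = 2**255 - 19, g = 2.
P = 2**255 - 19
G = 2
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def sas(own_priv, peer_pub):
    """Derive a 4-character string from the secret this endpoint negotiated."""
    shared = pow(peer_pub, own_priv, P)
    digest = hashlib.sha256(b"SAS" + shared.to_bytes(32, "big")).digest()
    bits = int.from_bytes(digest[:4], "big") >> 12  # keep the leftmost 20 bits
    return "".join(ZBASE32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def direct_call():
    """Both callers see each other's real public value."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return sas(a_priv, b_pub), sas(b_priv, a_pub)


def relayed_call():
    """A relay in the media path hands each caller its own public value instead."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, m_pub = keypair()
    return sas(a_priv, m_pub), sas(b_priv, m_pub)


if __name__ == "__main__":
    print("direct :", direct_call())   # two identical strings
    print("relayed:", relayed_call())  # strings differ, so reading them aloud exposes the relay
```

The check only works if both people actually read their strings to each other before clicking "OK".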