Brad Ideas - Is strong crypto worse than weaker crypto? Lessons from Skype - Comments

SIPs and PSTN incoming calls

Graham Pratt — Wed, 28 Jun 2006 22:53:38 -0700

Hmmmm Skype has not killed voip, i accept all that you have all said above however the plain fact iss, that I want people from outside to be able to call me on my landline number AND my SIP if they want to. Astratel did allow this, but I had issues with their service so left and my current provider does not have voip.

Regards.

Graham.

Still fewer

brad — Wed, 24 Aug 2005 11:03:37 -0700

But the point is that even though the dream of the SIP URL, which was intended to become like an E-mail address for VoIP, did not get realized, the number of people you could call on SIP phones was still too low for Skype to bother allowing it. At the time I did my study a year ago, there were perhaps 5,000 logged on to FWD at any given time, a few thousands more in the other SIP networks. Vonage allowed SIP interconnect for a while but shut it down. (No, calling somebody with a PSTN termination is not calling somebody with SIP, and in any event, Skype did that pretty quickly.)

If you could find their URLs, there are a modest number of companies and institutions that let you call their phone system with SIP, but the number then, and still today, was a few hundred thousands. Skype now reports typically over 3 million actually logged on and ringable, and far more installed.

I mean to have another thread about this, but ask yourself, how many SIP phones can you ring right now with the normal UI of your device? SIP is being used primarily for PoIP right now (PSTN over IP)

It's true: you don't call

Paul — Wed, 24 Aug 2005 04:40:49 -0700

It's true: you don't call people with a SIP URL. It would be like dialing on the PSTN with a TID ("Terminal ID", or the actual line address within the switching network). Do you publish a "Skype URL?" No.

Instead, you dial the interoperator code for your provider and "dial through" to the target subscriber. Much like international dialling. And before people criticize it for its "complexity", it's the same as SkypeOut. Except that you can't do it on a closed system such as Skype.

For example, on Pulver's FreeWorldDialup:
http://www.freeworlddialup.com/content/view/full/333/

Sure, the Skype UI did some things well. And the Pulver.communicator does some things well. And other clients do some things well. But if Skype were open and standards based, then the best UI could win. If any other UIs got the sort of proselytization that Skype has had, we'd all be much better off.

You've confused cause and

brad — Wed, 24 Aug 2005 01:32:43 -0700

You've confused cause and effect. People write about Skype because it is popular and interesting, not the other way around. It got a bit of a publicity pop from its authors' prior success but largely it got there by doing a lot of things right. Simple install, always-works NAT traversal, simple UI, high quality sound codecs.

I challenged the authors of Skype "Why don't you let it call SIP phones?" They answered, "Why, who can you call with SIP?"

Sadly, I determined they were right. There are lots of SIP devices out there, but nobody puts a SIP URL on a business card. The devices all work in their private number spaces or via PSTN connection.

They did put in SIP to do PSTN termination, but they don't let you use it to call SIP phones, and sadly, they don't need to. I had many discussions with many of the leading lights of SIP to ask how many people you could call with a SIP URL, and it's generally accepted it's now a lot fewer people than are on Skype.

If Skype "kills" SIP, it

Paul — Wed, 24 Aug 2005 00:53:45 -0700

If Skype "kills" SIP, it won't be because of anything Skype did particularly well (IMHO). It will be because only Skype seems to get free adverstising from any and every commentator.

It seems that the dozens of standards-based VoIP operators almost never get mentioned by name (although they often get acknowledged as a group), despite their millions of collective users and their increased flexibility in how the applications get used. Naming only one or two seems unfair, so only the proprietary S-word gets cited at all. Or, occasionally, some commentator will try to complain about this or that perceived failure of one of the standards-based operators.

Is strong crypto worse than weaker crypto? Lessons from Skype

brad — Tue, 23 Aug 2005 22:51:37 -0700

A mantra in the security community, at least among some, has been that crypto that isn’t really strong is worse than having no crypto at all. The feeling is that a false sense of security can be worse than having no security as long as you know you have none. The bad examples include of course truly weak systems (like 40 bit SSL and even DES), systems that appear strong but have not been independently verified, and perhaps the greatest villian, “security through obscurity” where the details of the security are kept secret — and thus unverified by 3rd parties — in a hope that might make them safer from attack.

On the surface, all of these arguments are valid. From a cryptographer’s standpoint, since we know how to design good cryptography, why would we use anything less?

However, the problem is more complex than that, for it is not simply a problem of cryptography, but of business models, user interface and deployment. I fear that the attitude of “do it perfectly or not at all” has left the public with “not at all” far more than it should have.

An interesting illustration of the conflict is Skype. Skype encrypts all its calls as a matter of course. The user is unaware it’s even happening, and does nothing to turn it on. It just works. However, Skype is proprietary. They have not allowed independent parties to study the quality of their encryption. They advertise they use AES-256, which is a well trusted cypher, but they haven’t let people see if they’ve made mistakes in how they set it up.

This has caused criticism from the security community. And again, there is nothing wrong with the criticism in an academic sense. It certainly would be better if Skype laid bare their protocol and let people verify it. You could trust it more. Read on…