11

I wonder if voice chat (via public services like Yahoo, Google Talk, Skype, etc.) is practically secure? Is it possible for the ISP or any middle point? I do not consider hacking the computers, but transmitting data.

Comparing with http, is there something like https for voice chat to avoid any possible spying in the middle? Is it practical to encrypt voice data?

Googlebot
  • 213
  • 2
  • 7
  • Of course it's practical, and secure if done right, but is it worth the effort? And the service needs to support it to work, and also needs a certificate otherwise an MITM is possible. – Thomas Jul 06 '12 at 20:05

5 Answers

20

At the annual IEEE Security & Privacy conference in 2011, White et al. presented some very involved research on reconstructing encrypted VoIP sessions. The image below shows the overall architecture of the authors' approach.

Although it works only for variable bitrate codecs (most common VoIP codecs are constant bitrate, e.g. G.711), the results are impressive. For details, have a look at the paper.

Architecture of reconstructing encrypted VoIP sessions.

mavam
  • 501
  • 3
  • 6
  • 4
    mind = blown. Awesome paper. – Polynomial Jul 10 '12 at 10:44
  • It looks like the compression signature is giving away the information. Keeping the stream of encrypted data at a constant rate would eliminate that attack. –  Jun 13 '13 at 06:42
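
The length leak discussed in this answer and its comments, as an added Python example that is not from the post or from the White et al. paper: a toy variable-bitrate codec whose frame size depends on the sound, encrypted with a length-preserving cipher, then again with every frame padded to a fixed size. The frame sizes, `TAG_LEN`, `PAD_TO` and the SHA-256 keystream are assumptions made for the illustration, not real codec or protocol values.

```python
import hashlib
import hmac
import os

TAG_LEN = 16   # assumed authentication-tag size
PAD_TO = 64    # assumed fixed payload size for the padded variant
# Constructed frame sizes in bytes per sound class; not real codec figures.
VBR_FRAME_BYTES = {"silence": 6, "fricative": 20, "plosive": 28, "vowel": 38}


def encode(sounds):
    """Toy VBR codec: frame size depends on the sound being spoken."""
    return [os.urandom(VBR_FRAME_BYTES[s]) for s in sounds]


def keystream(key, seq, n):
    """Toy SHA-256 counter keystream standing in for a length-preserving cipher."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + seq.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def protect(frames, key, pad):
    """Encrypt each frame into one packet; optionally pad to PAD_TO first."""
    packets = []
    for seq, frame in enumerate(frames):
        if pad:  # 1-byte length prefix, then zero fill up to the fixed size
            frame = bytes([len(frame)]) + frame + bytes(PAD_TO - 1 - len(frame))
        ct = bytes(a ^ b for a, b in zip(frame, keystream(key, seq, len(frame))))
        packets.append(ct + hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN])
    return packets


def observed_lengths(sounds, pad):
    """What a passive observer on the path sees: packet sizes only."""
    return [len(p) for p in protect(encode(sounds), os.urandom(32), pad)]


# Two constructed utterances with the same number of frames.
UTTERANCE_A = ["silence", "plosive", "vowel", "fricative", "vowel"]
UTTERANCE_B = ["silence", "fricative", "vowel", "vowel", "plosive"]
```

Without padding the two utterances produce different size traces even though the payload is unreadable; with padding both traces are identical, at the cost of sending every frame at the largest size.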
9

This question is hard to answer without knowledge of who and what you wish to be secure from. Does "practically secure" mean you are unlikely to be eavesdropped? If it does, then Skype (for example) is a good choice, due to its encryption.

Which country are you in? Some countries have 'lawful intercept' laws which authorised law enforcement personnel can use to observe your traffic. See Wikipedia: https://en.wikipedia.org/wiki/Lawful_interception. There has been press in this area - an example off the top of my head is that the Russian Government objected to the use of BlackBerry equipment in their country, as it was unable to monitor communications. This was later resolved, as access was granted.

It is definitely practical to encrypt voice communications. Skype does this, I know for sure, although I am not sure if other services do. Bear in mind that, sometimes, who you talk to may be more revealing than what you talk about - it is definitely not a simple matter of 'is voice secure'.

randomdude
  • 827
  • 1
  • 7
  • 12
4

Is it possible for the ISP or any middle point?

If you meant is it possible for the ISP/middle point to decipher/decode/snoop on your chat, then the answer is yes. For unencrypted voice transports, all you need is a Wireshark plugin to reconstruct the chat out of the pcap files. Check out http://www.panoramisk.com/151/analyzing-voip-with-wireshark/en/

Comparing with http, is there something like https for voice chat to avoid any possible spying in the middle?

You can run your voice chat over SSL/TLS, that will mean that your data will be encrypted. However you won't be able to leverage the authentication part of TLS as unlike a Server-Client communication in websites, chat softwares are peer-to-peer. To leverage authentication part of SSL, you'll need client certificates which will enable authentication of the other party. If you don't have a client certificate, then you never know if you are talking to the right person (a MITM can spoof to be the other party). Installing client certificates may be possible in a smaller (corporate) setup but may be difficult to achieve on the internet where you can basically talk to any client.

Is it practical to encrypt voice data?

It's very practical to encrypt voice data. Many systems do it. Encryption-decryption overhead is no longer prohibitive to decide against it.

CodeExpress
  • 2,447
  • 14
  • 10
  • "_However you won't be able to leverage the authentication part of TLS as unlike a Server-Client communication in websites, chat softwares are peer-to-peer._" Not true. "_you'll need client certificates which will enable authentication of the other party_" Not true. – curiousguy Jul 07 '12 at 02:13
  • I'd like to know what parts are untrue and why so. When I said chat softwares are peer-to-peer, I said in the context of video/audio chat. Text based chat is still routed through servers but most video/audio chat is done peer-to-peer by the clients. Also why would a client certificate be insufficient to authenticate a chat client to other. Kindly elaborate. – CodeExpress Jul 07 '12 at 06:41
  • I am not saying that this software is or is not P2P. I just don't know the implementation details. Please also note that P2P does not mean that the central server does not have the key role (pun intended). P2P means that a central server does not get to route megaoctets of video chat. What I am saying is that **P2P does not imply** that the usual TLS security properties are not guaranteed, given a correct system design. I don't know if these real world chat protocols are secure, I am saying one can design a secure P2P chat protocol (easily). – curiousguy Jul 07 '12 at 07:48
  • (...) I am also saying that **a TLS client certificate is absolutely not needed to obtain all these security guarantees**. A TLS client certificate is only one possible way to verify the client identity, not the only way. A secure P2P protocol could also use a secret cookie which is generated by the central server and distributed to parties. I am also saying that, given an insecure system where TLS is used, without verifying the TLS server key in the P2P connexion, *just adding a TLS client certificate on top of that insecure system* cannot make it secure. – curiousguy Jul 07 '12 at 07:50
  • (...) The usual security properties of TLS are obtained only **after checking the TLS server key**. A P2P protocol design that would not provide *enough information for the TLS client to perform this check for P2P connexions* would then be *insecure at the protocol level* - insecure WRT the usual TLS properties of resistance to an *active* attacker (resistance to passive recording of packets could be obtained in this case). – curiousguy Jul 07 '12 at 07:54
  • (...) Of course, given a P2P design, who is talking to whom is difficult to hide from a passive listener who has access to the directory (who can map user-id to P2P clients' IP addresses). This is a property of P2P. Some users think revealing their IP address to complete strangers is a serious issue, yet they use Skype. This is of course a different issue that TLS does not cover. – curiousguy Jul 07 '12 at 07:57
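
The secret-cookie idea raised in the comments above, sketched as an added Python example that is not code from any participant or from a real chat product: a directory server hands both parties a per-call cookie, and each side proves knowledge of it bound to the keys actually seen on the peer-to-peer connection. The function names are hypothetical, random bytes stand in for TLS public keys, and the handshake is assumed to prove possession of the matching private key.

```python
import hashlib
import hmac
import secrets


def fp(public_key: bytes) -> bytes:
    """SHA-256 fingerprint of the key a peer presented in the handshake."""
    return hashlib.sha256(public_key).digest()


def issue_cookie() -> bytes:
    """Directory server: per-call secret, delivered to both parties over their
    existing server-authenticated TLS sessions (assumed, not modelled here)."""
    return secrets.token_bytes(32)


def make_proof(cookie: bytes, role: bytes, own_key: bytes, peer_key_seen: bytes) -> bytes:
    """Prove knowledge of the cookie, bound to both keys seen on this link."""
    msg = role + fp(own_key) + fp(peer_key_seen)
    return hmac.new(cookie, msg, hashlib.sha256).digest()


def verify_peer(cookie, peer_role, key_presented, own_key, proof) -> bool:
    """Recompute the proof from the key actually presented on this connection."""
    expected = make_proof(cookie, peer_role, key_presented, own_key)
    return hmac.compare_digest(expected, proof)


def simulate_call(mitm: bool) -> bool:
    """Return True if the caller (Alice) accepts the callee (Bob) as authentic."""
    # Constructed stand-ins for the two clients' TLS public keys.
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    cookie = issue_cookie()
    if mitm:
        # A middle point terminates the handshake toward each side with its own key.
        middle_key = secrets.token_bytes(32)
        seen_by_alice, seen_by_bob = middle_key, middle_key
    else:
        seen_by_alice, seen_by_bob = bob_key, alice_key
    bob_proof = make_proof(cookie, b"callee", bob_key, seen_by_bob)
    # A relay can forward bob_proof but cannot recompute it without the cookie.
    return verify_peer(cookie, b"callee", seen_by_alice, alice_key, bob_proof)
```

No client certificate is involved: the check succeeds only when the key Alice saw is the key Bob used and both hold the cookie the directory issued.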
3

It is definitely possible to eavesdrop on a voice conversation which goes over VoIP. However there are some programs like Skype that encrypt the voice data which makes it difficult and only difficult to tap into but not impossible. It depends on how well-equipped the eavesdropper is and how keen he is. If it is a government then I can make sure that it can, even with encryption in place.

In the digital world everything is possible!

Infinity
  • 131
  • 2
1

Skype used to have a little padlock icon in the bottom-left of chat and call windows, whose tooltip said "This connection is end-to-end encrypted" or something similar. I don't know if that's still the case, but they used to brag about their security. I hope that they are encrypted.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321