Security

ssathya
Posts: 24
Joined: Thu Aug 13, 2009 1:41 am
Location: US

Security

Post by ssathya » Mon Sep 21, 2009 5:02 pm

My security concern with Sipsorcery is becoming a reality and Aaron has confirmed that at http://sipsorcery.wordpress.com/ (Sept 18th posting). Some people have signed up to Sipsorcery with one intention: to spoof into others' accounts.

This is a great product with thousands of users and I trust we need to address password encryption at the earliest. I have the concept ready (works 75% okay) but I've not submitted my changes to Aaron due to two problems. One, my code is going to pose limitations for further changes, and two, once you reset your master password all other passwords in the database need to be manually updated.

The design is to use non-reversing password encryption for your login. Then use this salted password key to encrypt your other login credentials (this way Sipsorcery can decrypt your password before transmission).

The problem is, as stated earlier, when you change your login password to http://sipsorcery.com you'll have to change all other passwords.

My code was limited to 2 to 3 files in the source code but there are some bad practices (checking for field name = "password" - ugly :cry: ). I'll leave it to Aaron for a better implementation.
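The design sketched in the post above, worked through as an added example (this is not SIP Sorcery code and not the poster's patch): a salted, one-way PBKDF2 hash of the site login password is stored for authentication, and a second key derived from the same password encrypts the stored provider passwords. `change_master` shows the limitation the post describes (every credential row has to be decrypted and re-encrypted when the master password changes), and `change_master_wrapped` goes one step beyond the post by wrapping a random data key under the master-derived key, so a password change only rewrites the wrapper. Assumptions: the PBKDF2 parameters, the record layout, and the HMAC-SHA256 counter-mode cipher, which is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

# Added example (not SIP Sorcery code). Models the design in the post above:
# a one-way, salted hash of the login password for authentication, plus a key
# derived from that same password to encrypt stored provider passwords.
# Assumption: the HMAC-SHA256 counter-mode cipher below stands in for AES-GCM.

KDF_ITERATIONS = 60_000


def _kdf(password: str, salt: bytes, purpose: bytes) -> bytes:
    # Domain-separate the login hash from the vault key: same password and salt,
    # different output, so the stored hash never doubles as the encryption key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, KDF_ITERATIONS)


def make_login_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt, b"login")}


def verify_login(password: str, record: dict) -> bool:
    return hmac.compare_digest(_kdf(password, record["salt"], b"login"), record["hash"])


def _subkeys(key: bytes) -> tuple:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; blob layout is nonce || ciphertext || tag.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("credential blob failed authentication (wrong key or tampered)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Design as posted: the vault key is derived straight from the master password.
def create_account(master: str, provider_passwords: dict) -> dict:
    login = make_login_record(master)
    vault_key = _kdf(master, login["salt"], b"vault")
    return {"login": login,
            "creds": {p: encrypt(vault_key, pw.encode()) for p, pw in provider_passwords.items()}}


def provider_password(account: dict, master: str, provider: str) -> str:
    if not verify_login(master, account["login"]):
        raise PermissionError("bad master password")
    vault_key = _kdf(master, account["login"]["salt"], b"vault")
    return decrypt(vault_key, account["creds"][provider]).decode()


def change_master(account: dict, old: str, new: str) -> int:
    """Rotate the master password. Returns how many credential rows had to be
    rewritten: all of them, which is the limitation the post describes."""
    if not verify_login(old, account["login"]):
        raise PermissionError("bad master password")
    old_key = _kdf(old, account["login"]["salt"], b"vault")
    account["login"] = make_login_record(new)
    new_key = _kdf(new, account["login"]["salt"], b"vault")
    account["creds"] = {p: encrypt(new_key, decrypt(old_key, blob)) for p, blob in account["creds"].items()}
    return len(account["creds"])


# Variant that removes the limitation: a random data key, wrapped by the master-derived key.
def create_account_wrapped(master: str, provider_passwords: dict) -> dict:
    login = make_login_record(master)
    data_key = os.urandom(32)
    kek = _kdf(master, login["salt"], b"vault")
    return {"login": login, "wrapped_key": encrypt(kek, data_key),
            "creds": {p: encrypt(data_key, pw.encode()) for p, pw in provider_passwords.items()}}


def _unwrap(account: dict, master: str) -> bytes:
    if not verify_login(master, account["login"]):
        raise PermissionError("bad master password")
    return decrypt(_kdf(master, account["login"]["salt"], b"vault"), account["wrapped_key"])


def provider_password_wrapped(account: dict, master: str, provider: str) -> str:
    return decrypt(_unwrap(account, master), account["creds"][provider]).decode()


def change_master_wrapped(account: dict, old: str, new: str) -> int:
    """Only the wrapped data key is rewritten; credential rows are untouched (returns 0)."""
    data_key = _unwrap(account, old)
    account["login"] = make_login_record(new)
    account["wrapped_key"] = encrypt(_kdf(new, account["login"]["salt"], b"vault"), data_key)
    return 0
```

Both variants leave the provider passwords recoverable only while the user's master password is in hand, so a dumped database yields PBKDF2 hashes and ciphertext rather than plaintext; the wrapped variant additionally makes a master-password change a one-row update. Neither changes anything about an attacker guessing a weak provider password over the network.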

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Post by Aaron » Mon Sep 21, 2009 9:49 pm

The behaviour I have been observing is a user trying to hack a third-party provider, not the sipsorcery accounts. The approach being used was to cycle through account names and try each one with a password of 123456. Essentially a brute force approach looking for weak passwords.

The only defence against brute force attacks is to have a strong password (greater than 6 characters made up of numbers, digits and other chars). Using a salt or encryption in the database won't help at all for this type of attack. Those things help if the sipsorcery server somehow gets compromised and an attacker gets access to the database.

Regards,

Aaron
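The pattern Aaron describes, one source cycling through many account names with a single guessed password, looks different in an auth log from a brute-force run against one account, and the difference is what a server-side detector keys on. Below is an added example (not SIP Sorcery code) that slides a time window over failed logins per source address and flags both shapes, then lists any account that logged in successfully from a flagged source after the attack began, which is the weak-password account the attacker found. The log format, the sample lines and the thresholds are constructed for this example; map your own auth log onto the regex.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example (not SIP Sorcery code). Detects the pattern described above:
# one source walking through account names with a single guessed password,
# as opposed to hammering one account. Log format, sample lines and
# thresholds are constructed for this example.

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: a spray from 203.0.113.9 that finds frank, a single-account
# brute force from 198.51.100.7 that eventually gets alice, and one innocent typo.
SAMPLE_LOG = """\
2009-09-21 10:00:01 auth failed user=alice src=203.0.113.9
2009-09-21 10:00:02 auth failed user=bob src=203.0.113.9
2009-09-21 10:00:03 auth failed user=carol src=203.0.113.9
2009-09-21 10:00:04 auth failed user=dave src=203.0.113.9
2009-09-21 10:00:05 auth failed user=erin src=203.0.113.9
2009-09-21 10:00:06 auth ok user=frank src=203.0.113.9
2009-09-21 10:00:10 auth failed user=alice src=198.51.100.7
2009-09-21 10:00:11 auth failed user=alice src=198.51.100.7
2009-09-21 10:00:12 auth failed user=alice src=198.51.100.7
2009-09-21 10:00:13 auth failed user=alice src=198.51.100.7
2009-09-21 10:00:14 auth failed user=alice src=198.51.100.7
2009-09-21 10:00:15 auth failed user=alice src=198.51.100.7
2009-09-21 10:00:16 auth failed user=alice src=198.51.100.7
2009-09-21 10:00:17 auth failed user=alice src=198.51.100.7
2009-09-21 10:01:00 auth ok user=alice src=198.51.100.7
2009-09-21 10:05:00 auth failed user=bob src=192.0.2.33
2009-09-21 10:05:20 auth ok user=bob src=192.0.2.33
"""


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


def analyse(log_text: str, window: timedelta = timedelta(minutes=5),
            spray_accounts: int = 5, brute_attempts: int = 6) -> dict:
    """Per source address, slide a window over failed logins and flag:
    - spray: at least spray_accounts distinct usernames failing inside one window
    - brute_force: one username failing at least brute_attempts times in one window
    - success_after_attack: accounts that logged in from a flagged source after it
      started failing, i.e. the weak-password accounts the attacker found."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)

    findings = {"spray": {}, "brute_force": {}, "success_after_attack": {}}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "failed"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= spray_accounts:
                findings["spray"][src] = sorted(set(findings["spray"].get(src, [])) | users)
            for user, n in Counter(e["user"] for e in in_window).items():
                if n >= brute_attempts:
                    hits = findings["brute_force"].setdefault(src, {})
                    hits[user] = max(hits.get(user, 0), n)
        if src in findings["spray"] or src in findings["brute_force"]:
            since = fails[0]["ts"]
            later_ok = sorted({e["user"] for e in events
                               if e["result"] == "ok" and e["ts"] >= since})
            if later_ok:
                findings["success_after_attack"][src] = later_ok
    return findings


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

The spray threshold counts distinct usernames rather than attempts, because a spray generates only one or two failures per account and never trips a per-account lockout; the per-account threshold catches the opposite shape. The `success_after_attack` list is the one to act on first, since those are the accounts whose password was actually guessed.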
