I came across an article detailing how to use the Gizmo Project client to dial through
Asterisk when the big boss wanted to know if this looked like something nice for our customers.
Initially, Gizmo looks like an ordinary SIP client, but I noticed that the REGISTER didn't come
from a known IP address. Below is a short outline of what seems to happen.
- At the time of initial login, Gizmo contacts 126.96.36.199 and talks a bit over HTTPS, so it's practically impossible to tell what the
conversation is about. Then follows some STUN traffic,
some Jabber (XMPP) traffic, and some more HTTPS.
- All SIP signalling goes to proxy01.sipphone.com,
which relays it to the Asterisk server.
- RTP traffic was sent
through 188.8.131.52, a box in Germany.
I don't like this. What is this HTTPS traffic about? Why doesn't the client communicate directly with
Asterisk? It looks like they want to be able to monitor traffic if they choose to. The
fact that it is sub-optimal to add latency by sending RTP across Europe is one thing, but what's
worse is why they route it that way in the first place.
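If you want to check a softphone against this kind of observation yourself rather than eyeballing a capture, the points to look at on the Asterisk side are the network-layer source of each REGISTER or INVITE, the chain of Via headers (every proxy the signalling passed through adds one), and the address in the SDP c= line, which is where the RTP will actually go. The following is an added example written for this article; it is not code from the original page, from Gizmo or from sipphone.com. It assumes a hypothetical allow-list of client networks (EXPECTED_CLIENT_NETS) and uses constructed SIP messages with RFC 5737 documentation addresses in place of captured traffic.

```python
"""Audit where a SIP client's signalling and media actually go.

Added example, constructed for this article; not code from the page,
from Gizmo or from sipphone.com. Given a SIP request as seen by the PBX,
it reports:
  - the network-layer source of the request, checked against the client
    networks registrations are expected from (an assumed allow-list)
  - every Via hop, so a proxy in the signalling path shows up
  - the address in the SDP c= line, which is where RTP will flow
All addresses below are from the RFC 5737 documentation ranges.
"""
import ipaddress

# Assumption: clients should register from this network (e.g. office LAN/VPN).
EXPECTED_CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_sip(raw):
    """Split a SIP request into method, headers (lower-cased name -> list of
    values), the host of every Via hop, and the SDP c= address if present."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # "SIP/2.0/UDP host:port;branch=..." -> keep only the host part.
    # First Via is the hop closest to us, last Via is the originating client.
    vias = []
    for via in headers.get("via", []):
        sent_by = via.split()[1].split(";")[0]
        vias.append(sent_by.rsplit(":", 1)[0])
    media_addr = None
    for line in body.split("\n"):
        if line.startswith("c=IN IP4 "):
            media_addr = line.split()[-1]
    return {"method": method, "headers": headers, "vias": vias, "media_addr": media_addr}


def _in_expected(addr, nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname, not an IP: cannot verify, treat as unexpected
    return any(ip in net for net in nets)


def audit(raw, src_ip, nets=EXPECTED_CLIENT_NETS):
    """Return a list of findings; an empty list means the request looks like it
    came straight from a client on an expected network with direct media."""
    msg = parse_sip(raw)
    findings = []
    if not _in_expected(src_ip, nets):
        findings.append(f"signalling from {src_ip}, outside expected client networks")
    if len(msg["vias"]) > 1:
        proxies = ", ".join(msg["vias"][:-1])
        findings.append(f"{len(msg['vias'])} Via hops, signalling relayed via: {proxies}")
    if msg["media_addr"] and not _in_expected(msg["media_addr"], nets):
        findings.append(f"media (RTP) would flow via {msg['media_addr']}, outside expected client networks")
    return findings


# Constructed sample messages, not captured traffic.
DIRECT_REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:alice@pbx.example.net>;tag=1\r\n"
    "To: <sip:alice@pbx.example.net>\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

RELAYED_INVITE = (
    "INVITE sip:bob@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-p1\r\n"  # third-party proxy
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-c1\r\n"     # the client, behind NAT
    "From: <sip:alice@pbx.example.net>;tag=2\r\n"
    "To: <sip:bob@pbx.example.net>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 198.51.100.5\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.5\r\n"  # a media relay, not the client
    "t=0 0\r\n"
    "m=audio 40000 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    for label, raw, src in (("direct", DIRECT_REGISTER, "192.0.2.10"),
                            ("relayed", RELAYED_INVITE, "203.0.113.7")):
        print(label, audit(raw, src) or ["no findings"])
```

Run against a real capture, feed it the request text and the packet's source IP (for example from tshark's sip.msg_hdr and ip.src fields); a non-empty findings list is the "signalling and media go through somebody else's box" pattern described above. The parser is deliberately minimal (IPv4 only, no multi-line header folding), enough to answer the one question, not a general SIP stack.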
I got the following answer from Prasad Mahendra from sipphone.com, so I thought I should
include it in the article:
Roy, I came across this article on the web (http://karlsbakk.net/asterisk/gizmo-project.php)
and I can explain Gizmo's behavior and perhaps alleviate some of your concerns.
- Use of HTTPS: Gizmo uses http/https to log in and configure itself, which is
necessary for it to discover the proxy, relays, etc. it should use, which are distributed.
- We use RTP relays whenever peer-to-peer communication is not possible (for example
if you are behind a symmetric NAT). This is necessary or Gizmo will be broken/will not
work for a significant % of users. (Perhaps this is irrelevant for Asterisk since
Asterisk proxies all media? Supporting a secondary SIP service in general, however, is a
different story and we need to fully take care of NAT traversal.)
- Secondary login (Asterisk etc.) SIP signals are routed through our proxy for (a) call
history recording in Gizmo (so that you can log in with your Asterisk user/pass anywhere
and have your call history with you on Gizmo) and (b) NAT traversal.
Hope this answers your questions/concerns. Let us know your thoughts/suggestions.
Thank you for the answer. It has been added in full to the article about your system,
to inform the community of your concerns.
I still fear some people, myself among them, will refrain from using your system, since
sending private data across the world is a security risk not worth taking. You may consider
adding an option allowing the user to choose whether or not to send private data
through your system.
Roy Sigurd Karlsbakk