Although it is now two years out from the landmark disclosures about network surveillance, the interest in and desire for reliably secure communications continues unabated. Presently, Skype persists as the most used VoIP platform, particularly in the English-speaking market; its competitors include WhatsApp (which is not well suited to match business needs) and LINE (which is still trying to gain traction outside of its home region).
But, the existing solutions are not secure. Skype received a score of 1 out of 7 from the Electronic Frontier Foundation's Secure Messaging Scorecard, with WhatsApp receiving a 2. (LINE was not scored.) In the case of Skype, the aforementioned disclosures provided new insight into the inner workings of the Skype platform, and the extent to which Skype is vulnerable to — and explicitly designed for — the interception of use information.
What's wrong with Skype?
Even before the Microsoft purchase in 2011, structural problems in Skype security had been observed, many of which remain unpatched. Foremost among these issues is the ability for the IP address of any Skype user to be discovered by only knowing the username, an issue that has remained unpatched since 2010. Worse, this flaw has resulted in the promulgation of multiple ID services that advertise "blacklisting" services for a fee to prevent your ID from being identified.
Reporting by The Guardian following the disclosures two years ago indicated that Microsoft acted to break the security of Skype to allow for decryption and interception by US government agencies. According to The Guardian, the NSA "tripled the amount of Skype video calls being collected."
How does Ring address these issues?
Ring is the next generation of the SFLphone project produced by the Montreal-based open source software firm Savoir-faire Linux. Through 10 years of development as SFLphone, it has refined the features typically anticipated in a VoIP client — compatibility with SIP and IAX, multiparty calls, call-recording capabilities, support for various codecs, and separate user interfaces for GNOME or KDE desktops to match user preference. With the rebranding to Ring, it adds a Windows and OS X client, and completely redesigns the networking system through which users connect to each other.
Ring uses OpenDHT (a distributed hash table) to connect users instead of a centralized SIP server system such as Asterisk. OpenDHT is an implementation of the same decentralized, peer-to-peer system used in BitTorrent's distributed tracker, as well as the Coral Content Distribution Network. For comparison, the founders of Skype originally worked on the Kazaa filesharing application. Skype initially utilized a derivative of the FastTrack protocol used in Kazaa, though this has changed somewhat since the program was first introduced. Additionally, components now use MSNP24, a derivative of the protocol used in the now-defunct MSN Messenger.
OpenDHT allows Ring to bypass the server-client methodology by passing along user information to each user. According to an interview on the Savoir-faire Linux blog with Guillaume Roguez, the Ring project director:
With Ring, each account is identified on the network by a personal digital footprint commonly called hash — a unique code of 40 letters and numbers linked to an identification certificate and a pair of asymmetric keys for encrypted communications. It registers itself by distributing its identity not to one but multiple equivalent servers — each machine acting in fact as an identity server for others. These machines can appear, disappear and be replaced by others at any time. The table of hashes containing all the identities of connected users and their IP addresses at a given time is distributed to all their machines.
Adrien Beraud provides further insight into the construction of Ring, noting that OpenDHT is itself not an inherently secure design; as with BitTorrent, it relies on the trust of all parties to the network to store and transmit data properly. For this reason, the encryption layer is added on top of OpenDHT, rather than trying to modify DHT to resist interference. As such, Ring utilizes PKCS asymmetric keys to ascertain the validity of the data in transit.
What is the present status of Ring?
Ring introduced the Alpha version of the software in late April 2015 following an internal private test. The focus now, according to Roguez, is checking performance on a larger scale — for which community feedback is necessary. Following that feedback, the plan is for interoperability, by introducing mobile versions. The source is available for security auditing, or code contributions from the public.
Checking your reception
Is security in VoIP communications an important consideration for you? Have you previously used SFLphone on Linux? Does this mission for security and privacy ring true to you — and, will you try Ring on your desktop? Share your views in the comments.
- Security of VoIP phone systems comes up short
- Voice and Hangouts: The opportunity in the enterprise
- Massey University charts early shift to Skype for Business (ZDNet)
- Security and Privacy: New Challenges (ZDNet/TechRepublic special feature)
- IT Security and Privacy: Concerns, initiatives and predictions (Tech Pro Research)
Note: TechRepublic, ZDNet, and Tech Pro Research are CBS Interactive properties.
James Sanders is a Tokyo-based programmer and technology journalist. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.