Send in your ideas. Deadline October 1, 2024

Last update: 2010-09-17

End: 2012-01


DNSSEC for Jitsi (SIP Communicator)

Jitsi (formerly known as SIP Communicator), is a Java based open source VoIP and Instant Messaging client supporting various protocols such as SIP and XMPP. Trying to not being just another SIP Client it incorporates security mechanisms like ZRTP for encrypted media streams (audio, video, desktop sharing, etc.) and OTR for instant messages.

While these technologies provide a high level of security for the user data, the signaling metadata is blindly sent to the servers returned from DNS a query. Securing the connection to the server through TLS helps, but the connection can still be compromised when a rogue certificate can be obtained (for example from a government CA). At first sight signaling data seems not important, but looking at the newest developments in the Far East and North African countries it implies that some unfriendly people might only be interested in the metadata.

DNS is responsible for converting names into network addresses to locate servers. Users usually receive the addresses of DNS servers from their internet provider. As conventional DNS provides no security mechanisms, a rogue DNS can very easily supply the user with faked responses to requests and therefore redirecting him to an arbitrary server. Jitsi, or any other client application, relies on the replies from the DNS servers. When a VoIP account is configured to use a specific server, it passes all traffic to the address obtained from the possibly rogue DNS server. Transporting the metadata over TLS to the server does not really solve the problem as some governments run certification authorities that are trusted by the operating systems and web browsers. A malicious server would therefore silently be able to listen to all metadata traffic.

This is where DNSSEC comes into play. DNSSEC can guarantee the integrity and authenticity of replies. A DNSSEC aware client can be sure that a validated response is the one intended by the owner of the requested domain name. This avoids nearly all situations where a server tries to redirect the client to a malicious server.

The project will add client side DNSSEC validation and certificate checking to Jitsi, thus making end-to-end SIP communication secure.

Run by FHNW, the University of Applied Sciences Northwestern Switzerland.