That doesn't sound very convincing. You can't just have some icons tell you that you're secure, how do they know if someone's MITMing you?
You can use the already-available ZRTP, that requires each user to speak a phrase to the other, so you can verify by hearing the other person's voice. Discretio doesn't do any of that, so how does it know you're not talking to some random attacker?
I saw that, but I didn't see any explanation on how it works, and I'm pretty sure it's impossible to have security without verification. I can't read the code to verify that, sadly.
Curious to hear from someone working in a company who says things but not show it's true.
In fact, if i say i am rich, tall, blond with a famous sense of humour, you are ready to believe me, but if i don't say anything but i prove it, you refuse to believe me... strange.
Discretio doesn't say anything of this kind but show the entire client software source code. Do the same please.
Basically the client connects to SIP server using ssl connection authenticated on both sides.
When placing calls the clients A and B are negotiating SRTP session key using DH key exchange. It is done
over SIP (and not over RTP channel as in ZRTP).
Each client upon registration generates public/private key pair and submits a CSR to the registration service which signs it and stores the public key (which is later used to authenticate the above mentionned ssl connections) in the SIP server's DB...
The server has no access to the client's private key nor to the SRTP session key
Yes, with the cooperation from CA the MITM is still possible. We however will provide server code to especially paranoid clients so they can build and run the software on their own machines... This way they can have garanties against certificate tampering.
And we're working on an alternative solution when even cooperating CA will not allow MITM...
Well, this tech is derived from the project which was designed to meet specs of one of our clients.
We did propose ZRTP during design phase, to the client but they security analysts decided against it. They affirm that given the state the current state of art in speech recognition and synthesis ZRTP can be vulnerable on impersonation during short code validation phase for the attacker with sufficient resources.
I'm personally doubtful, but one thing i'm sure about, is that this client security experts have access to info and resources which are not available to me.
You can use the already-available ZRTP, that requires each user to speak a phrase to the other, so you can verify by hearing the other person's voice. Discretio doesn't do any of that, so how does it know you're not talking to some random attacker?