Tonight I started delving into something I’ve long wanted to – Asterisk, and other Voice-over-IP SIP protocol services. I never did learn any actual telephony protocol knowledge in my 10 years at a phone company, mostly because I was busy enough dealing with IP WAN, GPRS/EDGE, and application protocols needed to do my job. I was on the WAN team, not the telephony side of the business.
VOIP servers like Asterisk are powerful, loaded with tons of features, to the point where you almost don’t know where to start. There are quite a few online guides to getting started, but I haven’t located the one I need yet. I installed FreePBX in a VM to play with it, but there are so many features and options to setup correctly to lock down my server so others can’t abuse it.
My goal is to setup a text/voice/video communications service that my friends and family can use to talk to each other in a more secure environment than the regular telephony network, Facebook Messager, WhatsApp, or anything else. Asterisk can let your SIP clients setup peer-to-peer communications connections, so there is no intermediary system between the two clients. The metadata of who called whom, is still visible to the SIP server, but none of the content passes through any third system capable of monitoring it.
I did setup a Matrix homeserver of my own already, and it wasn’t too hard to do. There are free Windows, Android, IOS, Mac, and Linux clients for Matrix, and it works quite well. The only real problem is the user unfriendly process of verifying encryption keys. The Riot client forces each user to manually verify the keys from every single device you talk to. If I have an iPhone, Mac, and Linux laptop, you need to verify my keys three times. Of course, this is much more secure than something easy to use, like WhatsApp. WhatsApp automatically accepts peer encryption keys without question, which simply enables man-in-the-middle attacks. It does have an option to notify the user when someone else’s keys change, but it defaults to off. Even turning it on only produces a slightly red notification as soon as the chat starts. Most uneducated users would probably just ignore it, and chat away, revealing all their communications to whatever man-in-the-middle may intercept your communications.
I agree, whatsapp never would have become as popular as it has, had they not made thie tradeoff, preferring easy-of-use over strict security rules. Riot has made the exact opposite choice, preferring security over easy of use. I would think the whole thing would be adopted much more widely if they made that choice configurable, on a user-by-user basis. When you install the client, or maybe when you setup your account, ask the user which option they prefer – maximum security, or maximum easy to use. The paranoid of us will not be able to chat with our peers when they get a new phone, until we verify their encryption keys, and my Grandma can chat with her grandkids without even thinking about Encryption.
Tonight, I found the GNU Jami project, which is a free, open-source SIP client available for Windows, MacOS, Linux, Android, and IOS. You can chat with other Jami clients in a peer-to-peer, end-to-end encrypted session, but by default, the call setup depends on some public servers to setup those calls, so all of your communications metadata will still be given away to somebody else. Jami is a full SIP client, so i decided to try setting up a SIP server on my home server. If I can get Jami to use my own systems, instead of the shared Jami servers, to let my clients talk to each other, that will fit my bill.
SIP servers are quite powerful, and software like Asterisk supports all the options I desire. The downside is SIP and Asterisk are full of features and options, and not easy for a newbie to lock down. It’s about time I learned more about SIP. It could provide additional skills I could use to extend my IT career, since I don’t want to retire anytime in the near term.