Protecting VOIP conversations

Yesterday I wrote about a new, unannounced wi-fi VOIP phone from Linksys, the WIP 300. I am excited by the fact that it appears to be the first wi-fi VOIP phone out there with a built-in browser (which would likely allow it to connect through most public hotspots that require users to log in or to click through an initial page). Since then I’ve listened to a couple of podcasts about VOIP security and the difficulty of building in functionality to protect (encrypt) the conversation, particularly when products from different manufacturers are used together. Here’s a thought – why not build in a PPTP VPN client?

Sure, the initial implementation of PPTP by Microsoft was very flawed. However, most of the holes have been plugged over the years. From what I can tell, while not as secure as IPSEC, PPTP’s major weakness right now is that the strength of the protection it provides depends heavily on the encryption key (password) selected by the user. Use of PPTP with a long, random password should provide sufficient protection for most applications. So, if Linksys or other VOIP wi-fi handset manufacturers built in a PPTP client, the handset would be able to create a secure VPN connection to a home or home-office computer or a compatible router, and would then be able to reach that user’s preferred VOIP service provider through the tunnel. While not providing end-to-end encryption, it would protect the conversation from interception at a wi-fi hotspot, hotel, or other public location. The reason I’m suggesting PPTP over IPSEC is that most consumers can either easily run a PPTP server on their computer (it’s built into Windows XP), can buy an inexpensive router that includes PPTP server functionality, or can subscribe to a public PPTP VPN service provider. IPSEC is more difficult to set up and may require a more expensive router/firewall appliance.
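To make the "password is the weak point" observation concrete, here is an added example (not code from the original post, nor from Linksys or Microsoft) that walks through how the MPPE session keys protecting a PPTP tunnel are derived when MS-CHAPv2 is used for authentication, following RFC 2759 (NT password hash) and RFC 3079 (MPPE key derivation). Every input to the derivation is either the user's password or material sent over the wire, so whoever can guess the password can recompute the keys; that is exactly why a long, random password matters. The MD4 routine is implemented inline because many Python builds no longer expose MD4 through `hashlib`. The 24-byte NT-Response, the function names, and the sample passwords are all constructed for illustration; in a real exchange the NT-Response comes from the MS-CHAPv2 challenge/response.

```python
import hashlib
import math
import secrets
import string
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here so the example runs without OpenSSL's legacy provider."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: (((x & MASK32) << s) | ((x & MASK32) >> (32 - s))) & MASK32
    msg = bytearray(data) + b"\x80"          # padding: 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += (len(data) * 8).to_bytes(8, "little")  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]   # round 2 word order
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]   # round 3 word order
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a, b, c, d = d, rol(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rol(a + G(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rol(a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


# Constants from RFC 3079 section 3.4 (MS-CHAPv2 key derivation).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def nt_password_hash(password: str) -> bytes:
    """RFC 2759 NtPasswordHash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def mppe_master_key(password: str, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey: the only secret input is the password."""
    hash_hash = md4(nt_password_hash(password))          # PasswordHashHash
    return hashlib.sha1(hash_hash + nt_response + MAGIC1).digest()[:16]


def mppe_session_keys(password: str, nt_response: bytes, key_len: int = 16):
    """RFC 3079 GetAsymmetricStartKey from the client's point of view: (send_key, recv_key)."""
    master = mppe_master_key(password, nt_response)

    def start_key(magic: bytes) -> bytes:
        return hashlib.sha1(master + SHS_PAD1 + magic + SHS_PAD2).digest()[:key_len]

    return start_key(MAGIC2), start_key(MAGIC3)


def password_entropy_bits(password: str) -> float:
    """Rough upper bound on password entropy: length * log2(size of the classes it draws from)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def random_pptp_password(length: int = 24) -> str:
    """A CSPRNG-generated password whose entropy comfortably exceeds the 128-bit MPPE key."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample values: a weak password and a placeholder NT-Response.
    nt_response = bytes(range(24))
    for pw in ("password", random_pptp_password()):
        send, recv = mppe_session_keys(pw, nt_response)
        print(f"{pw!r:28} entropy~{password_entropy_bits(pw):6.1f} bits  send={send.hex()} recv={recv.hex()}")
```

The takeaway is visible in the output: the two 128-bit session keys are fully determined by the password hash and the 24 bytes of NT-Response that crossed the wire, so the effective key strength is whatever the password's guessability allows. The entropy helper gives a rough ceiling for judging whether a chosen password is in the same league as the key it protects.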