Real-Time Communications Conference gets Real

It is only a few weeks until this year’s IIT Real-Time Communications Conference kicks off in Chicago, IL at the Illinois Institute of Technology.

I think it is going to be a great conference.  Of course, I’m slightly biased as I helped organize it again this year as a co-chair of the WebRTC and Cloud Communications Track.  I’m also an adjunct professor at IIT – I remote teach a WebRTC class there, using WebRTC, of course!

Here are some of the highlights for me:

  • “The Future of Open Source Software in Telecom” panel, moderated by Andy Abramson on the first day of the conference, Tuesday October 6, 2015 at 1pm.
  • “What’s Next for WebRTC” panel, moderated by Chad Hart of webrtcHacks on October 6, 2015 at 4:30pm.
  • “Simple secure federated identity for WebRTC (your new phone number)”, a presentation by the always interesting Tim Panton on Wednesday October 7, 2015 at 9am.
  • WebRTC and Federated Identity Tutorials on the day before the conference, Monday October 5, 2015 from 9am – 5pm.  Dan Burnett and I will give the WebRTC tutorial in the morning, and Matthew Hodgson from will give the identity tutorial in the afternoon.
  • TADHack Mini Hackathon, the weekend before the conference, October 3 – 4, 2015.  These are so much fun, and I can’t wait to see what people come up with, especially some of my students…  Who will win the $8k in prizes?  Kudos to Alan Quayle for organizing these incredibly creative events.

Besides these highlights, I always find interesting things in the other tracks, including:

And don’t forget a keynote by Henning Schulzrinne, of SIP and FCC fame, on “5G: What can we learn from the previous four generations?” on Thursday, October 8, 2015 at 11am.

Check out the impressive list of speakers at this year’s event.

Will I see you there?



Blackphone Disconnect Secure Wireless VPN

After my first look, I’m back exploring the other apps on my Blackphone. See my Full Disclosure of my friendship with the Silent Circle guys and my work on the ZRTP security protocol used in the Blackphone. Today I’m trying out the interestingly named Disconnect Secure Wireless application, basically a VPN (Virtual Private Network) service.  Given that this app is all about making connections, having it called “Disconnect” is a little odd.  The name probably makes more sense with their ad and malware blocking services.  According to their FAQ: “Secure Wireless uses AES-256 to encrypt data to or from your device. Secure Wireless also enforces Diffie-Hellman for key agreement/exchange which provides perfect forward secrecy (PFS).” which is all good.

Out of the box, the Disconnect Secure Wireless application takes you through a short tour of the service.  Essentially, it is a VPN service that can be easily enabled/disabled and also automatically enabled/disabled based on a preference for a given network. It seems this application is only available on Android, as the iOS version seems to not be a VPN but be an ad blocker of some type.

Disconnect Secure Wireless starts off with a free service of 512MB per month which you would blow through very quickly if you used it for everything.  By putting the Blackphone activation code into the Account screen, you get 2GB per month, which seems reasonable if you use it sparingly, such as WiFi hotspots or when traveling.

Disconnect Secure Wireless on Blackphone before entering the activation code to get 2GB per month.

Using it is easy – tapping the middle of the screen starts the VPN.  When turning it on, you get two warnings:


The first reminds you that, since this is a VPN service, all the device network packets will be routed through it.  Essentially, this app is a Man-in-the-Middle (MitM), although hopefully a trusted MitM. You must tap the “I trust this application.” in order to proceed.

The next warning tells you that once turned on, the VPN will always run for this network, until you turn it off.  This is a good warning from a usage perspective.


Next you get a Connecting message and the middle of the screen turns green and indicates bandwidth usage for the month to date. One interesting thing – while I did notice the bandwidth usage rise with normal web browsing, I did not notice it go up during lengthy Silent Circle voice calls.  In general, for a VoIP call such as Silent Circle, you can use up to 1MB per minute, depending on the codec.  Perhaps the packets from Silent Circle aren’t tallied by Disconnect against the VPN quota.  Or maybe I just got lucky…

Speed Test Results through Disconnect VPN of 6.6MB/s

Speed Test of underlying WiFi/Cable Modem of 24MB/s



The VPN speed seemed reasonable, although a speed test during a Saturday afternoon isn’t exactly scientific.  Compared to just my WiFi over Cable Modem, it was slower, of course.  The VPN has a location configuration for North America, Europe, or Asia. I’ll need to try it other times of the day to see how well it works.




The default search is also provided by Disconnect, although this can be changed.  A DNS failure in the browser automatically brings up a search window for the failed string.  It does show the Google “G” symbol, however, indicating that it is not an actual search engine. Instead, as described here, Disconnect Search forwards your request to the engine of your choice (Google, Bing, Yahoo, DuckDuckGo, or Blekko) and anonymizes it. You can also use it in any browser at So, Disconnect Secure Wireless does what it promises to on the Blackphone.

There’s plenty more on the Blackphone. Next time, I’ll try out Smarter Wi-Fi Manager or SpiderOak or do a proper review of the Silent Circle suite…

Your suggestions, comments and questions are most welcome!


First Look at the Blackphone

Full disclosure: I am good friends with Phil Zimmermann, co-founder of Silent Circle.  He and I worked together for many years to publish his ZRTP media security protocol as an RFC in the IETF standards body. I also helped him with his Zfone Project.  I’m also friends with Jon Callas, Travis Cross, and others at Silent Circle, who collaborated with Geeksphone to produce the Blackphone.



After the Blackphone was announced back in February in Barcelona, I ordered one as soon as they started taking orders, and have pretty much just been killing time ever since then.  I even had a false alarm delivery the other week when I was at the IETF conference in Toronto.  Another package with an address that had “Black” in it arrived, and I jumped to the conclusion that it was my Blackphone.  Instead, my Blackphone arrived the day I was in Chicago at ClueCon, on a Security Round Table panel with Phil and Travis.

My first impressions are quite positive: the packaging is good, the phone is nice to hold in the hand.  If anything, it feels lighter than I expected.  And it is black.  Included accessories are USB cable, charger with US and European plugs, and a headset.

Upon powering it up, you are prompted to create a pin or password, then it prompts you to encrypt the phone, which takes about 10 minutes or so.

I’ve been using Silent Circle for a while now on my iPhone, so I recognized the Silent Phone and Silent Text apps.  Silent Contacts was new to me, as were the other pre-installed security apps.

It took me a little while to get Silent Phone and Text working.  I had forgotten that I had to look up the Product Keys to get the Silent Circle Ronin code to activate the service and create my account.  The Silent Circle apps are similar to those on my iPhone although the user interface is inscrutable.  Why does it show one grey dot when I’m calling then switch to three green dots when I’m connected and ZRTP has been authenticated?  What does “Secure to server” mean?  Hopefully this is an easy fix to the UI to make it understandable.

Next, I need to try out SpiderOak and Disconnect.Me.  Also, I haven’t put a SIM in yet.  My friend James Body has given me a fantastic Truphone travel SIM that I really could have used last month during all my travels…

Look for a future post on these topics.  As always, questions & comments most welcome.


Third Edition of the WebRTC Book

I am very proud of the Third Edition of the WebRTC Book that came out just a few weeks ago.  My co-author Dan and I have been working on it for months, and it is always exciting to launch a new edition!

We worked feverishly during the IETF-89 meeting in London to get all the updates finished – all the APIs, protocols, and standards referenced should be up to date as of then (first week in March).  We also had a lot of fun testing and doing screen captures of the new Demo Application, which now utilizes the WebRTC data channel for Real-Time Text (RTT) between the two browsers.  I’ll write another day about RTT and how much fun it is compared to normal texting or instant messaging in another post.  For us, to make use of the data channel APIs and protocols and show the interoperability between Chrome and Firefox browsers was a lot of fun as well.

The Demo Application also can now utilize a TURN server for enhanced NAT traversal.  In some circumstances, NATs or firewalls will prevent a direct peer-to-peer Peer Connection from being established between two browsers, and a relay in the cloud is needed.  If the Demo Application fails for you, try reloading the page adding a ?turnuri=1 to the URL and see if it works for you!

Also new for this edition is a description of how to analyze WebRTC protocols on your computer using the excellent open source packet capture and analysis tool Wireshark.  Between Wireshark and various browser tools (try Tools/Developer Tools in Chrome and Tools/Web Developer in  Firefox, or chrome://webrtc-internals in Chrome for lots of useful WebRTC info), you can learn a lot just by playing with WebRTC.  If your application is not working, these tools allow you to debug and analyze what is happening.

Finally, Dan’s introduction to the WebRTC API has been greatly expanded with step-by-step introductions to the various functional parts of the client and server code.  As always, you can download all of our Demo Application code from our book website, and also see it running as well.

We have received so much excellent feedback in the one and a half years since we published the first edition.  We can’t wait to hear from you on what you think of the Third Edition.  We enjoy hearing from you on Twitter, Facebook, or Google+.


How to Communicate Securely over the Internet

Today, I published a new Internet-Draft on how to securely communicate over the Internet using a new web technology known as WebRTC and the ZRTP protocol.  Using this technique, Internet users can determine if the National Security Agency, or anyone else, is listening in to their calls placed using a web browser.  There are already a number of commercial and open source products utilizing ZRTP, including Silent Circle, Jitsi, and others, but this new technique opens it up for all web users.

For those of you not involved in the VoIP or video conferencing world, WebRTC, or Web Real-Time Communications, is a new standards effort to add real-time voice and video communications capabilities to web browsers.  This allows web developers to add voice and video communications with a few standard JavaScript calls.  All the pieces needed to communicate, including codecs and the ability to traverse NAT and firewalls, are built into the browser.  Today, WebRTC is available in the Chrome and Firefox browsers, and in Chrome for Android.  I’ve written a book on WebRTC if you want to learn more about it.

With WebRTC, all media flows are encrypted and authenticated using Secure RTP or SRTP.  Unfortunately, the keying method chosen for WebRTC is DTLS-SRTP or Datagram Transport Layer Security for Secure Real-time Transport Protocol.  DTLS-SRTP on its own does not provide protection against Man-in-the-Middle (MitM) attacks, also known as eavesdropping attacks.    Today, the news is full of reasons why Internet users need such protection.  We now know the surveillance of Internet users is widespread.

The ZRTP security protocol, published as RFC 6189 back in 2011,  was invented by Phil Zimmermann to allow Internet users to communicate securely and privately over the Internet.   ZRTP was not selected as the default keying method for WebRTC, despite it being the ideal candidate.

However, ZRTP can still be used to provide MitM protection for WebRTC sessions established using DTLS-SRTP.  As described in the new Internet-Draft written by myself, Phil Zimmermann, Jon Callas, Travis Cross, and John Yoakum, ZRTP can be implemented in JavaScript and run in both browsers over the WebRTC data channel.  The ZRTP exchange is used to compare the DTLS-SRTP fingerprints used to establish the media flows.  If the fingerprints match, and the ZRTP exchange is authenticated by the users comparing the Short Authentication Strings (SAS) displayed on each browser, the WebRTC media sessions are free of MitM attackers.

Jitsi Short Authentication String

How does this work?  You’ll have to read the ZRTP specification to find out exactly how, but in simple technical terms,  it is because ZRTP uses a technique known as a Diffie-Hellman key exchange augmented with a hash commitment.  This allows the SAS, which can be two words or four hex digits, to prove that a media session has no eavesdroppers present.
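How the SAS check described above catches an interceptor, as an added example that is not taken from the Internet-Draft, RFC 6189 or any ZRTP library: a simplified Node.js model of a Diffie-Hellman exchange with a hash commitment, where each side's view of the DTLS-SRTP fingerprints is mixed into the hash that yields the four-hex-digit SAS. The message names, the P-256 curve, the `net` hook and the fingerprint strings are assumptions of this example, not the real ZRTP message formats.

```javascript
// Added example: simplified model, not the RFC 6189 message formats.
const { createECDH, createHash } = require('node:crypto');

const sha256 = (...parts) => {
  const h = createHash('sha256');
  parts.forEach((p) => h.update(p));
  return h.digest();
};

// One endpoint. `fpView` is the pair of DTLS-SRTP fingerprints this side
// saw during call setup, as "initiatorFp|responderFp" (constructed values).
function makeParty(fpView) {
  const ecdh = createECDH('prime256v1'); // assumption: P-256 ECDH for brevity
  return { ecdh, pub: ecdh.generateKeys(), fpView };
}

// `net(name, msg)` models the path between the browsers; an on-path party
// may return a different message. The default is an honest network.
function runExchange(init, resp, net = (_name, msg) => msg) {
  const commitSent = sha256(init.pub);          // initiator commits first
  const commitRecv = net('Commit', commitSent);
  const part1Recv = net('DHPart1', resp.pub);   // responder reveals its key
  const part2Recv = net('DHPart2', init.pub);   // initiator reveals its key
  // Responder rejects a key that does not match the earlier commitment,
  // so a key cannot be chosen after the other side's value is known.
  if (!sha256(part2Recv).equals(commitRecv)) throw new Error('commitment mismatch');

  // Each side hashes its own shared secret and its own view of the exchange.
  const iHash = sha256(init.ecdh.computeSecret(part1Recv), commitSent,
    part1Recv, init.pub, init.fpView);
  const rHash = sha256(resp.ecdh.computeSecret(part2Recv), commitRecv,
    resp.pub, part2Recv, resp.fpView);
  // The SAS is the leading 16 bits, read aloud as four hex digits.
  const sas = (h) => h.subarray(0, 2).toString('hex');
  return { initSas: sas(iHash), respSas: sas(rHash),
    hashesMatch: iHash.equals(rHash) };
}

// Both browsers saw the same fingerprints and nothing was altered in transit.
function honestCall() {
  const view = 'FP-ALICE|FP-BOB';
  return runExchange(makeParty(view), makeParty(view));
}

// An interceptor terminates both legs and substitutes its own key, so the
// two users derive different secrets and see different fingerprints.
function interceptedCall() {
  const mallory = makeParty('');
  const swap = (name) => (name === 'Commit' ? sha256(mallory.pub) : mallory.pub);
  return runExchange(makeParty('FP-ALICE|FP-MALLORY'),
    makeParty('FP-MALLORY|FP-BOB'), swap);
}
```

With only 16 bits displayed, an intercepted call still shows matching strings by chance about once in 65,536 attempts, which is why the example also reports whether the full hashes match.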

We have documented this usage of ZRTP with WebRTC in the Internet-Draft document draft-johnston-webrtc-zrtp.  Hopefully soon there will be some open source ZRTP JavaScript libraries freely available for web developers.

Everyone needs privacy in their communication, and WebRTC with ZRTP finally provides a real solution to all Internet users.


New WebRTC Certification and Training!

If you are involved in the real-time communications industry, there’s no doubt you’ve been hearing about, and investigating WebRTC – Web Real-Time Communications.  WebRTC is about adding a complete audio and video stack to browsers, and exposing these capabilities to web developers through JavaScript APIs.  WebRTC is going to make huge changes in our industry.

I’ve been fortunate to be involved in WebRTC right from the beginning in the standards, and  with my friend Dan Burnett wrote the first book on WebRTC.   Perhaps you have read it?   Although it has been less than a year since we first published it, we recently published the second edition to track the increasing pace of development and innovation in WebRTC.

Now, we are pleased to announce online and in-person training and certification for WebRTC, in partnership with the WebRTC School.   We have put together two training classes:

Certified WebRTC Integrator – this is a course for architects, system integrators, and VoIP and telephony developers who want to integrate WebRTC communications from browsers into their existing VoIP and video conferencing infrastructure.  It details all the protocols needed and the principles behind architecting and designing gateways. This course is online right now at the WebRTC School!

Certified WebRTC Developer – this course is for web developers, web architects, and web integrators who want to learn how to use the WebRTC JavaScript APIs to create WebRTC sites and applications.  It details all the W3C APIs and all the components needed to get WebRTC up and running, including signaling, servers, and security.  This course includes actual WebRTC code which runs on browsers today.  This course will be available online at the WebRTC School later this month.

We are very excited to be launching these training classes.  But what is the certification part?  Following its highly successful SIP School Certified Associate  (SSCA) program, WebRTC School is offering certification via online testing for Certified WebRTC Integrator (CWI) and Certified WebRTC Developer (CWD) programs.

I hope these classes will help spread the word on WebRTC!  If you take either of these classes, I’d love to hear from you what you think and what you have learned.



ZRTP at WashU ACM Hackfest 2013

On Saturday, I gave a presentation and demo of ZRTP at Hackfest 2013, organized by the Washington University in St. Louis chapter of ACM (Association of Computing Machinery).

A group of about 60 undergrads had gathered in Urbauer 211 to learn about hacking and try it out. I gave a short presentation about ZRTP, the media path keying protocol for SRTP invented by Phil Zimmermann.

I was fortunate to serve as the editor of the ZRTP specification, which was published as RFC 6189 two years ago. I showed how ZRTP allows users to detect the presence of a MitM (Man in the Middle) attacker by checking the Short Authentication String.

Here is a PDF of my presentation.

Jitsi ZRTP SAS Comparison User Interface

Then I used the Jitsi open source voice, video, & chat application to demo ZRTP. Emil Ivov, founder and chief developer at Jitsi answered my ZRTP call, and we checked the SAS. The sequence of steps used to secure the voice & video session is shown in this animated GIF.

Afterwards, I gave away a copy of Counting from Zero, my technothriller that incorporates elements of ZRTP, hacking, exploits, and zero-day attacks.

We then spent the rest of the afternoon playing with Metasploit on an isolated network of virtual Windows machines. It was an interesting day.  Just like at IETF meetings, the biggest excitement of the afternoon was when the cookies arrived!

Perhaps at next year’s session, we can try out VoIP hacking tools such as SIPvicious!
