Chapter 2: System Settings
Certificates
Digital certificates are electronic documents that are used to verify that the system you
are interacting with is legitimate. The PBX uses them in multiple ways:
• For securing the traffic between the web browser and the web interface of the system when HTTPS is used.
• For securing the SIP traffic between the phone and the system’s signaling path when TLS is used.
• For your email server when it requires TLS (e.g., gmail).
By default the system generates its own certificate, referred to as a self-signed certificate. A
self-signed certificate is signed by its own creator, so the only party vouching for its legitimacy
is the system itself. While this provides reasonable encryption of the traffic, it does not
ensure that the client is really talking to the server, as third-party certificates do (i.e.,
the client could also be talking to a person in the middle who is just relaying the traffic). This
essentially means that the traffic is no longer private, and since most Internet browsers
are quite strict regarding certificate verification, the user must explicitly accept the
untrusted certificate. Also, some IP phones accept SIP traffic only on connections that
have valid certificates. While the user of a web browser can just click and accept the
certificate, a user of a phone usually does not have that choice, and the connection just
fails.
Certificates also allow you to defend your installation against DNS redirection attacks.
For example, an attacker might gain control over a DNS server (which you do not
operate) and redirect all requests to their own server. Although the attacker might be able to
present the same certificate that you have, without the private key that you used when
requesting the certificate from the trusted third party, the attacker will be unable to
establish secure communication. This way, the user agent can determine whether the
host that has been contacted is really the desired host and can then decide to deny the
connection if the public and private keys do not match.
The system supports HTTPS, TLS, and SRTP, protocols which require a digital certificate
and private key for secure communication (the private key will be used for encrypting
messages). Certificates are usually used for web services; however, the same certificates
can also be used for SIP services. The system can support multiple certificates,
which allows you to have a certificate for each domain.
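The difference between the default self-signed certificate and one issued by a trusted third party, and the private-key check described above, can be reproduced with the openssl command line. The following is an added example, not part of the manual or of the snom ONE software; it builds a throwaway CA and uses the hostname pbx.example.com purely as an assumption.

```shell
# Generate, in directory $1, a private CA, a CA-signed PBX certificate and a
# self-signed one (the kind the PBX creates for itself by default).
setup_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$dir/srv.ext" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:pbx.example.com
EOF
    # The trusted third party's root, the kind of entry a phone's trust store holds.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/req.cnf" \
        -extensions v3_ca -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # The PBX's key pair and signing request; only the request leaves the PBX.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=pbx.example.com" -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/srv.ext" -out "$dir/srv.pem" >/dev/null 2>&1
    # A self-signed certificate: signed by its own key, vouched for by nobody else.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/req.cnf" \
        -subj "/CN=pbx.example.com" -keyout "$dir/self.key" -out "$dir/self.pem" >/dev/null 2>&1
}

# What a strict client (browser or IP phone) does before trusting the PBX: chain the
# certificate to a trusted root and check that the name in it matches the host it dialled.
verify_cert() {  # $1 trusted CA bundle, $2 certificate, $3 expected hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# A certificate is only usable by whoever holds the matching private key: compare the
# public key embedded in the certificate with the one derived from the key file.
keys_match() {  # $1 certificate, $2 private key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

The self-signed certificate fails `verify_cert` even though it encrypts just as well, and a certificate presented by someone without the matching key fails `keys_match`, which is what the client relies on during the TLS handshake.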