Evaluation of ZRTP clients
This should be of interest to Guardianproject's Ostel project: https://www.sufficientlysecure.org/2017/03/15/zrtp.html
We evaluated the ZRTP clients Acrobits Softphone, CSipSimple, Jitsi, Linphone, and Signal with regard to their protocol compliance, error handling, and user interfaces. Our extensive analysis uncovered a critical vulnerability that allows wiretapping even though Short Authentication Strings are compared correctly. We discuss shortcomings in the clients’ error handling and design of security indicators potentially leading to insecure connections.
I also want to praise the effort put into your Open Secure Telephony Network (OSTN), which we used as our test network.
As always, I am open to questions and ideas on how to fix outstanding issues.