Hello Richard,
Thank you for this highly invaluable service. However, I have noticed a privacy vulnerability that could be fixed.
The prefixes of the custom domain's SIP addresses as well as their corresponding SIP addresses are exposed in plain text in the DNS records. Therefore, humans or bots could scan DNS records and potentially abuse these addresses at almost zero cost. Due to SIP telephony still being somewhat of a niche, I am unaware of spammers/scammers harvesting SIP addresses, but it would certainly be a concern if the technology became more mainstream. It would be much more difficult to manage than email spam.
One could mitigate this problem by adding numerous TXT records with invalid prefixes and SIP addresses among the valid ones, but that's not an ideal solution.
This problem could be fixed in different ways: (1) generating a unique code for each prefix and each SIP address through encryption but not changing the structure of SRV and TXT records or (2) using a secure non-public database containing domain names, prefixes and their matching SIP addresses (no TXT records).
I hope this post may be useful to prospective users of SipCloak and for future development of the service.
Cheers,
Guillaume
Victoria, Canada