Doing Business Securely in an Insecure World
Agosto 7, 2007
By Randy Bush
2007.08.07
What real improvements in security have we achieved? The net certainly
is not a safe place with phishing, DDoS attacks, cross-site script HTML
attacks, etc. But, though these are serious problems indeed, we should
not ignore where we have been successful and try to take some lessons
from these successes.
The Net is a Dangerous Place But We Can Do Things Safely
Twenty years ago, it was considered rude to have a UNIX machine on the
net which did not offer a password-less account with the name ‘guest’ so
that any passer-bye could use it. People with ten years or less
experience do not believe me when I tell this to them.
Times have certainly changed. The net is a much less secure place. In
an environment where attacks are continuing events, where operating
system and application vulnerabilities are discovered daily, where
bot-nets of 100,000 zombies attack, we still conduct financial and other
private transactions worth billions of dollars.
How is this? Basically, we have deployed tools and protocols which
enable secure transactions in an insecure world. This is a similar
philosophy to that where we have built a reliable network from a set of
unreliable components; circuits fail, equipment has errors, etc. But
the packets route around the failures. What are the successful
protocols/tools?
Secure Sockets Layer / Transport Layer Security (SSL/TLS)
One would not consider sending credit card or other personal data over
an unencrypted link. Encrypted and usually authenticated browsing, e.g.
https as opposed to http, are the base on which almost all internet
commerce is founded. Even when the transaction is not using a browser,
TLS, the new name for SSL (so that the IVTF could make a
‘contribution’), is used underneath most client/server exchanges.
SSH
Can you imagine telnetting to a remote system today? The resulting
exposure to attack, password interception, etc. has made telnet a thing
of the distant past, along with rsh, rcp, etc.
The SSH protocol and tool-set, and SSHv2 in particular, now dominate
this niche.
IPSec
VPN technology allows safe deep business transactions with branch
offices, trusted vendors, traveling employees, telecommuters, etc.
IPSec in particular provides not just seemingly private channels, but
encrypts the data flowing over those channels, which MPLS, ATM, etc. do
not. Circuit emulators such as MPLS and ATM are vulnerable to tapping,
aside from being topologically fragile; they are VNs not VPNs.
Pretty Good Privacy (PGP)
PGP allows us to exchange signed and strongly encrypted email where the
content is non-repudiable, i.e. the sender can not claim that they did
not send it. PGP can also be used to encrypt files on one’s hard drive.
This free tool is so powerful that the US Government tried to suppress
its export even more than their normal efforts.
It is also worth noting that trust in PGP is non-hierarchic; i.e. there
is no central authority. PGP entities attest to each other’s identities
in a ‘web of trust’ as opposed to a hierarchy. So it is quite
decentralized, immune to compromise of ‘root trust anchors,’ etc.
X.509
X.509 certificates and the public key infrastructure to support them are
used in browser authentication. The problem here is that, as they are
totally hierarchic, they are as reliable as the Certifying Authority
(CA) which issues them; and the commercial CAs which issue certificates
have little financial incentive to really validate identity. There have
been notable compromises of the X.509 certificate hierarchy.
Use of X.509 certificates for attesting to IP Address Space ownership
will start coming into use at the RIRs and ISPs in 2008.
S/MIME
There is a second, far less used, email signing method which is used to
some extent in the corporate world. Its function is similar to that of
PGP, but it relies on an X.509 certificate hierarchy.
Summary
There are free, open source, tool-kits for all of the above. And they
are incorporated in browsers, email packages, etc.
This is not to say that there are no security issues on the Internet.
Certainly
o SPAM,
o DDoS,
o The Estonian DDoS,
o The root DNS attack of 7 February 2007,
o etc.
are all very real and are serious problems. But, thanks to the good
folk who gave us the protocols and tools I listed above, and the
applications which use them, we can walk safely through a dangerous city.
Again, as we can build a reliable Internet out of unreliable components,
we can build secure applications and services which work well in today’s
highly insecure environment. This is a big win.
-30-
