Web (in)Security and What Can Be Done

We all like to think that web security is perfect, but we all know better.  You know about spam, phishing, and all manner of malware.  You probably run a virus scanner on your computer.  But what you don’t expect and shouldn’t expect is that the core of our security system would have a flaw.  It does, and has, from the beginning.  What’s more, it’s a known flaw.

How is it your browser decides to trust a site, or to show that lovely lock icon and perhaps a green URL bar when your communication is both encrypted and verified to be to a specific end point?  The simple answer is that your browser provider, Microsoft, Mozilla, Apple, or Google, has made a decision on your behalf that – at least as initially configured – your browser will trust a certain set of authorities, called certificate authorities (CAs), who will validate others.

One such certificate authority got hacked.  Badly.  And because they were trusted by your browser, so might you have been.  Here’s how it works.

  • When you access a URL that begins with “https”, a certificate is sent by that site that is signed by one of the trusted CAs, saying “yes, I agree that this is google.com,” (for example).  If someone gets in between you and Google, they won’t have the private key associated with that certificate, and they won’t be able to authenticate themselves to your browser.
  • If someone breaks into a CA and gets a certificate for “google.com” (again, for example), and then gets between you and the real Google, they will be able to masquerade.  It doesn’t matter which CA it is, as long as your browser trusts it.  Google needn’t have any relationship with that CA.

This is what happened with DigiNotar.  Not only did they get hacked, but they didn’t notice.  They didn’t have sufficient controls in place to even spot the attack, and they should have had them.

But now there’s something else we can do.  In the Internet Engineering Task Force (IETF), a few folks led by a gentleman by the name of Paul Hoffman have developed an approach where sites like Google can effectively register which certificates are valid for them in a separate, alternative authority that we largely trust, the Domain Name System (DNS).  You use DNS to convert site names like ofcourseimright.com to IP addresses like 10.1.1.1.

The group working on it is called “dane”.  Had the dane mechanism been in place in the browser, the attack on DigiNotar and Google would have failed, even if Google was a customer of DigiNotar (which they weren’t).

When we speak of security we always discuss defense in depth.  That is, never rely on exactly one mechanism to protect you, because at some point it will surely break.  In this case, the attacker needed to (a) compromise the CA and (b) get in between the service and the end user to succeed.  Had dane been in place, atop (a) and (b), the attacker would also have to have compromised Google’s DNS for the attack to succeed.  That’s likely even harder than compromising a CA.
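The check a dane-aware client would make, sketched as an added example (not code from this post or from the IETF group), using the TLSA record fields the work was later standardized with in RFC 6698.  The certificate and key bytes are constructed stand-ins, and the `ca_chain_ok` and `dnssec_ok` flags are assumed to come from the client’s existing CA validation and from DNSSEC validation of the DNS answer.

```python
import hashlib
from dataclasses import dataclass

# TLSA matching types (RFC 6698): how the published data is compared.
MATCHERS = {0: lambda d: d,                           # exact bytes
            1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = whole certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # key into MATCHERS
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format: '<usage> <selector> <mtype> <hex ...>'."""
    usage, selector, mtype, *hexparts = rdata.split()
    rec = TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))
    if rec.usage not in range(4) or rec.selector not in (0, 1) or rec.mtype not in MATCHERS:
        raise ValueError("unsupported TLSA parameters")
    return rec

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    selected = cert_der if rec.selector == 0 else spki_der
    return MATCHERS[rec.mtype](selected) == rec.data

def accept(ca_chain_ok, dnssec_ok, records, cert_der, spki_der) -> bool:
    """Trust decision; this sketch handles end-entity usages 1 and 3 only."""
    usable = [r for r in records if r.usage in (1, 3)]
    if not dnssec_ok or not usable:
        return ca_chain_ok        # no usable TLSA data: plain CA validation
    for rec in usable:
        # Usage 1 pins a cert that must also pass CA validation; usage 3 needs no CA.
        if matches(rec, cert_der, spki_der) and (rec.usage == 3 or ca_chain_ok):
            return True
    return False                  # the site published TLSA and nothing matched

# Constructed stand-ins for DER bytes; a real client takes them from the handshake.
REAL_CERT, REAL_SPKI = b"cert:site-key-A", b"spki:site-key-A"
ROGUE_CERT, ROGUE_SPKI = b"cert:other-key-B", b"spki:other-key-B"
PUBLISHED = [parse_tlsa("1 1 1 " + hashlib.sha256(REAL_SPKI).hexdigest())]

if __name__ == "__main__":
    print("site's own cert:", accept(True, True, PUBLISHED, REAL_CERT, REAL_SPKI))
    print("CA-signed rogue:", accept(True, True, PUBLISHED, ROGUE_CERT, ROGUE_SPKI))
```

The second call is the DigiNotar case: the certificate chains to a trusted CA, yet it is rejected because it does not match what the site published.  With `dnssec_ok` false the client is back to CA validation alone, which is why the DNS answer itself has to be authenticated.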

Dane has another potential benefit: in the long run, it may get browsers completely out of the business of telling you who to trust, or it will severely limit that trust.

This attack also demonstrates that as threats evolve our response to those threats evolves.  Here we understood the threat, but just didn’t get the work done fast enough before a CA was compromised.  I still call this a win, as I think we can expect to see dane even faster than we expected before the attack.

IPv4 address shortage: Who was the first to become concerned?

My own answer is “I don’t know”.  I only know that there were a few of us thinking about the problem in 1989.  Roy Smith raised the issue on the TCP-IP mailing list on November 25th of that year with this message:

Date:      25 Nov 88 14:56:57 GMT
From:      roy@phri.UUCP (Roy Smith)
To:        comp.protocols.tcp-ip
Subject:   Running out of Internet addresses?
	Has anybody made any serious estimates of how long it will be
before we run out of 32-bit IP addresses?  (Silly question; I'm sure a very
great amount of thought has been given to it by many people.)  With the
proliferation of such things as diskless workstations, each of which has
its own IP address (not to mention terminal multiplexors which eat up one
IP address per tty line!), it seems like it won't be too long before we
just plain run out of addresses.

	Yes, I know that 2^32 is a hell of a big number, but it seems like
we won't get anywhere near that number of assigned addresses before we
effectively run out because most nets are sparsely populated.  My little
bit of wire, for example, has 256 allocated addresses yet I'm only actually
using 30 or so.
-- 
Roy Smith, System Administrator
Public Health Research Institute
{allegra,philabs,cmcl2,rutgers}!phri!roy -or- phri!roy@uunet.uu.net
"The connector is the network"

Back then we used IP addresses in a considerably sparser way than we do today.  That message kicked off a lengthy discussion in which nobody was seriously in denial about the potential for a problem.  You can find the whole archive of the exchange here.  There were two concepts that were touched upon.  The first was whether or not we could use the so-called “Class E” space (240.0.0.0/4).  I and others gave this serious thought at the time.  However, the related issue which won the day was that fixed address lengths were an important property to be maintained.  Vint Cerf raised that design consideration as a question.  He also raised the possibility of using variable-length OSI addresses.

Here comes World IPv6 Day!

As you may have read in the press some time ago, the world is running out of IP addresses.  Really the world is running out of the current version of IP addresses.  An IP address is the means by which your computer and my computer can communicate with each other.  Addresses are similar to phone numbers in that if we each have a unique number we both can call each other.

How is it we’ve run out?  Quite simply the IP version 4 address size is fixed at 32 bits, which allows for at most a little over 4 billion simultaneous computers to connect.  Through the use of some sneaky tricks we are able to connect well more than 4 billion under the assumption that not every device needs to be able to communicate with every other device, but that game is getting a bit overplayed.

And so over fifteen years ago, the Internet Engineering Task Force (IETF) created IPv6, which has enough address space to stick an address on every speck of sand we have in the world.  More precisely IPv6 can handle 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.

NOW THAT’S A LOT OF PASTA!

Nobody wanted IPv6 way back then when we had plenty of IPv4 address space, but now that we’re out of IPv4 addresses, it’s moving day. That’s because we’ve become mobile, and computers have gotten smaller.  Not only can a cell phone access the Internet, but so can your printer,  a car, a boat, a camera, your television, washing machine, many game systems, and many other things.

Tomorrow is World IPv6 Day. Many service providers and web sites will be enabling the next generation Internet Protocol tomorrow to see what works and what breaks.  Will this inconvenience you even just a little?  Probably not.  Here’s why: your home gateway almost certainly doesn’t support IPv6, unless you’re a geek like me, in which case IPv6 day might inconvenience me.  But I had to go to quite some inconvenience already to get IPv6 into my home, so what’s just a little bit more?

Anyway, it’s all one big test to see how painful moving to IPv6 really is, and to see what breaks and what needs fixing.  As service providers and web sites work out the bugs you’ll be hearing more about IPv6.  Eventually, much like you did when you moved to high definition television, you’ll probably need a new router.  If all goes well, the only difference you’ll notice is that eventually services like Skype and iChat AV will improve.

By the way, this blog is IPv6-enabled!

As if On Cue: Google accounts attacked from China

The BBC reports today how China is rejecting Google’s statement that attacks on its users originated from China.  It’s very fair for China to call into question from whence attacks originate.  The best Google can really authoritatively say is that they saw attacks coming from a particular set of IP addresses that happen to be registered to a network that resides in a particular location, in this case Jinan.

However, the attacks targeted individuals said to be Chinese dissidents or adversaries.  In this case, as the BBC writes, while it is very difficult to state with assurance that the attacks were made by the Chinese government, the technique used, spear phishing, leads one to believe that this attack was in fact paid for, in some way, by a government.  Spear phishing involves learning about a particular individual, and then crafting a message that that person would think came from someone they knew, and convincing that person to view an attachment that itself contains a virus.  That virus must be relatively unknown, or virus checkers will pick it up.  The cost of spear phishing is high, and the monetary pay-off tends to be low.  Therefore, it is a good fit for an intelligence organization.

In addition, as I wrote not long ago, Cambridge University investigated a break-in of the Office of His Holiness, The Dalai Lama.  Those attacks also seemed to originate from China, they were also targeted against an adversary, and worst of all, China apparently acted upon the information stolen by applying diplomatic pressure against those countries who invited the Dalai Lama.

At the very least, China bears some culpability for allowing the attack.  Here we have a government that does not believe in the free flow of information, and so they are known for monitoring everything.  How, then, did this attack escape their notice?

Is hacking Skype a human rights violation?

Not twenty-four hours ago I wrote about how the Pentagon is going to announce how cyber-attacks could be casus belli.  Now the Wall Street Journal reports that an Egyptian intelligence agency was monitoring Skype communications of dissidents.  Let’s first agree on a truth.  No one’s right to privacy is absolute or ever assured.  However, plotting the peaceful overthrow of a government (in America we call that an election) should not be subject to snooping.  If we can go to war over hacking, should we not then also stand up for people’s human rights to peacefully and privately express their views?  Ronald Reagan used to rail on how the Soviet Union wasn’t free.  He was right.  Now here we are in the age of the Internet.  What do his words mean in today’s context?  The free flow of information is a human right.  It’s not absolute if, for instance, you’re talking about robbing a bank.

By the way, the Egyptians did not break Skype’s encryption, but instead seem to have infected the system of the dissidents.  That’s something Skype can only partially control; that is, if the infection was spread by Skype’s Instant Messaging capability, then they do bear some responsibility.  But if it was spread by other means, then there’s really not much they can do.