WCIT and the ITU?


The International Telecommunication Union (ITU) is making the news these days, in part because there is about to be a treaty conference called the World Conference on International Telecommunications (WCIT).  What is the ITU? And what does it do?

The ITU is a specialized agency of the United Nations that focuses on telecommunications.  It has four components:

  • A general secretariat;
  • A standardization sector or ITU-T;
  • A radio coordination sector or ITU-R; and
  • A development sector or ITU-D.

The radio sector coordinates spectrum allocation and so-called “orbital satellite slots”.  It is also responsible for the standardization of time signals (UTC).  The development sector focuses on the special needs of developing countries.  The standardization sector has set international standards for telecommunications since the organization was founded as the International Telegraph Union in 1865, starting with the telegraph.  The general secretariat manages logistics for the three sectors, and represents the ITU to other international fora and to the U.N.

How has the ITU been relevant to you?  There are several key standards that are worth taking note of:

  • E.164 specifies pretty much what a telephone number looks like, starting with the international dialing code.
  • G.711, G.719 and others specify how voice is encoded into data.
  • X.509 is the basis for the public key infrastructure that is in use on the World Wide Web.
  • D.50 specifies accounting standards by which international carriers bill each other, or so-called settlement rates.  There’s real money involved in this one.

This is some pretty important stuff.

The ITU-T was formed out of the CCITT (the International Telegraph and Telephone Consultative Committee), a coordination committee made up primarily of European governments.  These days, ITU membership spans 193 countries.  Only governments may vote, although civil society and paying sector members may have some influence.

So what is WCIT?  WCIT is a treaty-level conference that revises the International Telecommunication Regulations (ITRs), the treaty in which all those lovely accounting rates are agreed upon.  But they’re not stopping there.  The ITU-T has had a very limited role in the Internet’s development.  Standardization and governance over the Internet falls to several classes of entities:

  • National governments with their own sets of laws;
  • Standards organizations such as the IEEE, IETF, W3C, and 3GPP; and
  • Not-for-profit organizations such as ICANN and Internet Registries.

This latter group focuses on what I call “internals”.  That is, how do you get an IP address or a domain name?  The Internet has grown to over 1.25 billion users with very limited involvement of the ITU-T.

Now governments want to take a firmer hand in areas such as how addresses and names are allocated and cybersecurity.  That is what WCIT is about.

More about the ITU and WCIT in the future.

Web (in)Security and What Can Be Done

We all like to think that web security is perfect, but we all know better.  You know about spam, phishing, and all manner of malware.  You probably run a virus scanner on your computer.  But what you don’t expect and shouldn’t expect is that the core of our security system has a flaw.  It does, and has had one from the beginning.  What’s more, it’s a known flaw.

How is it your browser decides to trust a site, or to show that lovely lock icon and perhaps a green URL bar when your communication is both encrypted and verified to be to a specific end point?  The simple answer is that your browser provider, Microsoft, Mozilla, Apple, or Google, has made a decision on your behalf that – at least as initially configured – your browser will trust a certain set of authorities– certificate authorities (CAs)– who will validate others.

One such certificate authority got hacked.  Badly.  And because they were trusted by your browser, so might you have been.  Here’s how it works.

  • When you access a URL that begins with “https”, the site sends a certificate signed by one of the trusted CAs, saying “yes, I agree that this is google.com” (for example).  If someone gets in between you and Google, they won’t have the private key associated with that certificate, and they won’t be able to authenticate to your browser.
  • If someone breaks into a CA and gets a certificate for “google.com” (again, for example), and then gets between you and the real Google, they will be able to masquerade as Google.  It doesn’t matter which CA it is, as long as your browser trusts it.  Google needn’t have any relationship with that CA.

This is what happened with DigiNotar.  Not only did they get hacked, but they didn’t notice.  They didn’t have sufficient controls in place to even spot the attack.  Those they should have had.

But now there’s something else we can do.  In the Internet Engineering Task Force (IETF), a few folks led by a gentleman by the name of Paul Hoffman have developed an approach where sites like Google can effectively register which certificates are valid for them in a separate, alternative authority that we already largely trust: the Domain Name System (DNS).  You use DNS to convert site names like ofcourseimright.com to IP addresses like 10.1.1.1.

The group working on it is called “DANE” (DNS-based Authentication of Named Entities).  Had the DANE mechanism been in place in the browser, the attack on DigiNotar and Google would have failed, even if Google had been a customer of DigiNotar (which they weren’t).

When we speak of security we always discuss defense in depth.  That is, never rely on exactly one mechanism to protect you, because at some point it will surely break.  In this case, the attacker needed to (a) compromise the CA and (b) get in between the service and the end user to succeed.  Had DANE been in place, on top of (a) and (b), the attacker would also have had to compromise Google’s DNS for the attack to succeed (and because the DANE records must be signed with DNSSEC, merely spoofing the DNS answer in transit would not do).  That’s likely even harder than compromising a CA.
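To make the two bullets above and the defense-in-depth argument concrete, here is an added example (not code from the original post, and not the IETF’s or any browser’s implementation) that models a browser’s CA check next to a DANE/TLSA check.  The TLSA record layout (usage, selector, matching type, association data) follows RFC 6698; everything else is a stand-in so the script runs offline with only the Python standard library: the “certificate” is a small dict rather than DER-encoded X.509, the CA “signature” is an HMAC under a per-CA secret rather than RSA or ECDSA, and the CA names, the hostname www.example.com, the public-key bytes and the trust store are all constructed for the illustration.  The scenario: two trusted CAs, the site’s real certificate from one of them, and a rogue certificate for the same name minted by an attacker who has compromised the other.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA resource record as laid out in RFC 6698 (e.g. _443._tcp.www.example.com)."""
    usage: int      # 1 = PKIX-EE (CA validation AND match), 3 = DANE-EE (match alone)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def toy_cert(subject, spki, issuer, issuer_secret):
    """Mint a stand-in certificate.  Real X.509 is DER plus an RSA/ECDSA signature;
    here the to-be-signed part is JSON and the CA signature is an HMAC (toy only)."""
    tbs = json.dumps({"subject": subject, "spki": spki.hex(), "issuer": issuer},
                     sort_keys=True).encode()
    sig = hmac.new(issuer_secret, tbs, hashlib.sha256).digest()
    return {"subject": subject, "issuer": issuer, "spki": spki, "tbs": tbs, "sig": sig}


def ca_check(cert, hostname, trust_store):
    """The pre-DANE browser rule: any CA in the trust store may vouch for any name."""
    secret = trust_store.get(cert["issuer"])
    if secret is None or cert["subject"] != hostname:
        return False
    expected = hmac.new(secret, cert["tbs"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert["sig"])


def tlsa_matches(cert, record):
    """Does this certificate match the association data in one TLSA record?"""
    if record.selector == 0:
        material = cert["tbs"] + cert["sig"]      # stands in for the whole DER certificate
    elif record.selector == 1:
        material = cert["spki"]
    else:
        raise ValueError("unknown selector %d" % record.selector)
    if record.matching == 0:
        digest = material
    elif record.matching == 1:
        digest = hashlib.sha256(material).digest()
    elif record.matching == 2:
        digest = hashlib.sha512(material).digest()
    else:
        raise ValueError("unknown matching type %d" % record.matching)
    return hmac.compare_digest(digest, record.data)


def dane_check(cert, hostname, trust_store, records):
    """Accept the certificate only if some TLSA record for the host vouches for it.
    Usage 1 keeps the CA check as an additional requirement; usage 3 drops it.
    Usages 0 and 2 constrain the issuing CA rather than the leaf and are skipped here."""
    for rec in records:
        if rec.usage == 1 and ca_check(cert, hostname, trust_store) and tlsa_matches(cert, rec):
            return True
        if rec.usage == 3 and tlsa_matches(cert, rec):
            return True
    return False


def build_scenario():
    """Constructed data: two trusted CAs, one of which the attacker has broken into."""
    trust_store = {"ca_a": b"secret-of-ca-a", "ca_b": b"secret-of-ca-b"}  # hypothetical CAs
    host = "www.example.com"
    site_spki = b"public key of the real site"          # constructed placeholder bytes
    legit = toy_cert(host, site_spki, "ca_a", trust_store["ca_a"])
    # The attacker who compromised ca_b mints a certificate for the same name, but it
    # necessarily carries the attacker's key, not the site's.
    rogue = toy_cert(host, b"attacker's public key", "ca_b", trust_store["ca_b"])
    # The site publishes (DNSSEC-signed, in the real protocol) a "TLSA 1 1 1" record:
    # PKIX-EE usage, SPKI selector, SHA-256 of its own public key.
    records = [TLSARecord(1, 1, 1, hashlib.sha256(site_spki).digest())]
    return {
        "legit_ca": ca_check(legit, host, trust_store),       # True
        "rogue_ca": ca_check(rogue, host, trust_store),       # True: any trusted CA will do
        "legit_dane": dane_check(legit, host, trust_store, records),  # True
        "rogue_dane": dane_check(rogue, host, trust_store, records),  # False: key does not match
    }


if __name__ == "__main__":
    for name, ok in build_scenario().items():
        print("%-11s %s" % (name, "accepted" if ok else "rejected"))
```

The rogue certificate sails through the CA check, because the browser’s rule is “any trusted CA may vouch for any name”; it fails the DANE check because the attacker cannot produce the site’s public key.  To win, the attacker now also has to change the TLSA record the browser sees, which in the real protocol means defeating DNSSEC or taking over the zone, the extra layer the paragraph above describes.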

DANE has another potential benefit: in the long run, it may get browsers completely out of the business of telling you whom to trust, or at least sharply limit that trust.

This attack also demonstrates that as threats evolve, our response to those threats evolves.  Here we understood the threat, but just didn’t get the work done fast enough before a CA was compromised.  I still call this a win, as I think we can expect to see DANE deployed even faster than we expected before the attack.

Here comes World IPv6 Day!

As you may have read in the press some time ago, the world is running out of IP addresses.  Really, the world is running out of addresses for the current version of IP, version 4.  An IP address is the means by which your computer and my computer can communicate with each other.  Addresses are similar to phone numbers in that if we each have a unique number, we can call each other.

How is it we’ve run out?  Quite simply, the IP version 4 address is fixed at 32 bits, which allows for at most a little over 4 billion (2^32) simultaneously connected computers.  Through some sneaky tricks, chiefly network address translation (NAT), we are able to connect well more than 4 billion, under the assumption that not every device needs to be able to communicate with every other device, but that game is getting a bit overplayed.

And so, over fifteen years ago, the Internet Engineering Task Force (IETF) created IPv6, which has enough address space to stick an address on every speck of sand in the world.  More precisely, IPv6 addresses are 128 bits long, so it can handle 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456, addresses.

NOW THAT’S A LOT OF PASTA!

Nobody wanted IPv6 way back then when we had plenty of IPv4 address space, but now that we’re out of IPv4 addresses, it’s moving day. That’s because we’ve become mobile, and computers have gotten smaller.  Not only can a cell phone access the Internet, but so can your printer,  a car, a boat, a camera, your television, washing machine, many game systems, and many other things.

Tomorrow is World IPv6 Day. Many service providers and web sites will be enabling the next generation Internet Protocol tomorrow to see what works and what breaks.  Will this inconvenience you even just a little?  Probably not.  Here’s why: your home gateway almost certainly doesn’t support IPv6, unless you’re a geek like me, in which case IPv6 day might inconvenience me.  But I had to go to quite some inconvenience already to get IPv6 into my home, so what’s just a little bit more?

Anyway, it’s all one big test to see how painful moving to IPv6 really is, and to see what breaks and what needs fixing.  As service providers and web sites work out the bugs, you’ll be hearing more about IPv6.  Eventually, much like you did when you moved to high definition television, you’ll probably need a new router.  If all goes well, the only difference you’ll notice is that eventually services like Skype and iChat AV will improve, since direct host-to-host connections no longer have to be coaxed through NAT.

By the way, this blog is IPv6-enabled!

Android Phones the next security threat?

Take it as an axiom that older software is less secure.  It’s not always true, but if the code wasn’t mature at the time of its release, meaning it hasn’t been fielded for years upon years, it’s certain to be true.  In an article in PC Magazine, Sara Yin finds that only 0.4% of Android users have up-to-date software, as compared to the iPhone, where 90% of users have their phones up to date.

This represents a serious threat to cybersecurity, and it should have been a lesson that was already learned.  Friend and researcher Stefan Frei has already examined in great detail update rates for browsers, a primary vessel for attacks.  The irony here is that the winning model he exposed was that of Google’s Chrome.

What then was the failure with Android?  According to the PC Magazine article, the problem lies with who is responsible for updating the software.  Apple takes sole responsibility for the iPhone’s software.  There are a few parameters that the service provider can set, but other than that they’re hands off.  Google, however, provides the software to mobile providers, and it is those mobile providers who must then update the phone.  Guess which model is more secure?  Having service providers in the update loop makes the Internet less secure.  Google needs to reconsider its distribution model.

How to get a Time Capsule to actually work in IPv6 without wireless

I have an unusual home configuration, in that I have a routed network.  If you don’t know what this means, stop reading now, as you are wasting your time.  While the Apple Time Capsule advertises IPv6 capability, getting it working is rather difficult.  To start with, if you do not use the wireless capability of the device, the controls are really non-obvious.  For another, the Time Capsule appears to ignore the default route carried in router advertisements (RAs).  Hence a manual configuration is required:

Time Capsule Configuration

In the configuration screen above, one must select “Router” as the IPv6 mode and not “Host”, as one might logically expect.  Then, because RAs are not being handled properly, one must manually enter the default route (the long way).

Finally, because you are supposed to be routing, you need to enter some address for the “LAN” side.  My prefix is 2001:8a8:1006::/48.  Note I’ve dedicated a bogus subnet out of it, 2001:8a8:1006:8::/64, to the effort.  All of this allows me to do what should have happened automatically; not your typical Apple Plug-N-Play style, is it?  For a company that claims to be IPv6 Ready, I’d say Apple still has a ways to go.  Sadly, they’re better than most.