Slashdot Mirror
The Case for Rebuilding The Internet From Scratch
dotnothing writes "I just caught a column on a security site advocating for a total start from scratch as far as certain internet protocols like SMTP. It's an interesting idea and there are some ideas on how to conduct the transition... if everyone would agree on something like this it would definitely reduce the spam (among other things)."
We can't even roll out IPV6. Even Internet2 has some basis in existing standards.
There are some very powerful entities that have a vested interest in keeping things they way they are today. I agree that many of these protocols are being used in ways and volumes never intended by their creators, and a redesign would be highly desirable. But with so many interests involved, how would such an endeavor ever get off the ground???
Stop by my site where I write about ERP systems & more
You could have a new version of SMTP, maybe called SMTP2 that would refuse connections from an SMTP1 server. That would cause most people to change rather quickly, and might even be workable.
Something like IP, otoh, would be best if the new version could coexist with the old version.
If I have nothing to hide, don't search me
The problems with various internet protocols (including the underlying IPv4 protocol!) have been known for YEARS, and have been screamed about by us geeks for YEARS. Nothing has happened, and there is a reason for this.
...then you might have something.
If you want to change the standard, you first must convince people to use your new standard. Now if someone comes up with a shiny new email feature that everyone thinks they *must* have, and it happens to be based on an existing protocol, and there's no way it will work with SMTP, well...
Personally, I'd consider "no spam" enough of a feature, but I think I'm in the minority, unfortunately...
--ZS
-- sigs cause cancer.
spam can not be stopped. period. if you believe otherwise you are misguided. the protocol does its jobs, and the verification of the headers and contect are to be done on the end systems. a challenge system at the backbone level is ignorant.
the only update the internet needs is more IP space and faster connections and Internet2 is already doing that.
MARIJUANA, SHROOMS, X: ONLINE?! - E
redesigning the internet would take away everything that makes it good.
A redesign would be forceed to the best interests of conducting business, not sharing information.
It would not cut down spam, only change the form it takes. SPAM can only be slowed via eduacation. People must learn that SPAM is not the way to buy things.
If business don't like the way the internet works, then they can get together and build there own, down to, and including, laying there own backbone.
The Kruger Dunning explains most post on
And, on the seventh day, of the seventh month, of the two thousand and third year of A.D. a darkness fell.
The "net" fell, first one computer, then another, and another.
The web was being taken down, ripped as if it was a spider's web that a clumsy person had walked through.
A few rebels called "Spammers" held out, but they were soon slienced, then, and forever.
But, then a light shined, a new web was forming, first one computer, then another, and another.
And so the story ends, with a new beginning.
You can't get 3 people to agree on where to eat. How does anyone expect to reach a worldwide agreement on how to redesign something that's become such a huge part of our lives.
The only way we ended up with something as good as we have was due to the fact that it was created by a small group of very intelligent men with much foresight.
With that in mind I suggest we form a task force to look into this matter. That way we can sleep soundly at night knowing nothing will ever actually happen.
This happens to all projects, irregardless of size. Developers will eventually believe that a total restart is the only way to fix problems. It's kinda sad, but I'm as guilty of it as anyone. I don't know how many times I've rewritten a project cuz I didn't like how it turned out, or couldn't fix a bug in the system quite right.
Same thing here.
The fallacy comes in the notion that something can be perfectly engineered. Nature teaches us that a vulnerability will be found, the weakest link will break, and that the internet will have problems in it.
Just cuz you don't like SMTP doesn't mean you should try to take it away from everybody.
Seems like every implementation I've seen first hand of "let's rebuild this super humoungous system from scratch" never goes as planned. Inevitably, there are many unforseen problems with the new system. Some of these problems are due to poor planning. Some are not. Some of these problems will be a tremendous pain to fix. Some will be discovered immediately while others will be discovered months or years down the road. In the end, you may wind up with more problems than the old system and you wonder if it was really worth it. Just my $0.02.
"The Internet was designed to be secure from nuclear attack, not its own users."
The problem is, it's very difficult to protect all of a technology's users from harming themselves with the technology or destroying it all together. Just look at virtually all of our inventions and discoveries: nuclear reactions, cars, CFCs, weapons...you can't generally save people from a technology if a substantial proportion of its users are hellbent on using it to annoy everybody else. I think even an "Internet2" would be unsuccessful unless it was so advanced it could somehow protect itself from its own administrators. But even that has its problems. (Insert Terminator reference here.)
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
This is an interesting mental game but nothing more. Pick any complex system that has evolved like the Internet and you will find valiant efforts going into total redesign. Off the top of my head, look at how long Microsoft has been carrying along legacy code, or look at how Intel is trying to make a clean break from x86. In the non-computer realm, our legal system is so snarled sometimes the police just stop enforcing certain laws. How about gridlock in a developing city? Would sure be nice to just start over with new roads where and how we would like them to be, but fat chance.
I would even go far to say that even if you COULD rebuild the Internet from scratch, the effort would be useless. The Internet has been an evolutionary system, adapting to the demands users place on it with ever changing requirements. The changes you would make would be accurate for 0.001 seconds, then would start on its own road to obsolesence. You would see this very same article posted on Slashdot about Re-Redesigning the Internet in 2008.
So have fun with the mental exercise, but this beast will always grow on its own.
Nice idea but you've got a whole lot of machines to support in the transition, not everone would want to upgrade their 68k Mac, BeBoxen or Amiga to run a nother platform with compliant software, so who would get the programs for the old systems working?
:-)
Before you say "just get with the program," think of 3rd world countries non-profit organizations and schools who don't have the money for the new hardware and associated software AND licensing for the related necessary upgrades... ("think of the children cames to mind here..."
Yeah, nice idea... in theory.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
This will not "reduce the spam." That's like saying copy-protection mechanisms will stop piracy. Or that it's possible to make the Internet completely secure. New protocols will take longer to develop than will crackers' methods of exploiting them.
Nice article. I've had similar thoughts, but it's possible to do what this guy suggests using existing, off-the-shelf, technology (and it can all be done open source too).
The argument in a nutshell is that if everybody were using authentication (and encryption would be nice), then everybody could filter spam at the gateway by simply saying, "I don't want to see any un-authenticated mail".
Ok, fine then. Let's all authenticate our email. There are loads of PKI based SMTP gateways. If you're an MS shop, you could even implement this on a per-user basis. There's a lot of security technology out there that isn't being used.
Ask your favourite Win2K network admin this: do they use L2TP and IPSec on all connections between all machines on their network? Probably not. It's kinda crazy that nobody does since this has got to be one of the most sure fire way to improve your security posture because it prevents all passive network scanning from seeing any data of importance.
Similarly, why aren't we all using PKI to sign and encrypt our email. It's nuts that confidential legal and personal messages are sent around the 'net everyday with no encryption whatsoever. When was the last time your mailclient had to use it's S/MIME capability to decrypt a message from anyone? Would your lawyer send you those important documents on the back of a postcard? How about that multi-million dollar deal your company is working on? Would your CEO be happy mailing the paperwork in a clear-plastic envelope that anyone could see?
Seems to me that we need to be smarter and more consistent in using the technology that we have today before we rush out and architect a new solution that will no doubt be full of holes that we can't forsee at the moment. The open standards of the Internet make it both strong and weak. But as they say, "guns don't kill people, I kill people."
Yet another call to hand off the net to some mythical central authority which'll be able to monitor everything we say and do, then use it against us should we ever complain about what the powers that be are up to.
I'll take a pass on this 'solution', thanks. I'd rather deal with spam than make it any easier for anyone to track every single thing I do on the net. Hell, it's too easy as it is, hence the development of things like Freenet....
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Agreed mostly - but I think it would be a great boon if encryption started being on by default instead of off. Mail clients should default to secure smtp/imap/whatever, and show a security warning if you disable to work with a braindead mail provider. Web browsers should start defaulting to https if no protocol is specified. You get the idea. When *everything* is well-encrypted, privacy is much easier to secure.
11*43+456^2
Furthermore, Instant Messanging is designed for quick, well...instant messages. Short little things that might replace a phone call. Email on the other hand can be utilized for long, drawn out topics, that require several pages of typing to argue through. Stuff you don't want an "instant" reply for, because you want the other person to read it, and think about it, and provide a thoughtful reply. You also don't really care if their at their computer at that moment too. If you send an IM, and they aren't present, your message likely won't go through.
Agreed, but...
The writer, Larry Seltzer, complains about spammers abusing his account, and yet his online publisher sticks a link to his email address right at the bottom of everything he writes. I would suggest that if he wants to reduce the flow of junk to his inbox, he start with his own managers.
The point of all this is not to be afraid of posting your email address at the bottom of everything you write.
The thing is, the guy never even came close to coming up with a valid justification for replacing the Internet... spam is in of itself not a good reason. There are all sorts of protocols and standards that would be great to replace: - DNS - get rid of telnet and make SSH the standard - replace FTP with SFTP or SCP - clean up the port 80 mess and put more control back into the firewalls I'm not fluent enough on IPv6, but I'm willing to bet the networking folks would love to take a crack at replacing TCP/IP and coming up with a better plumbing, on which the protocols could be built upon. Do that, screw backwards compatibility and I'm sure the replacement will be better than anything we see today. Of course, then some dumbass small company will claim to own a patent on this, and we'll be even more screwed....
---- Meh.
Before running off to change everything how about just getting people to follow the rules we have.
For example one requirement of the SMTP RFCs is that everywhere a domain appears in an SMTP conversation it must be fully qualified AND it must resolve. Unfortunately that requirement is rather widely ignored. Just set your mailserver to reject EHLO/HELO greetings that don't conform and you will bounce lots of spam as well as tons of legit email.
Like the cockroaches they are, spammers rely on hiding in shadows. If legit mail-server operators stuck to the RFCs detecting, filtering and tracking the shady ones out would be easier.
No, it's not perfect, but at least I could do things like check the EHLO against the connecting IP to see if the other server is lying.
I would be absolutely delighted if AOL, Earthlink, Hotmail, Yahoo, MSN and other large mail handlers started being very RFC picky in what they allow. This would force a mass cleanup of non-compliant servers and would make my job a lot easier.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
Yes. Is it practical? That's a different matter entirely.
IF it was to be done, it would have to be done bit by bit, protocol by protocol. You could take SMTP, start work on it, keeping developers in the loop all the while so they could work on incorporating the protocol into their programs. Once the protocol is finalized, you could leave a period of time for developers to finish their programs, then release the new programs and put the new protocol into effect. Of course, rebuilding the internet this way would take a long time.
On the other hand, you have to acknowledge the fact that the internet does behave like a living organism. The internet is very flexible, capable of growing and adapting to meet many different needs. It's a prime example of the fundamental concept of chaos theory: behind chaos, there is order. Do we really want to mess with something that works?
God, no - encryption on by default is the last thing we need. 90% of Internet users don't want encryption, and would only be hurt by it. How, you ask?
- Encrypted HTTP content can't be cached for faster web browsing. Most of it is public anyway. What's not can use HTTPS.
- End-to-end encrypted SMTP messages can't be scanned in transit for viruses or malicious code.
- It stuffs up troubleshooting. Any self-respecting netadmin has a packet sniffer and knows how to use it. Do you really want to implement key escrow and keep all your workstation keys on your laptop so that you can see why connections to the file server are failing?
Encryption is a wonderful thing where it's needed, but sprinkling it all over the Internet will cause far more headaches than it's worth.
The internet is as flexible and free today as it is simply because it grew up before it was on the radar of the marketing and legal arms of corporate America, and the legislators they send campaign donations to. We're very fortunate about this; an open architecture is what the Internet is "stuck" with, and it's proving difficult for those who would replace it with a closed arcitecture to work against that history.
You had better believe that if we rebuilt the information superhighway from scratch, it would have in place all the controls and restrictions that the various entertainment industry wants, and would be run on standards and protocols which are closed and proprietary. (Many likely from Microsoft, but they would probably be "magnanimous" and licence other proprietary protocols from other companies who have influence with legislators from other states.) In the end, you would not have nearly the flexible and open Internet we have today, but rather something much closer to the one-way "content delivery" system that the entertainment first thought the Internet was, and is now trying to legislate the Internet to be (once they realized that it wasn't naturally that).
-Rob
Of course, copyright proponents would love to inspect the contents of Internet traffic as well, and they would put huge money into getting these provisions into the specs.
Unfortunately the things I mention are not the stuff of crappy science fiction, but rather what has been going on so far wherever certain interests can have an influence. Thanks but no thanks. I'd rather keep hitting the delete key more than a hundred times a day and keep my spam and my privacy wherever I can.
Of course, it was never really supposed to be anonymous, and real e-mail anonymity is only possible if you forge headers and if your mail-server admin doesn't care. Speaking of not caring, I don't care about the anonymity problem.
Sure, your IP address may be in the headers, but to resolve it to an identity still takes the cooperation of your ISP. People use webmail accounts all the time with the expectation of anonymity. People use email to leak rumors and expose secrets, like with the Halloween documents. A friend of mine uses her Hotmail account on a mailing list for domestic abuse victims. There's lots of good reasons to hide your identity online, and I won't give them up just as a quick fix to the spam problem.
That doesn't work for everyone though. If for example you are an HR manager waiting for replies to a job advert, you will be wanting emails from people you have never heard of before, but only on that particular subject.
SMTP means "*Simple* Mail Transfer Protocol". It's the equivalence of a letterbox - simple and efficient. Of course it can be abused for spamming, but so is any successor of SMTP and any different messaging service. As long as it is possible for anyone to send email, it will be possible for anyone to send spam.
The main problem does not consist in trying to stop spam in general (that would be impossible), but in making *anonymous* spamming *very* difficult. Standards are there - but many legitimate operators don't care about a standards-compliant infrastructure, stifling security efforts that would be good enough to keep a lot of spam out.
For example, each IP address should have a DNS reverse record pointing to a valid hostname, which resolves to the same IP address. HELO strings and message ID domainparts should be FQDN and not only "office" or "workstation", the sender's host should be an official Mail Exchange (MX) for the envelope-from domainpart, and so on. This way you could easily - using *existing* standards - make sure that the sender is authentic. Anonymous spamming via open proxies or open relays would be impossible, and spammers using their own infrastructure can be RBLd.
So why invent new standards with millions of people having to switch on, which would take 10 or 20 years? Why not use and push existing standards not only as "nice option" for email communication, but as requirements?
Yes, just like what Verisign would want: $100/year from anybody who wants to send or receive mail. Thanks, but I'll stick with unauthenticated mail and spam.
If that's the sort of thing you want, you can already run SMTP over SSL--you don't need a new protocol for that. Operating systems terminally incapable of building services out of modular building blocks can hard-code SSL into their mail servers. Reasonable operating systems can use something like stunnel for wrapping SMTP. Either way, you get authentication. There doesn't even need to be any complex interaction between the SSL authentication and the SMTP server because SSL can simply verify the identity of the connecting host, and SMTP can continue to use its regular host-based identification.
The other important requirement, according to Yu, is a system for tracking resource usage per sender. Basically this means that profiles should be established for normal amounts of mail sending from different types of users. If you limited normal users to 100 messages per second and major companies to 10,000 messages a second it would be hard for legitimate users to complain, but spamming would be much harder.
We don't need a new protocol for this. Per-user throttling of outgoing SMTP connections could be implemented by ISPs at the TCP level, and per-user throttling of incoming SMTP connections can be implemented by the SMTP server. The reason why this isn't done is because it's largely ineffective: many spammers are beyond such controls for outgoing connections anyway, and limits on incoming connections can be circumvented simply by posing as hundreds of different users.
Solutions to the spam problem are things like CAPTCHAs, intelligent text analysis, and communications pattern analysis. Restrictions on who can send what to whom at the ISP level, or the imposition of authentication fees by ISPs or companies like Verisign, however, are thinly disguised attempts at squeezing money out of users. In addition to being ineffective and increasing the cost of E-mail, they also just threaten the openness of the Internet that has made it so successful in the first place.
SMTP being replace, that's a possibility. But with "trusted authorities" such as Verisign? Never. Those of us already having to deal with Verisign (or Microsoft or whoever) do NOT want something as important as email to be completely in someone else's hands.
SMTP should be replaced by a protocol that requires authentication. That's the biggest probley (open relays) really. Going any further than that will be more of a pain than its worth.
As for everything else (including IPv4), there are too many old clients out there (old meaning unsupported by the vendor). There are enough Windows 95 clients out there, not to mention other systems where upgrades are simply unnecessary otherwise, to where changing the underlying protocol simply won't happen.
Incremental upgrates, sure. We'll probably end up replacing SMTP -- or updating it -- to support, or even require, authentication. In a few years. We may even supplant FTP with SFTP or some other more secure variant.
But to try and simply replace a major, established protocol -- with no backward compatibility -- simply will not happen. There will be enough resistance and reluctance to make it infeasible; then the upgraders will have to begin supporting both "legacy" and new protocols, and we'll be in a bigger mess than before.
So, my opinion is this: we'll slowly, with full backward compatibility, supplant older protocols with updated ones -- perhaps via adding extensions to them (like SMTP Authentication), allowing slow upgraders to catch up as needed. No revolutionary changes will happen, no forced upgrades...
NGWave - Fast Sound Editor for Windows
Frankly, I'm surprised more people haven't ditched postal mail for telephones.
That's right, very different purposes. Besides, do you want the majority of all the internet communication in the world to depend on AOL's servers. I thought we all already understood the need to decentralize important services...
Might I point out that you can have a whitelist for you email as well.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant