Should the Internet Be Secure By Default? (esecurityplanet.com)
darthcamaro writes:
There are lots of tools and different secure protocols that could be used by internet service providers to embed security into the fabric of the internet, making the internet secure by default, but that's not something that Facebook's Chief Security Officer, Alex Stamos, wants to happen. Instead of security by default, his view is that carriers should be neutral and let malicious traffic do whatever it wants.
"I believe strongly in the end-to-end principle, I think we should have neutral carriers in the middle and it should not be the responsibility of ISPs to secure the internet," Stamos said in a press conference at the Black Hat USA conference last week.
Slashdot reader Darth Technoid disagrees, calling a lack of security "the Original Sin of the Internet," and speculating that Vint Cerf and Bob Metcalfe "thought that future technology would resolve the issues." What do other Slashdot readers think?
Should the internet be secure by default?
If they had built encryption in from the beginning it would have been obsoleted long ago. Would you still want to be running WEP? Then we'd all have to upgrade our routers every year to stay on the latest encryption that hasn't been compromised. Having endpoint to endpoint encryption is the right answer.
And if that's not enough, we need an open and free internet and we need carriers to not be messing with any of my bits and bytes.
Mike @ The Geek Pub. Let's Make Stuff!
The original intent of the Internet isn't what we see here today. It was supposed to be a military and government communications system to withstand a nuclear war - and used by universities. Meaning, security wasn't even thought of because it was supposed to be a closed system.
I bet they cringe at the .ru domain! Or the .cn one!
And if a new internet is created - somehow - hackers will find a way to infiltrate it because that's what they do: find weaknesses that no one thought of.
How would we get all this entertaining news otherwise?
I tend to rant.
The revisionists claiming that those who designed the Internet were at fault for not predicting future deficiencies should return to using the OSI networks like X25 that were indeed conceived with every imaginable contributor's input -- but that were so unwieldy that they lost out to IP even with the weight of every national telecom operator behind them. The AT&Ts, the France Telecoms, the BTs, etc., all told us that IP was badly adapted to the real world and that it would be quickly replaced with "proper" and "secure" OSI networks.
Not encumbering IP with "solutions" to every future possible problem is in large part why we are using IP today, & not X25.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Security means different specific things in different specific contexts. Security in transit, which seems to be what this is focusing on, is mainly a defensive step against nation-states. Most of us don't worry horribly about organized crime tapping Internet backbone switches - for now that's the domain of intelligence and military organizations. At that point the entire conversation veers off from science into philosophy - the proper role of the state (if any) in monitoring communications for stuff it doesn't like. This tends to break down better on the newer and cleaner authoritarian / libertarian axis than it does the older and more muddled conservative / progressive axis. Authoritarians want more control so that they can implement and enforce their agendas. Libertarians want less control because they (generally) believe that authoritarian structures - even those created and begun with the best of intentions - eventually get taken over by thugs and then are used for totalitarian purposes.
Help save the critically endangered Blue Iguana
I understand the sentiment, but the risk mitigation is low to none. Intercepting or hijacking encrypted traffic is done all the time; encryption is even used for C2 communications. Whether you have end-to-end encrypted communication, or even double-blind encrypted communications, this does nothing to secure the end points at which that encryption occurs. Concerns around exposure and possible hacking are much more likely user side, followed by server side, than to be intercepted mid stream.
"Dumb network, smart edges" is the key difference between the internet and the many networks it has replaced and is replacing. To give up that principle would just give rise to another dumb network, possibly first running tunnels through the "secure" internet and using it as dumb pipes. The internet is the evolutionary opponent to the "intelligently designed" protocols. It's winning for a reason.
If you can define what that means. But that's not even what the guy is saying. He's saying ISPs shouldn't be in charge of securing customers computers or traffic.
If you imagine what a "secure by default" Internet would do for you, it would protect you from any unintended consequences from your actions. Now imagine how good ISPs would be at doing that for you. Most of them can barely run their own networks competently, much less understand their customers' businesses.
ISPs certainly have a role in responding to certain kinds of cyber attacks, like DDOS, or attacks on DNS infrastructure. But they don't really have the ability to protect customers from themselves.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
As the Internet currently exists, it simply cannot be "secure by default." To have such a system you need hardware and software designed from the ground up to be secure, but the current system was designed to be robust, which is pretty much the other end of the spectrum from secure. Everyone at every level of use would have to start all over again.
A better solution might be to have separate networks for those who need such high levels of security; this would be cheaper and far more likely to happen. Still going to be expensive, but it might be a better -- as in possible -- solution.
Everything in the Universe sucks: It's the law!
The problem is you not only need "security" but it also needs to be updateable. There is no foolproof software and/or complex protocol proofs. There are all sorts of assumptions made which change all the time, compounded by implementation errors and outright bugs. It may all be based on logic but you can't guarantee what makes sense today will make sense in twenty years.
So you have to be able to update software and complex digital hardware. That is simply impractical. You can write a law saying pi=3 but that doesn't make it so. By its very nature it would require some level of all software and hardware being open source such that the security routines and how they work could be changed. Not going to happen.
Everyone thought that the OSI model would go beyond layer 3. That there would be standard dynamic libraries for end-to-end encryption and that programmers wouldn't need to be that involved in the minutiae of the design. Instead what we got was a roll-your-own and linking-to-available-static-libraries idiocy. And https.... nuf said.
I think what is needed is that governments should require programmers to guarantee a specific lifetime for their software, where there should be minimums depending on the software. The software should be bonded by an insurance/review company (which will have the code) for that period of time. Programmers and publishers need to be liable for the quality of their products where money is exchanged. There need to be minimum standards and review.
In an insecure world the best security so far is end to end encryption. Allowing or relying on the ISP to provide the security is just setting a security on the link for that ISP, but when it goes to the backbone it's lost, so is the next ISP.
Unfortunately not all end services that we use are secure because they include data from other sources, often ads embedded in web pages. And the web browsers we use today allow for cross-contamination. This is how sites today detect ad-blockers: they see that the cross-contamination fails.
There are also other types of security; DNSSEC is one that should be applied. But some ISPs interfere with it.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
... I think we should have neutral carriers in the middle ...
No way the current crop of ISPs are going to allow this to occur. It will destroy their plans to charge tolls on any and every aspect of the Internet.
Oh, those silly medieval peasants and all their famines! Why didn't they just eat at KFC?
Seriously, when the Internet was developed, cryptography was in its infancy, connections were physically secured, and the backbone consisted of 16 bit processors with up to 32k of core memory, and I mean core memory. When the web was developed, it was still not really possible to encrypt everything.
Long term, encryption alone isn't the right thing anyway. The next generation shouldn't just have encryption but also peer-to-peer service, decentralized naming, etc. People are trying to build that kind of internet using blockchain technology. You should support it.
The internet is supposed to be a simple pipe. You open and close the 'valves' at your end. Leave everybody else alone.
“He’s not deformed, he’s just drunk!”
If you can define what that means. But that's not even what the guy is saying. He's saying ISPs shouldn't be in charge of securing customers computers or traffic.
That's fine for larger corporate customers who at least in principle should be able to manage to secure their networks. But less sophisticated customers hugely outnumber the sophisticated ones, so there HAS to be some mechanism for helping them to keep their little network and devices secure. If this isn't the ISP then who should it be? I like the idea of smart edges and a dumb network but we cannot assume that every edge has a tech-savvy sysadmin on the end of it.
Having endpoint to endpoint encryption is the right answer. And if that's not enough, we need an open and free internet and we need carriers to not be messing with any of my bits and bytes.
I agree but I'd actually go further and say that the only way to secure a network is with endpoint-to-endpoint encryption because how can anyone trust all the network providers in between? Once you send your packet out you have no control where different networks will route it and if it is routed through somewhere like the US, even if that is not the final destination, you know that the government there may potentially look at it.
Pick one - you can't have both.
This sig left unintentionally blank.
No such thing as absolute security or zero risk. The best strategy is to assume that nothing on the internet is safe and proceed accordingly. No one security strategy will work. Everyone using the internet should apply some kind of layered security depending on the value of what they want to protect. Then there are the bots that may not necessarily attack your machine but act as infection vectors and instruments of DDoS. Mitigating these things pretty much depends on how well the user is educated. But most users can't be bothered even to change the default credentials of their devices or use password vaults for lengthy random passwords. So does this mean they should be protected from on high? That probably wouldn't do any good if the user isn't educated and concerned. Accessing the internet is convenient and security tends to interfere with that.
"Gentlemen, you can't fight in here! This is the War Room!" -- Dr. Strangelove
The problem with embedding security protocols in the network itself is the same one we've seen with network capacity: the providers have little incentive to upgrade once they've invested in the initial roll-out. If we embed security at the level of the ISPs and backbone providers, we'll have a massive problem when that security is inevitably broken (whether by malicious action or simply advances in computing power making the algorithms it uses obsolete). We'd also likely see major abuses, either by laziness (your Linux OS isn't supported, we won't allow it to connect) or greed (good-bye routers, you'll have to connect computers directly for security to work and that means paying per computer to connect them). Good-bye having your own domain, for security all email has to be routed through your ISP's mail servers which only support your ISP's email addresses or you'll have to use webmail interfaces which also put you at the mercy of a mail provider (eg. no S/MIME signed/encrypted email unless your mail provider supports it and you give them your private key). And in general I distrust any claims that ISPs and backbone carriers will implement any kind of security correctly, they won't even implement current security measures like spoofed-address filtering.
And what kind of security would we gain? This idea can't protect us from malicious actors gaining network access, ISPs can still sign up customers and there'll always be ISPs who can be fooled by false IDs or who won't look too closely at the background of a customer offering them money. It can't protect us from false identity claims, see above. It can't protect us from malicious content, we've already seen that in the way new exploits get past software designed for the sole purpose of detecting malicious content.
I'm fine with the network enforcing things like default encryption of traffic, but it should be a case of IP-level protocols requiring endpoints to encrypt traffic (eg. all IPv6 traffic requires AH and ESP or the routers will reject it). Authentication should be done directly between the parties that need to authenticate, eg. your email provider issues x.509 certificates for its users certifying they're who they claim to be (or at least own the address they're using), DNS registries issue certificates certifying that an email provider or mail server operator controls the domain name they're using to send email, and so on. Example: if I'm operating my own mailserver for silverglass.org, I'd create my own master issuing certificate and get it signed by either my domain registrar (who'd be using a certificate signed by the registry) or the .org registry saying that my certificate is good for issuing certificates within the silverglass.org domain. Then part of turning on a new mail user would be me issuing them a certificate valid for the email addresses they've asked for. I'd also be issuing the server certificates for my own mailservers. During email handling (receiving a message from my server or delivering a message to it) one check would be "Is this server's certificate valid for the relevant domain for the message?". When you signed or encrypted email messages, you'd do so using a certificate I'd issued to you (saying "This is the true owner of the email address sending this message.") or another one issued by a party who knows your identity (eg. one from your employer saying "This is really our employee and he's shown us ID proving he's really X."). And as far as malicious content goes, well, we already have AV software in use but I've found that the only people who don't have a problem with malware are the ones who refuse to directly handle content from outside or unknown/unexpected sources.
The only solutions I have are a) use less complex formats that don't require hairy error-prone code to parse and b) run programs that access that content in a VM that doesn't have unmediated system access (most OSes now are capable of running lightweight VMs or containers). No, languages won't solve the problem of vulnerabi
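The post above closes by noting that carriers won't even deploy spoofed-address filtering. As an added illustration (not part of the thread, and not any ISP's actual configuration), here is that check written out in Python: an ingress filter that drops packets whose source address does not belong to the prefixes the ISP assigned to the customer port they arrived on. Real deployments express this in router ACLs or reverse-path checks; the port names, prefixes and packets below are constructed for the example.

```python
"""Toy model of source-address ingress filtering (the "spoofed-address
filtering" the post says ISPs fail to deploy). Constructed example only."""
import ipaddress
from dataclasses import dataclass

# Constructed allocation table: the prefixes each customer-facing port is
# permitted to originate traffic from. Assumed to come from the ISP's
# address-assignment records.
CUSTOMER_PREFIXES = {
    "port-1": [ipaddress.ip_network("203.0.113.0/24")],
    "port-2": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:2::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress_port: str
    src: str
    dst: str


def is_spoofed(pkt: Packet, allowed=CUSTOMER_PREFIXES) -> bool:
    """True when the source address lies outside every prefix the ingress
    port may originate from. A port with no allocation, or an unparsable
    source, is treated as spoofed (fail closed)."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return True
    # Membership across address families is False, so v4 in a v6 net fails.
    return not any(src in net for net in allowed.get(pkt.ingress_port, []))


def filter_ingress(packets, allowed=CUSTOMER_PREFIXES):
    """Split packets into (accepted, dropped) using the ingress check."""
    accepted, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed(pkt, allowed) else accepted).append(pkt)
    return accepted, dropped


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("port-1", "203.0.113.7", "192.0.2.10"),        # inside assigned /24
    Packet("port-1", "192.0.2.99", "192.0.2.10"),         # not assigned to port-1
    Packet("port-2", "2001:db8:2::1", "2001:db8:9::1"),   # inside assigned /48
    Packet("port-2", "198.51.100.200", "192.0.2.10"),     # .200 is outside the /25
    Packet("port-3", "203.0.113.8", "192.0.2.10"),        # port with no allocation
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_PACKETS)
    for p in ok:
        print("accept", p.ingress_port, p.src)
    for p in bad:
        print("drop  ", p.ingress_port, p.src)
```

The filter is deliberately fail-closed: a port the ISP has no allocation record for cannot originate anything, which is the property that keeps a misconfigured port from becoming a spoofing source.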
Should the roads be secure by default?
Yes I want an internet that is secure by default. No this does not involve the carriers. I personally think this starts with distributed, federated identity meaning that your presence on the internet can be known to others but only to others you trust. Think BitCoin but for identity.
For example, imagine you made your own authentication realm that was just a presence on the internet. You would create identities within it that represent you and people that you trust along with this trust relationship. It would also store data regarding your interactions with others in some way. This could then be exported by you under your supervision to other entities that would use it to determine if they trusted you or not. With cryptographic protocols and fingerprints you would be building a long-term history of trusted actions much like how we interact face-to-face.
The goal would be to remove identity from places like Facebook or Google. OAuth, X.509, PGP/GPG, and some other technologies either get us close or do parts of this right now. It's just not in an easy-to-use cohesive bundle that you can stand up on a mobile phone. My idea would also be unwelcome at commercial sites unless they are truly willing to negotiate attribute release. Ideally I'd like something like 2-way EULA that allows me to know and alter what data these companies collect on me and how they use it.
Until we start treating the internet like a real place where real people interact in real ways I'm not sure we'll be in the right frame of mind to solve these issues.
You can't actually find stuff on the Internet any more, because the first 2,500 search results do not even contain the search terms you used, but things you might conceivably have been thinking of buying if you were someone else in a parallel universe.
If you want "secure" as in privacy you might want to write it on paper and carry it there in person. I would suggest you avoid putting it in an electronic format of any kind.
You might also wish to buy a tin foil hat from my Ebay shop - in case the thoughts leak from your brain.
Sent from my ASR33 using ASCII
The job of ISPs is to deliver packets quickly, not to waste time encrypting, an exercise that would be bound to disappoint because governments will insist on a clear stream, and they are one of the biggest threats.
But encryption is not security. We already have great end-to-end encryption (and don't governments hate it?) The weakness comes at the two ends. Saying that the Internet should provide security for us is like saying banks should provide financial responsibility for us, or that roads should provide safe driving.
Secure Internet comes from well written programs. Well written programs can be secure even though the whole world is looking at the data streaming past and trying to modify it for fun and profit.
Newall
The big mistake is that so many people believe that TRUE TOTAL security is possible. It is not. The reason is that new approaches to defeat a security will be found. ALWAYS.
What is really needed is the ability to change security quickly.
For example, the DOD recently asked for ideas on how to secure the net and communication as a whole. A pluggable architecture that can negotiate with the other side on what protocol and what settings is the only possible solution.
Likewise, for IoT and with our appliances at home, there should be a 'button' that connects between, say, a PoE from the appliance and can then deal with wifi, or zwave or nuwave or Bluetooth, or simply IPv6 over Cat5. Down the road, if the house is updated, then the 'button' is changed.
And anybody that believes that the net can be 'secured by default' is not really into security, but is just a PHB.
I prefer the "u" in honour as it seems to be missing these days.
Another simple question with a simple answer. Yes.
The phrase "Original Sin" isn't applicable. The technology for packet switching predates the technology for the encryption Darth Technoid would like to be applied to the packets. If you want to talk about making a transition from where we are now to something different, you can't just say "secure by default." You have to be very specific about the design of the technology for where you want to end up and then about the transition process to get there from where we are now. Otherwise, it's like asking "should all school lunches come with universal health protecting pills for free." Whether or not you agree is irrelevant if the pills don't exist.
What is a "secure" internet?
Secure for whom and against whom? If we let the government define what is safe and secure for us as citizens, we might be in for a totalitarian, authoritarian-run type of internet.
We're already fighting viruses and worms, a "safe internet" won't secure against that, this is what we do on OS level to protect our computers, and that needs updating all the time - nothing is ever going to be 100% secure.
But if you mean security against pr0n, hate-mail, cyber bullying, fake news and whatnot - you need to start on citizen level - not censoring the roads, blocking countries and communication - that's borderline dictatorship. Education is the way forward, not censorship.
What this world is coming to - is for you and me to decide.
Years ago, in mostly adoring interviews with Vint Cerf and Bob Metcalfe about security, I asked each of them how they screwed up so badly on security.
They didn't. Jonathan Postel screwed up when he wrote RFC 821.
By the early '90s, inaction to correct this was no longer Jon's fault. Today, given 35 years of time having elapsed on a network with billions of users, inaction is a "sin" that anyone who can write a program that compiles is now on the hook for.
They both didn't think that mattered quite as much as I do. Thus, I feel that the lack of security design is the Original Sin of the Internet.
It really doesn't matter.
Most operators don't route packets over random anonymous physical links they know nothing about, nor do they partake in BGP sessions in a similarly unqualified and unfiltered manner. Operators are not perfect. They can be influenced by error, indifference, poor judgment, saboteurs and governments just the same. A certain amount of trust and competence among the operator community enables the Internet to function at all (e.g. a reasonably successful chance of global delivery of packets from peer A to peer B). It just isn't expressed in any field of any IP layer protocol header, nor is it enabled by fancy algorithms. Security is enforced physically by professional relationships and aligned business interests.
I don't see that happening any time soon, what with IoT DDoS bots, increasingly massive data hacks and so on.
Blaming the Internet itself for these things is like blaming baseball bat manufacturers whenever someone decides to wield them as bludgeons.
My thought is that the Facebook CSO is wrong, in that end-to-end security requires eternal vigilance at all levels of the stack and through the system.
The point of end-to-end security is minimization of what is required to be in the trusted path and still have a system remain trustworthy. Trusting operators with unaligned interests is nonsensical. Attempting to secure everything means you're wasting massive amounts of resources that can be better focused on shit that actually matters, increasing the likelihood of mission failure.
On global scale there is simply no viable alternative to E2E nor is there a substitute for tools to practically enable users to create and manage their own trust relationships amongst themselves "for better or worse".
IMHO the biggest weakness of the current Internet is that every packet must contain the full source and destination. I'd like it to be more like a Russian doll-style, every node on the source side should only give a reference and the destination should be unwrapped layer by layer. So if I want to send a packet from 1.2.3.4 to 5.6.7.8 my node should send to 1.2.3.x and only relay to 1.2.x that "someone" from 1.2.3.x wants to contact 5.x with an ID, from 1.2.x it'll relay to 1.x that someone from 1.2.x wants to talk to 5.x, then 1.x will relay to 5.x that someone from 1.x wants to talk to a 5.x node, 5.x will decrypt and find 5.6.x, 5.6.x will decrypt and find 5.6.7.x, 5.6.7.x will decrypt and find 5.6.7.8. I'm sure there's a lot of complications involved, but it would make breaking a single link much less valuable.
Live today, because you never know what tomorrow brings
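The "Russian doll" addressing idea in the post above (each hop learns only its neighbouring prefix and an opaque blob) is easy to misread, so here is an added simulation of it. This is not the commenter's code or any deployed protocol: it uses a toy XOR-with-SHA-256-keystream cipher standing in for real encryption, assumes the sender already holds a key for each destination-side aggregator (key distribution is left open in the post too), and uses the post's own addresses 1.2.3.4 and 5.6.7.8. The log it returns records, per hop, exactly what that hop was able to learn.

```python
"""Simulation of layered ('Russian doll') addressing. Constructed example:
toy cipher, made-up aggregator keys; nothing here is a real protocol."""
import hashlib
import json


def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256(key || counter), concatenated. NOT a real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR stream cipher is symmetric

# Constructed keys for the destination-side aggregators (assumed known to sender).
AGG_KEYS = {"5.x": b"key-5", "5.6.x": b"key-5-6", "5.6.7.x": b"key-5-6-7"}


def build_wrapped(dst: str, payload: bytes):
    """Wrap the destination so each aggregator can reveal only the next hop.
    Returns (outermost_aggregator, opaque_blob)."""
    parts = dst.split(".")
    # "5.6.7.8" -> ["5.x", "5.6.x", "5.6.7.x", "5.6.7.8"]
    chain = [".".join(parts[:i]) + ".x" for i in range(1, 4)] + [dst]
    inner = {"next": chain[-1], "payload": payload.hex()}      # read by 5.6.7.x
    blob = toy_encrypt(AGG_KEYS[chain[-2]], json.dumps(inner).encode())
    for i in range(len(chain) - 3, -1, -1):                    # 5.6.x, then 5.x
        layer = {"next": chain[i + 1], "inner": blob.hex()}
        blob = toy_encrypt(AGG_KEYS[chain[i]], json.dumps(layer).encode())
    return chain[0], blob


def simulate(src: str, dst: str, payload: bytes):
    """Deliver payload from src to dst through prefix aggregators.
    Returns (delivered_payload, log) where log holds (hop, from, to) triples:
    what each hop could see about the conversation."""
    log = []
    s = src.split(".")
    upward = [".".join(s[:3]) + ".x", ".".join(s[:2]) + ".x", s[0] + ".x"]
    dest_agg, blob = build_wrapped(dst, payload)
    prev = src
    for hop in upward:
        # Source side: the hop sees only "someone from <prev> wants <dest_agg>".
        log.append((hop, prev, dest_agg))
        prev = hop
    hop = dest_agg
    while True:
        # Destination side: each aggregator peels exactly one layer.
        layer = json.loads(toy_decrypt(AGG_KEYS[hop], blob))
        log.append((hop, prev, layer["next"]))
        if "payload" in layer:
            return bytes.fromhex(layer["payload"]), log
        prev, hop, blob = hop, layer["next"], bytes.fromhex(layer["inner"])


if __name__ == "__main__":
    delivered, trace = simulate("1.2.3.4", "5.6.7.8", b"hello")
    for hop, frm, to in trace:
        print(f"{hop:8} saw: {frm} -> {to}")
    print("delivered:", delivered)
```

The property the post is after shows up in the log: the backbone hop 1.x sees only "1.2.x wants 5.x", and no hop other than the last ever sees the full destination 5.6.7.8. The cost the post also hints at is visible too: every destination-side aggregator must hold a key the sender can use, which is the part a real design would have to solve.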
Nobody gives a shit about Rust. Rust doesn't fix LOGIC issues.
Two people standing in a field having a conversation - that's the default human condition. Are there eavesdroppers? Are their communications subject to interception? Can somebody demand that somebody follow them around and write down everything they say or demand that all of their conversations are relayed via a biased third party?
All of those are "no", so all of those things are violations of the default human condition (what some call "human rights" though that unnecessarily complicates matters). The violations themselves are unethical, so there's no need to look further for political theories.
Human technology should reflect basic human ethics and work to maintain, if not improve, the default human condition, so, yeah, the Internet should at least enable communications that are secure by default, if not necessarily require them.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The whole point of security is that I can verify it. If I can't, it is not secure, period.
Putting the carrier in charge means I can't. When they turn off encryption and authentication during nightly maintenance and forget to turn it back on - nobody will be the wiser.
Assorted stuff I do sometimes: Lemuria.org
Let applications decide what needs security, as it always was.
The principle of a tool doing one job the best it can is still a good paradigm.
Internet transit providers should only worry about providing transit.
Imagine if all of our internet security was as screwed up as the broken CA system for https is!
The result is we would need end to end encryption running over the resource eating but not actually trustworthy default security (with the deliberate hole for governments and organized crime).
What the Internet is, was, and is supposed to be was laid out a long time ago and in a very non-ambiguous way and it's worked famously for a long, long, LONG time.
It's wonderfully working as it was supposed to do.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
A good example is the telephone network. It tries to have some security features, such as having identifiable source numbers. In reality that doesn't work and leads to false assumptions about the network.
Essentially you cannot outsource security.
The approach of the Internet is much saner. Just have a dumb network and have the endpoints do the actual security. This also allows for swift upgrades in security and for custom solutions addressing the specific security problems.
The public internet is unsecure by intention and design. Remember the origins of the internet, DARPANET etc? Independent of being literal truth, the old story that "The first crime on the internet was to use the internet for anything other than military reasons." speaks volumes and is grounded in reality.
A main motivator for the U.S. military opening up the internet to outsiders was to spy on them. Given that background there is fundamentally going to be no way to securely access the internet. Trying to is like trying to hold back the tide. You will not win.
What you CAN do is temporarily secure small little fiefdoms. This is to me akin to reclaiming land from the sea: yes, it can be done by nation-states, but individuals are best advised to be aware of where the line is and respect it.
Yes, the internet should be secure by default. However, that's a different question from "should ISPs be doing it?"
ISPs are not trustworthy, so any "security" imposed by them is meaningless. The internet should be secure by default through the protocol definitions, and enforced the same way that all internet protocols are enforced: if you don't conform, then you can't really talk with anybody.
I define "secure" for my own communications.
"Secure" means that nobody can understand or modify my communications without my express intention that they can do so.
When ISPs are literally snooping on everything you do because they can, then all the encryption in the world means NOTHING. We need an Internet where the ISPs keep their little brown noses to themselves and out of everyone's business; their role in a publicly-accessible Internet should be to provide connectivity to the public, not act as an 'advertising platform' in the interests of companies. Now, if ISPs want to provide broadband services for FREE to everyone then I can see where they'd have a right to snoop and insert ads and all the shit they do right now. But I'm PAYING for it? And they're DATAMINING me and selling that to other companies, so they can try to sell me shit I don't even WANT? Screw them.
Sure, and modern C++ prevents certain types of bugs, while allowing raw speed when needed. We also know that C++ isn't a passing fad.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
I'm not sure why people are trying to frame this in such a weird way, but agreed with the sentiment overall.
It's not like ISPs should be against security, or that they shouldn't adopt secure practices... it's more like that they should not interfere with Internet traffic at all because it's not their right to do so.
That's what the neutral argument stands for.
The minute you make ISPs responsible for all sorts of things regarding the Internet is the moment they appropriate it, and then you are gonna get nickel-and-dimed for everything, have your access interfered with in all sorts of ways to profit from your access, and you'll end up paying one way or another for having ISPs responsible for things they shouldn't.