Everything is broken. Just ask any security engineer. Way back in 1998, the members of the hacker collective L0pht testified to Congress that they could take down the entire Internet in 30 minutes by abusing BGP, the Border Gateway Protocol, an obscure but critically important routing system. That was seventeen years ago and BGP is still vulnerable. Everything is terrible.
OK, granted, the Internet has survived those seventeen years–but more by luck than by design. In theory almost any ISP could wreak havoc on it. Last year someone used BGP’s vulnerabilities to steal $100,000 from Bitcoin miners. Two years ago, infamous spyware purveyors Hacking Team used BGP to hijack IP numbers it didn’t own. There are frequent reports of massive amounts of Internet traffic taking dubious routes through faraway servers. In 2008, Pakistan accidentally knocked YouTube offline for two hours with a BGP misconfiguration. Etcetera, etcetera, etcetera.
It’s not just BGP. The Domain Name System that maps domain names to IP numbers has been fundamentally vulnerable to various attacks since birth, and attempts to secure it began in the nineties. Secure DNS, catchily named DNSSEC, is a real live thing used by … probably less than 13% of DNS validations worldwide. Its counterpart, BGPSEC, is … still awaiting final specification.
Again, DNS and BGP were well known to be highly vulnerable last century.
Wait, it gets worse! Even the fixes are dubious. Both DNSSEC and BGPSEC rely on the same kind of hierarchical trust system of certificates and certificate authorities that SSL and TLS rely on. For browsers, at least, that system is “hopelessly broken.” Your browser trusts scores of “root certificates,” any one of which could be hijacked or compromised.
Certificate pinning and forward secrecy help a lot, but the root problem remains: hierarchical trust systems are, well, hierarchical. If a certificate authority is compromised–which is in no way a theoretical concern–then everyone who trusts that CA is screwed to some degree.
Feeling bleak yet? Just wait! I’m just getting started. Those are giant gaping abysses that underpin the security of the Internet itself, papered over with flimsy catwalks made of cardboard and duct tape. But even if you do manage to securely connect to the site you wanted to reach, a whole new slew of problems erupts. You probably have Flash installed and automatically running on your browser. You poor, poor, fool.
You may even have Java running. You really shouldn’t. But even if you’re doing everything right on your end, and connecting to the right server, there’s a terrifyingly high chance that they are enforcing all the security of a kindergartner’s pillow fort. Here in the year of our Common Era 2015, semi-major web sites are still storing their users’ passwords in plaintext, rather than salting and hashing them as they really, really, really should be. (eta: an expert friend reminds me that this is old-school thinking; better yet to use bcrypt.) And, of course, a lot of those passwords are probably “Password” or “12345678”. At least use decent passwords, please, or better yet, a password manager.
Online security is a classic Pandora’s Box —
— but don’t forget the last thing Pandora found in there. There is, indeed, hope.
You can turn off Flash. You can turn off Java. You can use a password manager. We can conceivably, eventually, replace hierarchical certificate authorities with decentralized blockchain-based services. We know how to improve our collective security. We just haven’t bothered to do it for the last 20 years, because security is hard, and gets in the way of getting anything else done. I like to hope, though, that we’re all finally beginning to realize that we’ll all benefit tenfold from our collective investment in, and deployment of, real security.
Too optimistic? OK: let’s just hope that we collectively realize this before we’re forced to do so by a series of genuine disasters. In 1998 taking down the Internet would have been no big deal. But as software eats the world, the security stakes get larger every year.