The state of Internet security is a constant battle between newly understood threats and the defences designed to deal with them. In recent years, the focus has been on improving the security of transport layer connections, resulting in significant security improvements in the Internet. What additional things should we focus on in the future?
In 2013, surveillance revelations caused the world to reassess how much Internet communications were being monitored, leading to web site owners, browser vendors and the IETF making secure web communications more of a default in the Internet than it was before.
Several things have happened recently that have caused me at least to rethink where the current pain-points and threats are. We have gotten more news about how the Internet world affects the real world in unexpected ways, be it about data breaches, massive credit card data theft, fundamental vulnerabilities in underlying computing platforms, states attempting to influence others through Internet platforms, or the misuse of people’s personal information in order to influence them or the public opinion.
And this spring, two events co-incided to make an interesting contrast. At the IETF, we were debating whether it would be appropriate to reveal some information about latency to underlying networks, when all other information about the user’s session is encrypted. Such latency information would potentially help the underlying networks provide a better service, but some participants took a very fundamental position that revealing any information to underlying networks would be a slippery slope.
If you are interested in this specific discussion, see the IETF proposal (draft-trammell-quic-spin), slippery slope argument from Geoff Huston, and the counter argument from Brian Trammell. But it may be more interesting to think about the big picture:
Contrast this debate about literally one bit of information concerning latency to what was being revealed at the same time about data leaks from one social networking application: personal information about perhaps as much as 87 million people had been obtained through enlisting 300,000 people as users of a personality quiz app. The information collected from those users and their friends (also available to the app) was subsequently used for highly targeted political advertising. In other words, while we engineers discussed whether one bit in an envelope was dangerous information, terabytes of information flowed to the wrong hands inside the envelope.
All these incidents are of course mere examples, and their exact details may leave room for interpretation and debate. However, I think there’s a general issue that emerges from the barrage of leaks.
As with physical security, the pattern of attacks changes as defences evolve. The thief will not enter through a window if the door is open. The general issue is that communications security has taken major leaps in the last five years. First, by surveillance relevations which highlighted the threat. Second, by evolving technology that is easier to take into use and more secure (e.g., through HTTP/2, QUIC, Let’s Encrypt, or TLS 1.3). And most importantly, by web site owners turning secure communications on en masse.
The end result is that wholesale capture of communications on the wire is no longer as trivial as it was before. Consequently, data thieves will prefer other sources if available. And there are plenty of other targets:
- Endpoint devices may sometimes run on vulnerable platforms. For instance, the “Meltdown” issue discovered in early 2018 affected many popular CPUs.
- Software vulnerabilities are a big problem. These vulnerabilities can be, for instance, implementation errors in popular software components such as the OpenSSL Heartbleed bug discovered in 2014.
- Excessive rights granted to many applications increase the amount of software that must be reliable.
- Content provider or advertiser services, cloud systems, or operator databases of user credentials may have vulnerabilities, or may be targeted in attacks.
- Internet of Things system vulnerabilities can affect either the users of the things themselves, or be used as a medium to attack others.
The methods of accessing information through these targets can vary, from technical vulnerabilities to insider attacks to intelligence agency overreaches. And if the social network leak case teaches us anything, it is that far too many parties are trading information in a lightweight manner, from users to social media platforms and various partner services.
Where does this leave us, then? I think it is time again to take seriously what the real world is telling us, and help improve overall security — including things that are outside the pure communications security domain.
Of course, this will not be easy, but it is important because the stakes for the Internet users and our societies are so high.
There are some potential starting points. The first step in recovery is recognizing that you have a problem, and I think it would be helpful to agree that communications security only takes us so far.
The big question is how to get data under the user’s control better than it is today. Just as we spend a lot of effort in making sure that Internet protocols transporting information are secure, we need to pay equal attention to the data and the applications. What can be done to protect the data better, provide better privacy, or to improve portability of data or transparency about its use?
As with many other things, the issues are both technical and non-technical. And co-operation among many parties and across technologies will be needed.
As engineers responsible for building Internet infrastructure and frameworks, what can we do on the technology level? Is there something that can be done? Could we innovate ways in which a user’s information can be kept better in the user’s control, such as potentially encrypted under the user’s control? Or would better tools to track where our data is travelling be helpful?
One improvement area — and here I’m getting a bit more technical — is that most of the current Internet communications security is provided through protecting communications sessions with Transport Layer Security or TLS. It has been an extremely successful technology, and continues to be necessary for protecting our communications. Nevertheless, it is also important to realize its limitations. For instance, it naturally supports a model where decryption coincides with reception; for many problems we might actually want secure data, even when it is at rest, and possibly even through multiple (untrusted) transports. There are tradeoffs in encrypting information at different layers, but I think it is safe to say that we don’t have as much deployment or as good tools for data protection as we do for protecting transport layer sessions.
We will also need to continue to work with improving and analyzing the security software and hardware platforms. And address security issues in Internet of Things systems, be they about the protection of data produced by those systems or ensuring that those systems do not become vehicles for attacks against other systems.
What else can we do?
Acknowledgments: The author would like to thank B. Trammell, G. Camarillo, Z. Sarker, K. Moriarty, N. Widell, E. Fogelström, M. Stålnacke, G. Selander and many others for interesting discussions in this problem space.