Home / Blogs

Mind the Step(-function): Are We Really Less Secure Than We Were a Year Ago?

Leslie Daigle

In January 1995, the RFC Editor published RFC 1752: "The Recommendation for the IP Next Generation Protocol," which included this interesting perspective on Internet security:

We feel that an improvement in the basic level of security in the Internet is vital to its continued success. Users must be able to assume that their exchanges are safe from tampering, diversion and exposure. Organizations that wish to use the Internet to conduct business must be able to have a high level of confidence in the identity of their correspondents and in the security of their communications. The goal is to provide strong protection as a matter of course throughout the Internet.

The Internet is a security officer's nightmare — so much openness, so easy to capture packet traffic (and/or spoof it!) and send all manner of unwanted traffic. It was built as a research network, hosted by institutes that were 1/ professionally responsible and 2/ interested in working together collegially.

So, in the 19 years since the publication of that statement, have we really failed to address the stated goal?

The gut-reaction answer is "yes!", but I think we should be careful about how we review history. The reality is that there has been slow, steady improvement in the basic level of security in the Internet, in response to known, credible threats. Very few people use cleartext passwords, or unencrypted POP protocol to get their email. We are, collectively, much better at dealing with phishing attempts, at least in business contexts. Networks are operated at business-level reliability, which includes regular monitoring for odd activities. People don't generally experience diversion of or tampering with their traffic — at least not in ways that impede them getting done what they set out to do. So, yes, we don't have strong protection as a matter of course throughout the Internet, but we do have a functioning and functional Internet.

In my opinion, the big difference the past year's revelations about government surveillance make is a step function change in understanding of credible threats. As those threats were not known (or believed), we haven't ramped up to address them; our security mechanisms have not kept the pace we needed.

As we look to address that gap, we should bear in mind our best path to do so that doesn't impede our ability to have that functioning and functional Internet. Andrei Robachevsky recently published "The Danger Of The New Internet Choke Points" on the Internet Technology Matters blog, which explains the Internet Society's perspective on how to achieve security through collaborative stewardship. From the post:

In our paper submitted to the W3C/IAB workshop on "Strengthening the Internet Against Pervasive Monitoring" (STRINT), we looked at the problem of pervasive monitoring from an architectural point of view. We identified some components of Internet infrastructure that provide attractive opportunities for wholesale monitoring and/or interception, and, therefore, represent architectural vulnerabilities.

Can their impact be mitigated? And how? Can the Internet evolve to reduce such vulnerabilities, and what would be the driving forces? What are the forces that could prevent this from happening? We pondered these questions, too, and encourage you to read our paper, provide feedback in the comments below, and engage in the dialog that will be coming up at IETF 89 in London.

We welcome your feedback, too!

By Leslie Daigle, Principal, ThinkingCat Enterprises and Editor, InternetImpossible
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

To post comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC