John Fremlin's blog: A new information security stone age: the no-Santa clause

Posted 2011-04-29 22:00:00 GMT

[And now a guest post from my good friend, Thomas Köppe.]

We have been taught that the internet can be made to keep our bank data and our work documents and our love letters secure (whatever that means, but who doesn't want to feel secure?), as long as we look out for the little padlock in the address bar. But a major link in the security chain that makes all this happen has been compromised. The attitude of our modern information society is dangerously askew.

Last month, one of the so-called certificate authorities (CAs), which issue the cryptographic certificates that websites use to prove their authenticity to the user, and which contemporary browsers are practically hard-coded to trust, suffered a major security breach. An attacker (presumed to be of Iranian origin) obtained the login credentials of one of the resellers that Comodo, a US-based CA, allowed to request certificates on its behalf, and used that account to have Comodo issue fraudulent certificates for major websites including (but not limited to) Google, Yahoo, Skype and Mozilla. Anyone who holds such a certificate together with its private key, and who can get your traffic routed through them (by tampering with DNS or sitting on the network path, say), can pretend to be that website and link themselves into your communication, eavesdropping on and perhaps tampering with the information you believe to come from the genuine source. Your browser will show the padlock all the same, because the certificate chains to a root it trusts.
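To make the mechanism concrete, here is an added example (not part of this post, and not Comodo's or any browser's code), written in Go using only its standard library. It mints two constructed root CAs and puts both in a trust store, has the second one sign a certificate for mail.google.com (one of the hostnames the fraudulent certificates covered), and shows that default chain validation accepts the fraudulent certificate exactly as readily as the genuine one. It then applies the two checks that actually catch it: a blocklist of the known bad (issuer, serial) pairs, which is what the browser vendors shipped in response, and a pin of the genuine site's public key, which is a hypothetical client-side policy here. The CA names, serial numbers and keys are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// sign generates a fresh key pair and returns tmpl signed by parent.
// With parent == nil the certificate is self-signed, i.e. a root CA.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// chainOK is the default browser check: the leaf must chain to a trusted root
// and carry the hostname. Note that any trusted root may vouch for any hostname.
func chainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// certID identifies a certificate the way a browser blocklist does: by issuer
// and serial number (serial numbers are only unique per issuer).
func certID(c *x509.Certificate) string {
	return c.Issuer.String() + " serial " + c.SerialNumber.String()
}

// spkiPin hashes the SubjectPublicKeyInfo. A client that knows the genuine
// site's pin rejects a different key even when the chain verifies.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Outcome records how each check treats the genuine and the fraudulent leaf.
type Outcome struct {
	GenuineChainOK, RogueChainOK bool
	GenuineBlocked, RogueBlocked bool
	GenuinePinOK, RoguePinOK     bool
}

// RunScenario plays out the incident with constructed keys: a root the browser
// trusts is abused to sign a second certificate for the same hostname.
func RunScenario() Outcome {
	const host = "mail.google.com" // a hostname the fraudulent certificates covered
	now := time.Now()
	caTmpl := func(name string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		}
	}
	leafTmpl := func(serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
			DNSNames:  []string{host},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	siteCA, siteKey := sign(caTmpl("Genuine Root CA (constructed)", 1), nil, nil)
	abusedCA, abusedKey := sign(caTmpl("Abused Root CA (constructed)", 2), nil, nil)
	genuine, _ := sign(leafTmpl(100), siteCA, siteKey)
	rogue, _ := sign(leafTmpl(200), abusedCA, abusedKey) // attacker holds this key

	roots := x509.NewCertPool() // the browser's trust store: both roots are trusted
	roots.AddCert(siteCA)
	roots.AddCert(abusedCA)

	blocked := map[string]bool{certID(rogue): true} // known-bad certificates, after the fact
	pins := map[string]string{host: spkiPin(genuine)} // hypothetical pin known in advance

	return Outcome{
		GenuineChainOK: chainOK(genuine, roots, host),
		RogueChainOK:   chainOK(rogue, roots, host),
		GenuineBlocked: blocked[certID(genuine)],
		RogueBlocked:   blocked[certID(rogue)],
		GenuinePinOK:   pins[host] == spkiPin(genuine),
		RoguePinOK:     pins[host] == spkiPin(rogue),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with `go run` and it prints the Outcome struct. The two chain results are the point of the incident: with both roots in the store, chain validation is true for both certificates and the padlock appears for either. The blocklist only helps because the bad serials became known afterwards, and the pin only helps if the client knew the right key beforehand, which is exactly the kind of advance trust decision that the CA system was supposed to spare the user.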

In the wake of the recent security fiasco at Comodo [1a, 1b], I was at first pleasantly surprised that this event made it into the mainstream news [2a, 2b], but then it struck me: almost everybody who gets this news flash from any of the mainstream sources will respond (if at all) with a perplexed frown and a mental shrug, and move on to something more tangible or relevant to their lives. The Comodo hack has demonstrated one of the greatest weaknesses of the way we currently deal with trust on the internet, with potentially profound implications, but it will be nigh impossible to get anyone concerned about this, let alone to change their everyday Internet behaviour.

In fact, whenever I suggest to friends and colleagues things that could make their information security a little more robust, it is almost invariably clear that they won't change their behaviour, given that everything works just fine as it is and they have nothing to hide. (For those interested in the details: SSH, another secure protocol that is generally accepted to do a very good job, shows the price of doing without a central authority. It trusts a host key on first use, so the user has to make a trust decision every time they connect to a new peer, by checking the fingerprint the client shows them, and is warned afterwards if that key ever changes.)

At this point I would like to invoke what I call the No Santa Clause: nothing is free. It was once considered a milestone on the way to adulthood to shed one's belief in a universal benefactor who would bring things and ask nothing in return. Yet, in a turn most curious, our modern society seems to be turning this on its head, and when faced with computer technology, enlightened, educated adults are now more and more of the conviction that they should just get lots of stuff for free.

Before the advent of computers, it was generally possible for most people to understand large parts of their everyday environment, or at least to know in principle how they could come by that understanding. A. C. Clarke's sufficiently advanced technology was certainly not magic to us, and while an uncontacted South American tribe might be genuinely incapable of fathoming what makes a car move, none of us consider cars magic, and we could, at gunpoint, explain the basic idea of a combustion engine. But it is worth remembering that the combustion engine is a close cousin of the steam engine (as is a nuclear power plant, which is essentially a steam engine with an unusual boiler), and steam engines have been around for centuries.

However, with the advent of computers, we are facing a new situation, quite possibly a first in the history of civilisation. To most people, modern computers and networks are quite literally magic. We have simply no idea what makes them work. All we know is that if I edit my Google Spreadsheet in London today, I can open a browser in Calcutta tomorrow and continue writing. How does any of this work? I don't care, it just does, leave me alone. More and more of modern people's lives are being transferred entirely into the cloud, this magical vapour that has your photos and knows your friends wherever you are.

But wait — a service which allows you to access your entire life from anywhere in the world, instantly, and safely and securely? This really is a big deal, a huge service! And now we must wake up and realise that there is no Santa Claus: This service is not free. Perhaps (for the first time since the inception of money millennia ago) this service does not require us to pay money. But what it does require is responsibility.

The world of online information processing and security is a complex and complicated one indeed. But it is where most of our lives are now taking place. Just as we require car drivers to pass a test and drive responsibly, we absolutely must demand that everyone who uses computers and networks as integral parts of their lives does so responsibly. And this simply requires a certain extent of understanding of the subject matter. Security design is an art that nobody understands at this point, and there are no secure systems. (Anyone who claims otherwise is either dishonest or incompetent.) As security experts repeatedly put it [3a, 3b], everyone in the security chain avoids making the critical decisions and passes the burden around like a hot potato, until it eventually lands in the hands of the _one_ person who is least capable of making the right choice: the user. Anyone who has wildly clicked browser certificate warnings away in anger knows what I mean.

For the first time it would appear that many people are using tools that are way above their own level of competence, but they do so with little worry or desire to improve that competence. People's attitude has made a leap for which I struggle to find a historic precedent: from having observed at the end of the last century that computers can make some things easier, we have suddenly and inexplicably leapt to the immodestly entitled assumption that computers should make everything entirely free and easy. Nowadays, a suggestion that one should think about one's tools before using them will only earn you confused looks, and possibly accusations of elitism, neediness or lack of a sex life. Companies that specialise in making tools for people who like to work above their limitations have certainly helped foster this attitude, but what happened? Why do we believe that everything should be easy and just work?

I think complaining of our collective failure to understand security design is not helpful. Sure, there are a lot of things hardware and software vendors could improve. But ultimately, questions of security and trust require the user, you, to make a decision, and you will need enough basic understanding of How Stuff Works to make those calls. As it stands, our civilisation has come full circle, and it is no longer the Amazonian tribe (who doesn't use SSL), but it is us modern, enlightened people for whom most of our everyday technology is now so advanced that it is magic. If we continue to build a world in which the inner workings of most of our waking lives are understood only by a tiny elite of wizards, we may truly be coming around to face a medieval future. Santa hopes you have been good.
