The internet is a wonder, considering how complex and how it all seems to work as well: connectivity around the world quickly and cheaply. Behind the scenes, however, the Internet carries problems generated by the ideals of trust and simplicity that guided the creation of the network. The Digital Security column this week brings five examples. Check out.
1. The “lock” security on secure sites The “padlock” which appears on secure sites (HTTPS address) icon is a really trust on the web. But it is also a problem.
The first problem is that it does not mean that a site is secure. After all, what would a “safe”? Site
In any case, what he means is that the address is not played a fake website and that the connection is protected from eavesdropping. It is perfectly possible for a malicious site to use the lock, since it is not using an address that belongs to another website (and notice that for this, and sitefalso.com.br sitefalso.nom.br addresses are different, ie, a website can still have the lock even if you are trying to impersonate another). To solve this identification problem, EV-SSL, a newer type of certification, displays the name of the institution responsible for the site in the address bar of the browser. Thus, it becomes more evident (although not obvious) that the lock has to do with the identity of the website and not with the “safety” of it in fact.
Another problem is that the certificates that allow a site to display the padlock can be issued by various organizations around the world. All of them are allowed to issue certificates on behalf of any website in existence. For example, there is a separation for a Brazilian institution can only issue certificates for national sites. It’s always “all or nothing”, and there is no system to prevent the same address have two certificates.
This means that if any of the companies in the world that issues certificates to be compromised, the entire system falls apart because the hacker may issue certificates on behalf of any site and thereby impersonate them.
Another problem: when one of these institutions in fact present a safety problem, browsers can be updated to stop relying on it. But some of these companies have many customers that it is unthinkable to remove them, because many of the sites would crash overnight. In practice, therefore, many security lapses go unpunished except for small certifiers whose disqualification has no impact.
Proposed solutions: at the moment, there is no concrete plan to resolve this issue, but changes are being discussed.
2. Routes on the Internet Ever thought how your connection goes from Brazil to Japan?
There is a constant “conversation” between ISPs that determines the “routes” that a connection can take to get from point A to a point B. A provider can communicate that a route is congested, for example, that a route alternatively be used. Detail: all this happens on trust, and unfortunately that trust can be abused. The name of the protocol used for this discussion is the Border Gateway Protocol (BGP).
In practice it is possible that a provider says it is a valid route for a network that does not command it, getting all the traffic and can intercept connections. By mistake or intentionally, can also create a configuration invalid routes, preventing access to certain networks to users of providers who accept the incorrect route.
Proposed Solutions : There are several proposals for a provider can verify with certain degree of reliability if a route is valid or not, but a big change like this requires an immense cooperation of providers.
3. False Electronic connection Various attacks that occur on the internet are based on the falsification of origin of a connection. It is through this fake so-called “amplified attacks” are possible. A hacker sends a connection with false origin of this connection and the answer will come to the address specified by the hacker – who is the victim. So with a small request, the attacker generates a large response, amplifying their ability to attack to overwhelm the target.
This is only possible because some providers accept receive data whose origin does not match the network sends.
Proposed solutions : The solution is in a measure called the BCP38 or RFC2827, a recommendation for network administrators in 2000. Many networks today do not use this setting.
4. E-mail spam and the amount of messages that can be categorized as unwanted, or spam, is falling. Was over 90% in 2009, while current estimates are 70%.This reduction, however, came with certain costs: the construction of complex anti-spam filters, many legitimate messages incorrectly classified and immense unwanted traffic that is received by providers worldwide.
The email is still one of the main forms of transmission of viruses, as well as the entry point used by espionage attacks. The email used as “identity” on the internet, is rarely treated with such security.
Proposed solutions: Bill Gates, founder of Microsoft, said in 2004 that spam would end in two years, ie until 2006. He surely underestimates the problem. Some solutions have been proposed to identify senders, but they were not adopted by all providers and do not solve the spam problem. In Brazil, a measure was adopted that prevents infected home computers to send spam. The measure was successful, but is not used in many countries. Providers also tend not to cut the connection of firms when they use the connection to send thousands or millions of emails, which puts some Brazilian networks among the main sources of the world’s spam.
For the safety of e-mail providers started to provide safe means of access, such as two-factor authentication.
5. NAT address shortage and the number of Internet addresses is finite. This means that there is a limit to the number of computers that can be connected to the network. This problem was “solved” with a technology called NAT, or Network Address Translation. The NAT shares the same IP across multiple computers. The problem is that two computers may not have a direct connection if both are connected through NAT.
Software they need to perform direct connections such as voice and video applications need to use hacks to create “trick” the NAT, making him believe that a connection between the two computers already exist. That depends on a staging server, which is not always available, in addition to forcing developers to include this feature in their software, making complex something that should be fairly simple. Also raises privacy issues, since an intermediate must be involved in something that would be a direct connection.
Proposed solutions : protocols such as UPnP and NAT-PMP have been proposed to allow software systems to automatically configure NAT to enable direct connection to other devices. Many home routers have support for these technologies, however, a serious loophole in UPnP was published last year . The real solution must come with IPv6, which will increase the amount of available addresses. In IPv6 there is room for all computers have a real address on the internet, no need to share. IPv6 was proposed in 1998. Data for February 2014 indicate that only 3% of Google’s traffic comes from a system connected by IPv6.