Friday 30 August 2013

Self Signed Security

For many years we have been evangelising the strength of the hierarchical trust model of PKI and putting up large warning signs whenever we see a self-signed certificate.  I think we got it completely backwards, and have been putting our trust in the wrong place.

The entire PKI architecture was designed to solve the man-in-the-middle problem: how do I know you are who you say you are, and aren't someone else pretending to be you.  To do this we created certificates, which are signed public keys.  The theory is that we trust the certificate authority that signed the key, and believe that the registration authority have validated the identity of the subscriber who asked for the key to be signed.

But nearly everything about the theory is provably wrong.

We know that certificate authorities get to be that by paying a tax to browser manufacturers.  They are trusted because of a commercial agreement that is an externality to the users of the system.

We know for sure that we can't trust the certificate authority.  The breaches of Comodo and Diginotar allowed certificates to be minted by a CA that were false.  We know that intelligence agencies around the world can buy wildcard root certificates from CAs that will allow national governments to intercept all traffic.

We know that registration authorities do as little as possible to validate the subscribers, usually requiring no more than an e-mail from the domain in question, or merely trusting WHOIS records.

So what are the alternatives?

Definitely not certificate pinning.  This is not scalable, and doesn't address the underlying problems with the architecture.  It's a band-aid on a gaping wound.

Convergence looks interesting, but I suspect that if implemented as suggested it would suffer from all the same problems.  We now have to trust notaries, rather than certificate authorities, and it ends up looking like the web of trust model from PGP, and that failed dismally.

I propose that the answer is self-signed certificates.  I know that I trust me.  I control everything about the issuing and revocation of my certificates.  And so does every subscriber.  While it is possible to for anyone to mint a certificate that looks like me, they would have to mint certificates for everyone to undertake the current man-in-the-middle attack strategy.  We don't make it less secure for the defenders, but we make it exponentially more difficult and costly for the attackers, and that makes all us more secure.

Sometimes the old ways really are the best.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
 

Friday 23 August 2013

Game of Phones

Apple iOS 7 will be released next month, and it's time for us to once again declare our allegiance to our feudal technology overlords.  Overlords that are starting to feel remarkably like those from the popular HBO TV show.

Blackberry is House Stark.  Solid, loyal, dependable, secure and dead.  Their only hope are their bastard offspring.

Android is House Lannister.  They have spent many years behind the scenes manipulating the empire, and have only recently seen the opportunity to show their power openly.  Technologically dominant, and masters of strategy, they are sure they can think their way to the top, and then hold it.  Security comes through threat, rapid change and the culling of the weak.

iPhone is House Targaryen.  They have come from out of the wilderness and they have dragons, an ancient mystery that has not been harnessed by anyone in living memory.  They also have a sexy leader, and everyone emotionally wants to get behind them.  But after the initial revelations at the end of the first season, there really hasn't been anything new for the last two years.  Security comes through central control and fervent loyalty of the followers.

Windows is House Baratheon.  They were once dominant, but time has passed them by, and internal bickering stops them from really being a force any more.  Because they have ruled in the past, they believe they have the absolute right to rule in the future.  Security isn't a concern, only survival, but only the most loyal followers expect anything other than a spectacular crash.

The thing to remember is that the only winners in the Game of Phones are the main houses.  If you are a peasant or vassal - and in reality we all are - then the best we can do is raise our flag in support of one of the main houses, and hope they don't sacrifice us for their greater good.

Until then, enjoy the ride.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
 

Friday 9 August 2013

War on War on Cybercrime

Be afraid.  Be very afraid.  The UK has just announced that it is losing the war on cybercrime, and needs to consolidate cybercrime policing into a new unified structure as part of a shakeup of the country's policing.

Any time a government declares a “war on something”, it costs money, achieves nothing, and distracts from the real issues.  For recent examples consider the total failure of the “war on drugs”, “war on terror”, and “war on poverty”, just to name a few.  War on cybercrime will be no different.

All of these wars are justified by the belief that the government needs to be seen to be doing something, combined with the unshakeable assertion that they are better at protecting us than we are at protecting ourselves.  I disagree with both sides of the argument.

We live in a world with a higher standard of living, with more freedoms and less crime than ever before.  There is no public outcry to protect us.  The only outcry is that generated by the media and the government themselves.

What we need is better education and the tools to protect ourselves.  We are all being attacked all the time, and we can protect ourselves without relying on an ineffective government oversight body that in the end does nothing but serve platitudes.

We need to declare a war on the war on cybercrime.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
 

Friday 2 August 2013

IPv6 Insecurity

Vint Cerf - one of the founders of the Internet - quipped last year that the current IPv4 Internet is the experimental version, and that IPv6 is the production version.  If this is true, then approximately 100% of businesses are still on the beta release and have no plans to move to production.  How can this be, in a world of 36 month IT replacement cycles, when IPv6 has been deployment ready since 1999?

There are a number of reasons, some technical, some psychological, but all to do with security.

Reason #1: Making unnecessary changes breaks things.  There is no compelling reason even today to move to IPv6.  The total number of IPv6 *only* services is approximately none, so not migrating does not limit anything.  Sure we will eventually run out of IPv4 address space, but I predict we will make do at least until 2020.

Reason #2: Complexity reduces security.  Not everything supports IPv6, so deployment requires a dual-stack approach, which significantly increases complexity, and therefore decreases security.  While this is true today, given a 36 month IT replacement cycle, everything will eventually support it by 2016.

Reason #3: We don't understand it.  This is the real reason for the lack of adoption.  IPv6 is not just IPv4 with longer addresses.  It does some things very differently than IPv4, and breaks the well-understood IPv4 security model.  There is no NAT.  There is no ARP.  Multicast matters.  ICMP matters.  We could fix this today, but it will take a generational change of CIOs to really embrace it.  Maybe it won't be scary by the Unix timestamp rollover in 2038.

Interestingly for those of us with a few grey hairs, we've been here before.  We made this same transition from IPX to IP in our Novell networks 20 years ago, but with one very significant difference.  We didn't dual-stack.  On a flag day we just changed all the configurations and got on with it.  But we can't do that this time, because now everything is interconnected, and the risk of cutting ourselves off today is much higher than the risk of running out of addresses at some point in the future.

IPv6 is definitely the future.  While the future is already here, and not very evenly distributed, for most of us the time is just not right.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com