Allicient

How many times have you looked at an apparent security measure and wondered what on earth was going through the mind of the person who implemented it?  Take the example of the humble garden shed; usually constructed from painfully thin wood panels nailed to a dodgy timber frame.  Then you look at the door and you see a padlock that looks like is was bought in a fire-sale from Alcatraz.  In reality, anybody wanting to steal from the garden shed would just kick in a few of the wood panels.

This sad state of affairs is pretty much what we’ve got as far as web and email security these days.  The recent proof of concept that created a real rogue CA certificate using MD5 collisions is a prime example. Everybody has known for quite some time now that MD5 is not collision resistant, it is so broke that collisions can be found within minutes on any standard desktop or laptop. That combined with the normal issues that arise with the use of HTTPS as I discussed previously really does leave web security in a sorry state of affairs.

There are sites that use decent certificate authorities (the ones that issue their certs using the SHA family and do more thorough checks before issuing a cert in the first place), and also implement HTTPS in a proper and secure manner. Most financial institutions, for example, follow good practice. Unfortunately, banks and financial institutions have also tacitly instilled a sense of trust amongst the web user. We assume online banking is secure, and online banking uses SSL/TLS: so other sites that use SSL/TLS must also be secure – and there-in lies the problem. It is in part why phishing sites work so well, we know our online banking is secure and the website in front of me is my online banking site… well, er, it certainly looks the same. How many times have you actually read and checked the warning your browser periodically spits out about certificate validity? For me its 50/50 at best, and I know better.

A fine example of this misplacement of trust was no better demonstrated than in a conversation I had the other day. The conversation in question was about how PGP public keys are exchanged. I’d highlighted that you have to get the fingerprint verified (either in person, over the phone, or by a trusted third-party keysign) before accepting or signing someone else’s public key. The response I received was somewhat dismissive – and this was from a group of information security professionals. Missing that one critical step may seem insignificant but it completely defeats the entire security model, hence rendering the use of cryptography in that situation nothing more than a big padlock on a wobbly garden shed.

So what’s my point? Firstly, technologies that employ the use of cryptography have to do it properly, or not at all. This blasé, half-assed, approach by developers and users alike is actually harmful; it takes hard earned trust from one area and transfers it into a wide-spread false sense of security. The second and more important point is that developers and system designers really need to shoulder much more of the responsbility. It’s not your email provider that’s going to have to deal with the fall-out of your account being hacked, it’s you. The business that’s purchased a cert from a CA that uses MD5 and had a load of their customers defrauded will have its reputation in gutter while the CA sits pretty.

The result of this is that its in our hands. If our browser spits out a warning about a site certificate, check it and find out why, then promply complain to the company in question. If your webmail provider isn’t using SSL/TLS properly then complain, if it’s not fixed then move providers. Probablty the best example of what end users screaming about an issue en masse can do is with Microsoft: for years their products were pretty bad in the security stakes, I would argue that there have been vast improvements since.

While the issue of cybersquatting is generally very well documented, I think we’re just beginning to see the rise of a phenomena far more insidious and damaging – and it is likely to affect the average person-on-the-street much more than it does celebrity personalities or big business.  What I’m talking about is online identity theft, or maybe “profile theft”.  Most of the time when you hear the words “identity theft”, thoughts of horror stories start coming to mind, but have you considered your “online identity”?  By that, I mean social networking or “blogging” sites like Facebook, MySpace, Digg, and the likes – if you haven’t, then it may be something worth looking into.

In the days of olde, and by that I mean anything pre-dating circa 2000, most people didn’t have an online presence as such.  Email was really just beginning to be seen as something nifty, cool or vaguely useful (despite it being around since the ’70s).  When you wanted to contact someone, you’d use the phone, or you could send an SMS message on their funky new mobile phone, you could even write a note/letter.  At a pinch you could even go round to their place.  If you lost contact, you’d likely have to ask amongst your friends or family if they knew how to contact them.  Notice in all of these, you can easily establish someone’s identity – be it via face-to-face interactions, their voice on a phone, handwritting, etc – the act of communication itself carried enough information to identify that person as the person you think it is.

Now consider the situation we have today.  You want to find someone, you can use a multitude of online services from Facebook to Friends Reunited – that person may even have their own website.  You might be able to do a Google search and find online tracks left by them.  Unfortunately, there is little inate information carried online to actually identify a person unless you are directed to a specific URL or profile by someone you already trust.  So, what’s the problem; you can just make sure you’re a little more careful when you make contact with someone to make sure they are who you think they are.  But that belies the true natrue of the problem: other people may not use such stringent checks.

This might not seem a risk until you consider the scenario where someone else creates accounts and profiles in your name.  They may even take photos from your own legitimate profiles, or use publically available information about you to make it more convincing.  Somebody you knew years ago who is trying to look you up may inadvertantly make contact with the forgery (which if taken to an extreme could have some pretty serious consequences), or the impersonator may put up false information on the forged profile which is damaging to your reputation.

Preventing this is fairly difficult due to a number of factors:  there are a lot of sites where you can network or “locate” people, which means a massive work load if you wanted to check for impersonations; even if you manage to do this, then its difficult to get the forged profiles or accounts removed; it’s much easier and quicker for an impersonator to create new profiles or accounts, so you’re fighting a losing battle; any damage may already have been done – to use an old axiom, its like trying to lock the barn door after the horse has bolted.

The problem is basically down to the loss of authentication information that was present in the ways we used to do things.  You would recognise a person’s voice or handwritting, but that’s not there in an anonymous email or online profile.  Passing on of contact details also had a certain amount of inbuilt protection as there was an assumed trust in the person giving you the information and an ultimate authentication when you actually talked to the person you wanted to contact.  Ironically, a partial solution to this problem has been around since the early ’90s with the advent of a bit of software called PGP (Pretty Good Privacy), which was principally designed for secure email communication between people who didn’t have a secure channel to send passwords or encryption keys (the software’s designer, Phil Zimmerman ended up getting brought up on arms charges by the US government because of it, and is often praised for promoting free speech).  PGP brought with it the concept of a Web of Trust – which basically means that if you have met your good friend Bob in real life, then you can in the electronic world state that fact, in a very secure and unforgable sense.  Assuming both Bob and yourself have done this with your whole social circle, then if someone Bob knows wants to email someone you know but hasn’t yet met, they can email with some certainty that it is the correct person – and not have to meet in person or talk on the phone.  A simple situation where this would be useful is that one of Bob’s friend’s lives in the US but wants to do business with someone you know – timezones are difficult, so being able to email off-spec and know for certain its the correct person is a useful thing.

When I was in my early teens, I’d actually obtained one of the very first versions of PGP (through a 2.4Kbps modem dialup to a BBS… ahhh the days).  Immediately, I’d recognised the importance of the Web of Trust construction.  Unfortunately when you are still at school and all your friends live within a three mile radius, it has somewhat limited applicability.  I do however think this concept has yet to really manifest in the psyche of the general internet public, and when it does, we’ll approach our online relationships in a completely different manner.

Its all fine and well for me to talk about using webs of trust, but the problem exists now; so what can you realistically do?  Well, for starters create your own profiles on the major social networking sites.  You don’t have to use them, but having them established is a good start.  It means that if someone malicious creates a profile in your name then anyone looking for you will see a duplicate and alarm bells will be raised.  The second piece of advice would be to get at least a minimum number of people you talk to on a daily basis to be on your “friends list” – an impersonator will find this hard to do with people you talk to everyday and will increase the authenticity of your profile.  The third piece of advice actually flies in the face of the prevailing thoughts on identity protection: publish a physically verifiable contact detail; a mobile number would even suffice, just enough so that someone that wants to contact you can phone and actually determine its you.  If you’re worried about your personal details, “Pay-as-you-go” mobiles come in at little over £15 now, just use that as your online contact.

** Update, Tuesday 23rd September 2008: to see just how dangerous online impersonation can be, have a look at this article. This debarcle happening on Wikipedia no-less, who would have thought it. Ah-hem. The article here is also useful for background.