Thursday, August 16, 2007

Security - They'll Do It No Way

I am hacking my way through the House of Lords report into Personal Internet Security and, like most of these things, it is tough going. However, I already have views on their discussion of application security.

You see, there are a number of different ways to end up with insecure applications:
  • Poor (or no) security requirements specification
  • Poor protocol and algorithm design
  • Poor implementation
  • New attack vectors not considered at the above stages
  • Use over new or less secure infrastructure
  • Use for new purposes with greater security risks
  • Users not deliberately bypassing security
Managing all of these, especially the last four, over any extended period is extremely hard. Managing even the first three has proved beyond every operating system vendor, and beyond all bar the few best (and most expensive) hardware vendors, to date.

Look at the User Datagram Protocol - designed for simplicity and low overhead, with no security considerations at all. It is now used by a number of critical internet infrastructure components, including DNS (Domain Name Service), which is what makes the whole thing more-or-less usable.

Look at email - it mostly works absolutely fine, if you treat it as a postcard. But there were fundamental issues. Originally, your email came to your terminal (it was acting as an email server), so you didn't need to fetch it via POP or IMAP - which transmit your password (which may also be your user account password) in clear text. Or the requirement for sender identification, the lack of which makes spamming so easy. Or what happens if you give somebody else your email authentication details? Or attached executable files (including data files with executable components).
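As an added example (not part of the original post), here is a small defender-side scanner illustrating the POP/IMAP point above: given the client-to-server lines of an unencrypted mail session, it reports each place a username and password crossed the wire in the clear. It also handles SASL PLAIN, which is base64-encoded but not encrypted, so the credentials are just as recoverable. The function names and the embedded sample lines are constructed for this example and are not from the post.

```python
"""Flag cleartext POP3/IMAP authentication in captured client traffic.

Added example, not from the original post. Input is a list of client->server
lines as they would appear in a capture of a session on port 110 or 143.
Passwords are never stored in the findings; only the fact of exposure is.
"""
import base64
import re

# Commands that carry credentials in the clear on an unencrypted session.
POP3_USER = re.compile(r"^USER\s+(\S+)\s*$", re.I)
POP3_PASS = re.compile(r"^PASS\s+\S.*$", re.I)
POP3_AUTH_PLAIN = re.compile(r"^AUTH\s+PLAIN(?:\s+(\S+))?\s*$", re.I)
# IMAP commands are prefixed with a client-chosen tag (e.g. "a001").
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)\s*$', re.I)
IMAP_AUTH_PLAIN = re.compile(r"^\S+\s+AUTHENTICATE\s+PLAIN(?:\s+(\S+))?\s*$", re.I)


def _unquote(s):
    """Strip the double quotes IMAP clients often put around LOGIN arguments."""
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def decode_plain_initial_response(token):
    """Return the authentication identity from a SASL PLAIN blob, or None.

    PLAIN is base64 of 'authzid\\0authcid\\0password'. Base64 is an encoding,
    not a cipher, so everything in it is recoverable by anyone on the path.
    """
    try:
        parts = base64.b64decode(token, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace")


def find_cleartext_credentials(client_lines):
    """Scan client->server lines and return one finding per credential exposure."""
    findings = []
    pending_user = None    # POP3 USER seen, waiting for the matching PASS
    awaiting_plain = None  # protocol whose AUTH PLAIN blob is on the next line
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if awaiting_plain:
            proto, awaiting_plain = awaiting_plain, None
            if line != "*":  # "*" is the client aborting the exchange
                findings.append({"protocol": proto, "mechanism": "AUTH PLAIN",
                                 "username": decode_plain_initial_response(line),
                                 "password_exposed": True})
            continue
        m = POP3_USER.match(line)
        if m:
            pending_user = m.group(1)
            continue
        if POP3_PASS.match(line):
            findings.append({"protocol": "POP3", "mechanism": "USER/PASS",
                             "username": pending_user, "password_exposed": True})
            pending_user = None
            continue
        m = IMAP_LOGIN.match(line)
        if m:
            findings.append({"protocol": "IMAP", "mechanism": "LOGIN",
                             "username": _unquote(m.group(1)), "password_exposed": True})
            continue
        for proto, pattern in (("IMAP", IMAP_AUTH_PLAIN), ("POP3", POP3_AUTH_PLAIN)):
            m = pattern.match(line)
            if m:
                if m.group(1) is None:      # no initial response: blob follows
                    awaiting_plain = proto
                else:
                    findings.append({"protocol": proto, "mechanism": "AUTH PLAIN",
                                     "username": decode_plain_initial_response(m.group(1)),
                                     "password_exposed": True})
                break
    return findings


# Constructed sample: what an unencrypted capture of a mail client might show.
SAMPLE_CLIENT_LINES = [
    "CAPA",
    "USER alice",
    "PASS hunter2",
    "STAT",
    'a001 LOGIN bob "s3cret"',
    "a002 AUTHENTICATE PLAIN AGJvYgBzM2NyZXQ=",  # base64 of "\0bob\0s3cret"
    "a003 AUTHENTICATE PLAIN",
    "AGNhcm9sAHBhc3M=",                           # base64 of "\0carol\0pass"
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CLIENT_LINES):
        print(f"{f['protocol']} {f['mechanism']}: user={f['username']!r} "
              f"password exposed in clear")
```

The findings deliberately omit the password itself, so the scanner's own output does not become a second place the secret is written down. The fix for what it reports is on the server side: only offer POP3/IMAP over TLS (POP3S/IMAPS, or STARTTLS/STLS with plaintext authentication disabled until the session is encrypted).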

None of the last four are within the control of the application designer or vendor and none of them, with the limited exception of some things around new infrastructure, are within the control of the end-user's ISP.

So this requires a degree of co-operation to get it all right - users, ISPs and vendors. Difficult to arrange, isn't it? Now, if the government tried to impose a solution, through legislation or regulation, we know it would all go to ratshit.

And, of course, you need to consider that, for anything we already use, the first four battles have been comprehensively lost. As their Lordships acknowledge:
We see no prospect of a fundamental redesign of the Internet in the foreseeable future.

It reminds me of the Director who insisted that I redesign the world-wide email system because somebody had sent spam with his email address as the putative source.

(c) 'Surreptitious Evil' 2006 - 2017.