Tuesday, October 26, 2010

The Web Was Never Safe, But We're Realizing It Now

It is generally agreeable that the Internet is not a very secure place. Some of our most confidential information is sent flying across the world in almost plain sight of everybody else, not to mention there are people actively at work trying to get that information. The only real defenses we have against this insecurity is encryption and permissions. Even antivirus programs are nothing more than scanners that alert you after you have been compromised. This has been almost the axiom of Internet communication since the beginning, but apparently we are only truly getting a sense of this problem right now.

Recently, Eric Butler, a freelance software developer from Seattle, released a proof-of-concept Firefox extension called Firesheep. The extension sniffs out cookies from your browser session and uses it to gather information from various "secure" websites. Web applications as popular as Facebook can be easily compromised by simply stealing the session id for the user, whether it be through the Firesheep extension or interception of the network data as it goes to the user. As Butler himself says, "Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely?" It is quite astounding how it took this long to realize exactly how at risk we are in the current world of computer security, and the worst part is that this is entirely caused by corporate and consumer ignorance.

Take Facebook as an example. Facebook does not encrypt their login page, so from the start your password is being sent unencrypted across an open network connection. Once you log in, the connection is still not encrypted, and authentication of the client is only determined through a session id stored as a cookie in your browser. (In case you did not know, that cookie is transferred unencrypted to and from your computer as your session takes place.) All Facebook would have to do is enforce SSL encryption on its site and the entire service would be ten times as secure, and the solution is not exactly difficult it implement with the human and computer resources Facebook has in its control. I apologize for singling out Facebook, though, as there are numerous other sites with the same problem. So why then do our current systems continue to remain so secure? The answer comes in two parts: the company and the user.

SSL encryption is costly. It uses CPU time and takes up more server load than normal. It also requires more human resources to try and work encryption into the core of the service. In other words, more money spent. A company does not want to spend more money than it has to. Furthermore, more server load means less users served in a given amount of time. In other words, less money earned. So to sum it all up, encrypting your website means more money spent and less money earned: not exactly the most exciting feature to add to your service. So why even add security features in the first place if they just cause pain and misery? Well, the sole motivation for a company to add security features is that they can advertise these security features in order to bring in more users, and more users equals more money (in most cases). So looking at it from a business perspective, you only need to implement as many security features as you can advertise to your users. Unfortunately for everybody, SSL encryption does not fall into this category.

People are ignorant of computers. They do not care what SSL encryption is, what SSH tunneling means, or even what the difference between Firefox and Internet Explorer is, as long as they can access the services they want to and do it in a quick, efficient, and seemingly secure manner. This fact is never going to change, nor would anybody want it to change. No matter what device you take, a computer, a screwdriver, an iPod, even a pen, there are going to be a group of people who make them and a group of people who use them, with some overlap in between. Trying to get everybody into that first group would be like trying to get everybody who writes to make their own pens. Not only is it ridiculous, but it is counter-productive to progress. Anyway, so many people do not care what encryption is, as long as the website they are going to says they are "secure" and "private". Other good key words are "fast" and "free". So since SSL encryption does not matter to the user, the sole motivation for a company to implement it has just been extinguished. It is the combination of corporate greed (to use a more blunt term) and consumer ignorance that is sending our Facebook information into Firefox extensions.

Unfortunately, things are not changing anytime soon on the corporate side, so it is up to the user to be aware and protect himself or herself. Believe it or not, Facebook actually does have an encrypted site; it just does not load it by default for the reasons aforementioned. The same applies for many other websites. So using a browser extension like HTTP Everywhere will force you to use the secure versions of the site, thus protecting your information. In addition, you would probably benefit from a service like LastPass. Rather than have one password for everything, have random passwords for individual sites and lock them under one master password. This can save you from mass fraud like that faced recently by Louis Gray (sorry to call you our Louis, you were the only example I could find). And the most important thing of all: use common sense and stay awake. There is nothing more helpful to your security and privacy than just looking around and hearing what's going on. Combining these tools can hopefully drag you our of the horrible stockpile of plaintext data.

No comments:

Post a Comment