Security on the Internet
Monday, August 16th, 2004
So I’ve not blogged in ages. So sue me. I didn’t want to cheapen this blog with something that might be vaguely interesting, and wanted to keep it pretty much at the level of mindless drivel. Anyway, on to my story for today.
Basically, all traffic traversing the Internet should be encrypted. Now the IPv6 people are hoping that this will be using IPsec. However, IPsec’s already showing its failings and it’s barely used for anything as it is. It has trouble with NAT (although NAT-T helps here), it has trouble with anonymous people connecting with a passphrase (either a passphrase is tied to an IP, or everyone has the same passphrase), and everyone just firewalls it anyway. Sigh.
Alternatively we have TLS, which practically every service under the sun supports. You can run SMTP, HTTP, IMAP, POP3, LDAP, even telnet over TLS. I believe the IETF have a requirement that new protocols should support TLS. The only one of these which has been widely successful has been SSH, and occasionally HTTP. Practically, in the real world, none of the other services exist.
Why? Because it’s hard to get certificates. They cost money, sometimes lots of money. Verisign charge you snotloads for their certificates, although other places do sell them for much cheaper prices.
A lot of the PKI infrastructure that we use today is based on the old X.509 systems that were developed so long ago, they’re older than I am. They’re based on a “Telco” model where a telco has all the control and manages everything for you. It’s based around a single root and other crazy ideas that just don’t work in today’s Internet.
But, on the other hand, the Internet does have a single root: the DNS root. We even have a specification for signing DNS as far up the tree as we want. We have a specification for storing keys in DNS; well, actually we have several for some reason. Yet no one’s interested in doing DNSSEC for some reason. Once DNS is secured, you can store public keys in DNS and people can use them to connect to you. Now the huge expense in buying and maintaining SSL certs vanishes. The problems with not being able to virtual host SSL sites still exist, although with IPv6 this is no longer a real issue (2^64 hosts per subnet means a LOT of virtual hosts before you run out of addresses). But, if you have IPv6, you have IPsec.