<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<pubDate>Sat, 16 Jan 2010 20:31:16 GMT</pubDate>
		<ttl>3600</ttl>
		<title>SMBlog -- Steve Bellovin's Blog</title>
		<link>http://www.cs.columbia.edu/~smb/blog/</link>
		<description>Pseudo-Random Thoughts on Computers, Society, and Security</description>
		<image>
			<width>88</width>
			<height>48</height>
			<title>SMBlog -- Steve Bellovin's Blog</title>
			<url>http://www.cs.columbia.edu/~smb/blog//pictures/s_dscn1633.jpg</url>
			<link>http://www.cs.columbia.edu/~smb/blog/</link>
		</image>
		<atom:link href="http://www.cs.columbia.edu/~smb/blog/control/blog.xml" rel="self" type="application/rss+xml" />
<item>
<pubDate>
Sat, 16 Jan 2010 20:30:53 GMT
</pubDate>
<title>Why Isn't My Web Site Encrypted?</title>
<description>
In an NY Times
&lt;a href="http://roomfordebate.blogs.nytimes.com/2010/01/15/can-google-beat-china/#steven"&gt;Room
for Debate posting&lt;/a&gt;,
I urged a lot more use of encryption, even for routine posts.  But my blog and web site are
not encrypted.  Why not?  And can I fix it?
&lt;P&gt;
The short answer to the first question is simple: when I set up the blog, a few years ago,
I just didn't think about it.  The second question, though, is remarkably hard to answer.
&lt;P&gt;
Proper web site design uses relative links.  That is, instead of writing something like
&lt;blockquote&gt;
&lt;tt&gt;&amp;lt;a href="http://www.cs.columbia.edu/~smb/blog/2010-01/2010-01-13a.html"&amp;gt;...&amp;lt;/a&amp;gt;&lt;/tt&gt;
&lt;/blockquote&gt;
to refer to the previous post, I should simply write
&lt;blockquote&gt;
&lt;tt&gt;&amp;lt;a href="2010-01-13a.html"&amp;gt;...&amp;lt;/a&amp;gt;&lt;/tt&gt;
&lt;/blockquote&gt;
That makes it a lot easier to move web pages around.
If people only viewed the blog as a web site, I would do that.  But many people view it via a variety
of RSS readers, which poses several problems.
&lt;P&gt;
First, many RSS readers don't seem to do the right thing with relative links.
Relative links that work perfectly well on the web site don't work at all
via RSS feeds.  Maybe my directory structure is wrong for that; still, I haven't gotten
it to work.  For that matter, links to postings in the RSS feed itself appear to need to 
be absolute.  Again, maybe I'm doing it wrong, but I could never get that to work properly.
&lt;P&gt;
I also need to maintain backwards compatibility; I want all old links to continue to work.
&lt;P&gt;
There's another problem: if you use &lt;tt&gt;https:&lt;/tt&gt; (i.e., if you use an encrypted web page),
you need a &lt;i&gt;trust anchor&lt;/i&gt;, a starting point for the certificates that verify a site's
identity.  Your browser has a lot built in; last time I checked, Firefox listed about 165
trust anchors (sometimes known as "certificate authorities" in this case).  What trust anchors
do RSS readers use?  There are only a handful of important browsers; there are many more
RSS readers and aggregators.  What about search engines?  Whom do they trust?
(Do search engines even crawl &lt;tt&gt;https:&lt;/tt&gt;-protected pages?  Content isn't very findable
unless it's indexed by Google, Bing, Yahoo, etc.)
&lt;P&gt;
Finally, a noticeable portion of my web site is generated by programs.  I'd have to modify
the programs and/or their configuration files or wrapper scripts to spit out
&lt;tt&gt;https:&lt;/tt&gt; instead of &lt;tt&gt;http:&lt;/tt&gt;, or possibly even create duplicate copies of pages.
I'd also have to go back and fix up the absolute URLs when I can.
I can't just do a blind substitution, though, because things like BibTeX entries need to
contain the absolute references (to the &lt;tt&gt;https:&lt;/tt&gt; copy?), rather than relative ones.
&lt;P&gt;
So what am I going to do?
I will indeed upgrade the site to ensure that everything is accessible with or without
encryption.  It's going to take a while to do that, especially because the semester starts
in a few days and I'm not going to have much free time.
But remember this: if I can't do a flash cut to ubiquitous encryption, neither can a big web
site like Google or the NY Times.  Granted, being a web site maintainer isn't my full-time job;
on the other hand, my site is a &lt;i&gt;lot&lt;/i&gt; less complex.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2010-01/2010-01-16.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2010-01/2010-01-16.html</guid>
</item>
<item>
<pubDate>
Fri, 15 Jan 2010 03:44:26 GMT
</pubDate>
<title>Google, China, and Lawful Intercept</title>
<description>
Like many people, I was taken by surprise by Google's announcement
about its threatened withdrawal from China in the wake of continued
censorship and attacks that appeared to emanate from  there.  My 
immediate reaction was quite simple: "Wow".
&lt;P&gt;
There's been a lot of speculation about just why they pulled out.
&lt;a href="http://www.nytimes.com/2010/01/14/world/asia/14beijing.html"&gt;Some
reports&lt;/a&gt;
noted that Google has been losing market share to Baidu.
Under those circumstances, cutting losses makes sense.
Yahoo and many other Western companies
&lt;a href="http://www.reuters.com/article/idUSTRE60D0SD20100114"&gt;have
done that&lt;/a&gt;.
&lt;P&gt;
I don't think, though, that that's the whole story.  Blaming China
not for its rules, which the Chinese government defends, but for
hacking is an entirely different kettle of fish.  That is a move
more or less guaranteed to raise the ire of Chinese government officials,
and quite likely block the return of Google to China for a very long time.
And, of course, there's no reason to think that if China has indeed been
attacking Google, this will make it stop -- quite the contrary, I
suspect.
&lt;P&gt;
There is, I suppose, a line of reasoning that assumes that China will
retaliate for the insult by blocking access to all of Google's services,
including gmail; this in turn might mean less use of gmail by Chinese
dissidents, which in turn would give the government less reason to hack Google.
I don't buy it.  There are lots of other reasons to hack.  The
&lt;a href="http://online.wsj.com/article/SB126333757451026659.html"&gt;Wall Street
Journal&lt;/a&gt;
says
&lt;blockquote&gt;
	Much of the data stolen from Google was its "core source code," Mr.
	Mulvenon said. "If you have the source code, you can potentially
	figure out how to do Google hacks that get all kinds of interesting
	data." Among the data, would be the information needed to identify
	security flaws in Google's systems, he said.
&lt;/blockquote&gt;
Beyond that, the source code to much of Google's infrastructure has
immense value, though I should add the caveat that &lt;i&gt;running&lt;/i&gt;
an operation of that scale requires a lot more than a code base.
All in all, this looks like an
&lt;a href="http://online.wsj.com/article/SB126333757451026659.html"&gt;extremely
rare case of a foreign company taking a stand on human
rights&lt;/a&gt;.
In fact, the Wall Street Journal unambiguously
&lt;a href="http://online.wsj.com/article/SB10001424052748704675104575001281662251848.html"&gt;credits
Sergey Brin&lt;/a&gt;
for the initiative.
&lt;P&gt;
The most interesting aspect of the whole affair, though, might be one of
the ways the attacker got in.
&lt;a href="http://www.crypto.com"&gt;Matt Blaze&lt;/a&gt;
pointed me at
&lt;a href="http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=28293"&gt;an
article&lt;/a&gt;
that states that the attackers abused the "lawful intercept systems"
-- the mechanism that Google uses to comply with subpoenas.
If this is true, it represents another major abuse of such mechanisms,
probably second only to
&lt;a href="http://spectrum.ieee.org/telecom/security/the-athens-affair"&gt;the
Athens Affair&lt;/a&gt;,
where parties unknown used an analogous mechanism in a Greek cell phone
switch to eavesdrop on some mobile phone calls in Athens.
&lt;P&gt;
Unfortunately, I can't say I'm surprised that such things can happen.
My colleagues and I have been warning for years of the risks of
schemes to ease government access.  (There are a number of papers and
essays on the subject
&lt;a href="http://www.cs.columbia.edu/~smb/papers/#policy"&gt;on my web
page&lt;/a&gt;.)
The proper question is no longer whether or not lawful intercept
schemes are dangerous; I think that question is now settled.  Rather,
we must ask this: are the dangers from lack
of government access to nasty people's communications greater or less
than the dangers from other nasty people abusing these self-same mechanisms?
I don't think that that perspective has been adequately addressed.
&lt;P&gt;
Given that, another Google announcement -- that
&lt;a href="http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html"&gt;they're 
turning on https by default&lt;/a&gt;
for gmail users -- is quite intriguing.
Six months ago, I was
&lt;a href="http://www.cloudprivacy.net/letter/"&gt;one of the
signatories&lt;/a&gt; on a letter that
&lt;a href="http://www.dubfire.net/"&gt;Christopher Soghoian&lt;/a&gt; drafted
calling for just such an action.
The
&lt;a href="http://gadgetwise.blogs.nytimes.com/2010/01/13/google-upgrades-security-on-gmail/"&gt;official word&lt;/a&gt;
is that https would not have prevented these attacks:
&lt;blockquote&gt;
	Sam Schillace, an engineering director at Google Apps, said the
	shift to default HTTPS was not prompted by the attacks and, to the
	best of his knowledge, would not have averted them. The move had
	been in the works for some six months, during which time Google
	engineers did extensive testing and made numerous technical fixes to
	enable a smooth transition.
&lt;P&gt;
	However, the announcement itself was prompted by the attack news.
	"The Gmail team decided, why wait?" he said.
	"We want our users to be as safe as we can make them
	be."
&lt;/blockquote&gt;
Indeed, if the lawful intercept mechanism was on the plaintext side
of the decryptor, the new defense would not have helped.  But there are many other
threats to communications, and it's a lot easier for the Chinese
government (or any other government) to tap communications on its own
territory.
&lt;P&gt;
This is still a hot, breaking story, and I don't claim to know everything
or even close to everything about it.
I'm sure that more details will come out over the next few weeks.
Brian Krebs
&lt;a href="http://www.krebsonsecurity.com/2010/01/the-wire-google-security-edition/"&gt;has
an excellent summary article posted&lt;/a&gt;;
I hope he'll continue to update it.  For the moment, though, my
tentative conclusions are that genuine ethical concerns, possibly coupled
with ire about the hacking, have led Google to take a step that
may not be in their best long-term financial interests.  Such behavior
by corporations
is rare but praiseworthy.
&lt;P&gt;
&lt;hr&gt;
Update: I should have added -- I do receive a small amount of research funding from
Google.  Virtually all of this money has gone towards student travel to conferences.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2010-01/2010-01-13a.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2010-01/2010-01-13a.html</guid>
</item>
<item>
<pubDate>
Thu, 14 Jan 2010 14:03:42 GMT
</pubDate>
<title>Why I Won't Buy an E-book Reader -- and When I Might</title>
<description>
There have been many news stories lately about ebook readers.  The
New York Times said that they were
&lt;a href="http://www.nytimes.com/2010/01/09/technology/personaltech/09reader.html"&gt;prominently
featured&lt;/a&gt;
at the Consumer Electronics Show.  Amazon is pushing its
&lt;a href="http://www.amazon.com/kindle/"&gt;Kindle&lt;/a&gt;;
Barnes and Noble has its
&lt;a href="http://www.barnesandnoble.com/nook/"&gt;Nook&lt;/a&gt;.
There are many other aspirants, either on the market now or waiting in
the wings.  For now, though, I'm sitting on the sidelines.
&lt;P&gt;
Many of my objections are familiar.  Some readers,
like the Kindle, use proprietary
formats.  The Kindle and the Nook are optimized for buying books from a
single vendor -- bye bye, competition, and if the vendor decides that
the product is obsolete or the company folds, I'm left with not just another
electronic paperweight, I may also lose access to my books.  Speaking of
which -- could Amazon possibly
have found a less-apt target for retroactively
not selling something than
&lt;a href="http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html"&gt;George
Orwell's &lt;i&gt;1984&lt;/i&gt;&lt;/a&gt;?
You can't make up stuff like that!
&lt;P&gt;
The issue of vendor control is a very deep and troubling one.  Avi Rubin
&lt;a href="http://avi-rubin.blogspot.com/2009/03/ill-update-my-software-when-im-good-and.html"&gt;has pointed
out&lt;/a&gt; that Amazon
decides when or if they're going to update the software on Kindles; this is,
to say the least, suboptimal.  If you buy a product because it has certain
features and the vendor later removes those features, have they violated
your rights?  To be sure, their lawyer probably stuck some clauses in
the shrink-wrap license, but you almost certainly didn't read it...
&lt;P&gt;
Then there are format issues.  Amazon has their own, proprietary format,
which is part of the whole vendor lock-in.  I can't give away or lend books
the way I can with physical objects, save for the very restricted
lending with the Nook.  Even then, you can only lend the book to another
Barnes and Noble customer.  Yes, I understand the publishers' and vendors'
motives for imposing such restrictions.  They have their own needs and
goals, some of them very legitimate.  That said, my goal is to optimize for
my own interests, not theirs;
often, though, theirs and mine conflict, and for now my interests
are better served by dead tree editions.
&lt;P&gt;
Beyond that, I spend far too much of my life on airplanes.  I can
read a physical book when the plane is below 10,000 feet; I'm not allowed
to use an electronic device.  Yes, it would be nice to cut my carry weight
for books on long trips, but even that doesn't quite tempt me.
&lt;P&gt;
Given all that, why am I still mulling the idea?  I have a lot of books.
Strike that -- I have a &lt;i&gt;&lt;b&gt;LOT&lt;/b&gt;&lt;/i&gt; of books.  I don't know
how many, even approximately; I do know that they occupy at least 170 linear
feet (more than 50 meters) of shelf space.   And that's just my
books; the &lt;i&gt;family&lt;/i&gt; is considerably larger.
I want an ebook reader that
not only lets me buy new books, but gives me access to my old ones.
&lt;P&gt;
I certainly don't want to repurchase all of my old books.  In an intellectual
property sense, I shouldn't have to; after all, I've already paid the "license"
fee for the copyrighted content.
Right now, I just want to upgrade the medium.
Besides, some of the books are quite old, from a time
when they were much cheaper than they would be
if purchased today: the book in my backpack right now
for reading on the train to and from Manhattan cost me $1.50 when it was new,
more than 40 years ago.
Still, I don't see an economic model; there's not that large or lucrative
a resale market for them, and almost certainly not enough to pay for new,
digital editions, even assuming that they're now in print electronically.
Still, that's what I &lt;i&gt;really&lt;/i&gt; want.
&lt;P&gt;
I strongly suspect I'm not the only one in this position.  People who read
lots of books are the natural market for high-priced ebook readers.
The first vendor to solve the library problem will probably win a lot of
sales, all of the other issues notwithstanding.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2010-01/2010-01-13.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2010-01/2010-01-13.html</guid>
</item>
<item>
<pubDate>
Sat, 19 Dec 2009 02:07:26 GMT
</pubDate>
<title>Intercepting U.S. Surveillance Videos</title>
<description>
The other day, the Wall Street Journal broke the story that
Iraqi insurgents were
&lt;a href="http://online.wsj.com/article/SB126102247889095011.html"&gt;intercepting
video downloads&lt;/a&gt;
from U.S. Predator drones.  Wired's
Danger Room Blog reports that it's not just drones' transmissions that
are at risk, it's
&lt;a href="http://www.wired.com/dangerroom/2009/12/not-just-drones-militants-can-snoop-on-most-us-warplanes/"&gt;most
U.S. warplanes&lt;/a&gt;.
CBS News says that the Pentagon has
&lt;a href="http://www.cbsnews.com/blogs/2009/12/17/taking_liberties/entry5988978.shtml"&gt;known
about the problem&lt;/a&gt;
for at least 10 years.
This is a shocking breach of security.  What happened?
From the outside, I suspect it was a combination of three factors: the difficulty of
doing video encryption when the platform was designed; key management; and
cost.
&lt;P&gt;
The Predator has been around for about 15 years.  Video rate encryptors
weren't very common in 1995; it's quite possible that adding one would
have added significantly to the cost and weight of the aircraft; that
in turn would translate to significantly increased cost.  Was it worth it?
&lt;P&gt;
In 1995, the U.S. did not perceive itself as facing major enemies.
The U.S.S.R. was no more; Russia was still perceived as friendly, though
that relationship was strained by the Balkan campaign.  Besides,
its military was in disarray.  China wasn't seen to be rising as fast as
it is now.  Who was left as a military foe?  Just a bunch of 3rd world
countries and rag-tag insurgents, right?  Surely they couldn't intercept
U.S. military communications...
&lt;P&gt;
That may or may not have been true back then.  But lots of ground stations
were built to that spec, creating a huge installed base of inherently
insecure gear.  And times changed.
&lt;P&gt;
As we all know, sophisticated electronics are a lot more common now,
as is the expertise to develop them.  Even if the Iranians --
the party blamed for developing the interception technology --
couldn't do it in 1995, perhaps they can today.  Certainly, there's
plenty of evidence of
&lt;a href="http://www.aviationweek.com/aw/generic/story_generic.jsp?channel=dti&amp;id=news/DTIINSURTECH.xml&amp;headline=High-Tech%20Weapons%20Are%20Standard%20Issue%20for%20Insurgents"&gt;advanced
Iranian electronic warfare capability&lt;/a&gt;,
as well as their willingness to export it to their friends.
The ability to intercept, then, is now commonplace; the ability to
upgrade quickly is gone.
&lt;P&gt;
Another possible problem is key management.  Suppose the signals were
encrypted.  How do you distribute the decryption keys?  The video
downlink is &lt;i&gt;broadcast&lt;/i&gt;; it's not just a matter of two peers
exchanging keys.  There are a number of ways to do the key management,
but the simple ones are vulnerable to a single ground station
being compromised and the complex ones are, well, complex.  Depending
on how it's done, there may also be an operational problem: do the
soldiers in the field have the training to load the received keys into
the units, while properly protecting them from capture?  If that
task is hard enough (and I of course have no knowledge of how NSA
would design the gear, or even if it would be external), the tradeoff
might be very simple: how many lives would be lost because of key management
flaws versus lives lost because of intercepted traffic?  Of course,
the answer to that question depends critically on the ease of interception,
and that has changed over the years.
&lt;P&gt;
There seems to be some disagreement about whether the drones' signals
are being picked up directly or via a satellite link.
&lt;a href="http://www.wired.com/dangerroom/2009/12/not-just-drones-militants-can-snoop-on-most-us-warplanes/"&gt;Danger
Room&lt;/a&gt; speaks of line-of-sight transmission;
&lt;a href="http://www.cbsnews.com/blogs/2009/12/17/taking_liberties/entry5988978.shtml"&gt;CBS&lt;/a&gt;
says that the Predators can switch to satellite uplinks and that it was
satellite downlinks that were intercepted because the military is
buying time on commercial satellites.  
&lt;P&gt;
I'm not impressed by the argument that there's no problem if
low power, line-of-sight signals are used.  If the Predators are
flying at 1500 meters, line of sight -- in flat terrain -- covers a
radius of just under 140 km.  And a good antenna can compensate for
low transmission power.
&lt;P&gt;
In any event, there's a problem now.  Saying, as the Air Force has, that
"As we identify shortfalls, we correct them as part of a continuous
process of seeking to improve capabilities and security" isn't
helpful.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2009-12/2009-12-18.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2009-12/2009-12-18.html</guid>
</item>
<item>
<pubDate>
Sat, 12 Dec 2009 00:02:17 GMT
</pubDate>
<title>The Real Face of Cyberwar?</title>
<description>
Anyone who reads the papers sees stories -- or hype -- about
cyberwarfare.  Can it happen?  Has it already happened, in
&lt;a href="http://arstechnica.com/security/news/2007/05/massive-ddos-attacks-target-estonia-russia-accused.ars"&gt;Estonia&lt;/a&gt;
or
&lt;a href="http://blogs.zdnet.com/security/?p=1533"&gt;Georgia&lt;/a&gt;?
There has even been a Rand Corporation
&lt;a href="http://www.rand.org/pubs/monographs/MG877/"&gt;study
on cyberwarfare and cyberdeterrence&lt;/a&gt;.
I wonder, though, if real cyberwarfare might be more subtle -- perhaps
a "cyber cold war"?
&lt;P&gt;
A case in point is the recent release of hacked -- stolen --
&lt;a href="http://www.nytimes.com/2009/11/21/science/earth/21climate.html"&gt;emails
on climate change&lt;/a&gt;
from the
University of East Anglia.
A British publication, &lt;i&gt;The Independent&lt;/i&gt;, has
&lt;a href="http://www.independent.co.uk/news/world/europe/was-russian-secret-service-behind-leak-of-climatechange-emails-1835502.html"&gt;published
a story&lt;/a&gt;
saying that Russian secret services may have been behind the hack,
for diplomatic reasons.
&lt;blockquote&gt;
	This time, if it was indeed the FSB behind the leak, it could be
	part of a ploy to delay negotiations or win further concessions
	for Moscow. Russia, along with the United States, was accused of
	delaying Kyoto, and the signals coming from Moscow recently have
	continued to dismay environmental activists.
&lt;/blockquote&gt;
&lt;P&gt;
We commonly associate warfare with armies that use so-called "kinetic weapons"
against each other and against the opposing country.  That need not be
the only form warfare can take.
&lt;a href="http://en.wikipedia.org/wiki/Zhou_Enlai"&gt;Zhou Enlai&lt;/a&gt;,
for example,
once remarked that "diplomacy is a continuation of war by other
means."   In the science fiction realm,
&lt;a href="http://www.nndb.com/people/744/000023675/"&gt;Poul Anderson&lt;/a&gt;
wrote a story "State of Assassination" (also known as "A Man to My
Wounding") about war being replaced by a state of assassination.
Instead of brute force attacks with atomic weapons, countries
have switched to killing each other's leaders.  But one side
has gone a step further, and started targeting others.
&lt;P&gt;
As the Rand report has pointed out, "certainty in predicting the effects
of cyberattacks is undermined by the same complexity that makes
cyberattacks possible in the first place" (p.&amp;nbsp;xiv).  The report
goes on to stress how unclear the effects of a massive cyberattack would
be.  Perhaps this sort of
narrowly-targeted operation, in support of "diplomacy",
is the real future of warfare.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2009-12/2009-12-11.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2009-12/2009-12-11.html</guid>
</item>
<item>
<pubDate>
Fri, 20 Nov 2009 04:34:19 GMT
</pubDate>
<title>Congress and Peer-to-Peer Filesharing</title>
<description>
Some members of Congress have gotten
&lt;a href="http://voices.washingtonpost.com/securityfix/2009/11/bill_would_ban_p2p_on_federal.html"&gt;extremely
upset&lt;/a&gt;
about peer-to-peer filesharing.
Even the New York Times has
&lt;a href="http://www.nytimes.com/2009/11/08/opinion/08sun4.html"&gt;editorialized&lt;/a&gt;
about the issue.  The problem of files leaking out is a real one, but
the bills are misguided.
&lt;P&gt;
Fundamentally, the real issue is that files are being shared without
the user &lt;i&gt;intending&lt;/i&gt; that result.  This is not a weakness unique
to peer-to-peer software; more or less any mechanism for publishing
files can do that.  The real problem is that the targeted software --
whatever it is; the news stories full of outrage haven't identified
which package or packages are implicated -- is &lt;i&gt;bad&lt;/i&gt; software, either
because they share files the user hadn't intended or because they make it
too hard for the user to understand what will happen.  Given the sub rosa
nature of much peer-to-peer software, perhaps this is not surprising; 
developing good software is remarkably difficult.  Perhaps Congress
should instead decriminalize sharing of music and video...
&lt;P&gt;
I digress.  The real issue I'm addressing is bad legislation.  Quite apart
from my general concerns, the bills are just poorly drafted.
&lt;P&gt;
The first bill,
&lt;a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d111:H.R.1319:"&gt;H.R. 1319&lt;/a&gt;,
is in many ways more reasonable: it mandates notice to the user of
what is happening, and bars software that is difficult to remove.  However,
it stumbles badly when trying to define peer-to-peer software:
&lt;blockquote&gt;
            the term `peer-to-peer file sharing program' means computer software that allows the computer on which such software is installed--
&lt;P&gt;
                  (A) to designate files available for transmission to another computer;
&lt;P&gt;
                  (B) to transmit files directly to another computer; and
&lt;P&gt;
                  (C) to request the transmission of files from another computer.
&lt;/blockquote&gt;
As best I can tell, any web browser is covered by that definition.
&lt;P&gt;
The newer bill,
&lt;a href="http://hdl.loc.gov/loc.uscongress/legislation.111hr4098"&gt;H.R. 4098&lt;/a&gt;,
does a much better job on a workable definition, though it's fun to try to
twist it into knots, too.  I particularly like the way software
"designed primarily to operate as a server that is accessible over the
Internet using the Internet Domain Name system" is not covered; who would
have thought that the DNS had such mystical shielding properties?
&lt;P&gt;
The problem with H.R. 4098 is that it bans the wrong thing.  Yes,
&lt;a href="http://visibleearth.nasa.gov/faq.php"&gt;NASA's use of
BitTorrent&lt;/a&gt;
would be permitted because it is "instrumental in completing a particular
task or project that directly supports the agency's overall mission", but
NASA employees probably
wouldn't be allowed to download such files on their home
computers because the bill seeks to block "the download, installation, or
use by Government employees and contractors of such software on home or
personal computers as it relates to telework and remotely accessing
Federal computers, computer systems, and networks".  In other words, you
can either view such files or you can save the government money
by using your own computer to work from home.
&lt;P&gt;
I should add a personal disclaimer: I, like most professors in the
sciences and engineering, receive substantial government grants and
contracts; that technically makes me a government contractor, as best
I can tell.  Am I covered?  My students who receive stipends from such
grants?
&lt;P&gt;
For those who are wondering if this bill is really just another ploy
by a paid shill for
the content industry, campaign finance records do not seem to support
the notion.  According to
&lt;a href="http://www.opensecrets.org"&gt;OpenSecrets.org&lt;/a&gt;, while Rep. Towns
(the introducer)
&lt;a
href="http://www.opensecrets.org/politicians/pacs.php?cycle=2008&amp;cid=N00001082&amp;sector=B&amp;seclong=Communications%2FElectronics&amp;cat=B02&amp;induslong=TV%2FMovies%2FMusic&amp;newMem=N"&gt;did
indeed receive considerable campaign funding from PACs associated
with content owners&lt;/a&gt;, he has also
&lt;a href="http://www.opensecrets.org/politicians/contrib.php?cycle=2008&amp;cid=N00001082&amp;type=I"&gt;received
a lot of money&lt;/a&gt; from PACs associated with companies like Verizon that
have not been particularly sympathetic to the content industry's demands.
I do not think that that claim is supported by the data.
&lt;P&gt;
Overall, what we have here is too much firepower being aimed in the wrong
direction.  If the incidents are taking place from home computers, the
solution is to provide government employees with the government-owned
equipment -- and government-provided software, support, and system
administration -- to let them do their jobs properly.  Using poorly
managed or maintained machines carries many more security risks than just
peer-to-peer software; I could make a very good case that such software is
the least of the security problems.
If the incidents have taken place on office computers, the issue is really
a management problem: employees are making more than the normal and
acceptable de minimis personal use of their employer's equipment.
There is also likely a problem with the quality of systems administration
in such organizations.  Again, those issues pose many more risks.
These are real problems; focusing on peer-to-peer software won't address
them.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2009-11/2009-11-19.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2009-11/2009-11-19.html</guid>
</item>
</channel>
</rss>
