Information Security Buzz

Who Is In Control Of TLS?

Expert(s): Phillip Hallam-Baker, VP and Principal Scientist, Comodo April 3, 2017

IT security is not very hard at all, provided you only consider one security issue to the exclusion of all other concerns. What makes security so difficult is the need to address more than one security issue at once, and to balance security concerns with the need to get the job done.

For two decades, the nuclear launch code for Minuteman nuclear missiles was 00000000. Concerned by the threat of an accidental or unauthorized launch, President Kennedy had signed an order requiring every missile to be fitted with a Permissive Action Link requiring the code be provided before launch. Strategic Air Command dragged its feet on implementation, and after being forced to fit the devices by Defense Secretary Robert McNamara, set the launch code to all zeros the minute he left office. SAC understood McNamara’s concern about an unauthorized launch, but their first, last and only priority was to make sure that the missiles were launched if the order was given.

Transport Layer Security (TLS), the cryptographic infrastructure that secures web commerce, is caught in a similar tug of war. TLS was originally developed by Netscape Communications Corporation to ‘make online commerce as safe as using a credit card in a bricks and mortar store.’ The name was changed from SSL to TLS when the specification was passed to the IETF, where SSL 3.0 was adopted as TLS 1.0.

The confidentiality provided by TLS encryption is, of course, a very good and useful feature, but confidentiality isn’t the main security benefit TLS is designed to deliver. Imagine for a moment that instead of buying your food in the supermarket as you would usually do, you could drive off to a shed in the middle of the wilderness where you pay the masked shopkeeper in cash, and he places your groceries in the trunk of your car without anyone seeing. You have perfect secrecy: nobody knows what you have bought or from whom. But this isn’t a secure transaction, because you don’t know who you bought from either.

Making communications secure is not the same as making transactions secure. Entering a bricks and mortar store in person tells you a lot about the business. If the store is large, the owners will need a large sales volume to make it profitable. If the fixtures and fittings are new, the owners had capital available when they refurbished. Each of these observations provides you with evidence of the value the shopkeeper places on their reputation. A shopkeeper who has invested in establishing a reputation is most likely to want to keep it by being honest and accepting return of defective or even unwanted goods. A shopkeeper that doesn’t seem to care about their reputation is more likely to sell defective or counterfeit goods.

While confidentiality is useful, the design goal of TLS was to make online transactions at least as safe for the customer as traditional bricks and mortar purchases by establishing accountability. This was the primary function of what is now known as the ‘WebPKI,’ the system of digital certificates that allow online merchants to establish their identity and thus be held accountable to their reputation.

If use of the web had been limited to online shopping, the difference between the actual and the perceived design goals of TLS would be interesting but inconsequential. The system as designed works well for its intended purpose. But use of the web is not limited to online shopping, and use of TLS is not limited to the web. Twenty-five years after the release of PGP, the only cryptographic applications that are widely and ubiquitously used on the internet are TLS and its close relative, SSH.

When all you have is a hammer, everything looks like a nail. TLS is actually a screwdriver, but it serves well enough as a hammer that everything still looks like a nail.

Why is this a problem? Well, consider what happened when internet criminals started to use online ads as a means of distributing malware. You have probably seen the ads telling you that your computer is running slow because of some problem. If you click on the link and download the ‘free cure’ you are almost certain to find your machine running slower afterwards because you just infected it with something nasty.

Today, there is absolutely no dispute in the ‘anti-virus’ world that malware-advertising is just another distribution vector. But that wasn’t the case when the problem first appeared. Users were told that malware they agreed to install wasn’t a virus and thus not a problem that anti-virus scanners could or even should address. It was agreed that this was a problem, but it wasn’t a problem the AV vendors knew how to address, and that meant it wasn’t a problem they were willing to accept as their problem.

Information security is easy if you only recognize one problem to the exclusion of all others. And one consequence of the current push for ‘encryption everywhere’ is that computer users are increasingly secure in the knowledge that their web traffic is increasingly opaque to their ISP and even other applications running on the same machine.

Including the programs that AV providers use to detect and block malware-advertising attacks.

Confidentiality is an important security concern, and mass surveillance represents a serious threat to democracy and civil society. But if we pursue those goals to the exclusion of all others, then pretty soon users are going to find that they have lost all the pictures they took of their children when they were five, unless they pay $1,000 in Bitcoin to a Russian hacker mob.

Ransomware is unique in being the only internet crime that isn’t easily avoided, and nobody is required to make the user whole. The only effective protection against malware advertising is to block the advertising networks that accept adverts from the criminal gangs.

About Phillip Hallam-Baker
Phillip Hallam-Baker is a computer scientist renowned for his contributions to Internet security since the design of HTTP at CERN in 1992. He is currently VP and Principal Scientist at Comodo.