Security on the Internet

How do you secure something that
is changing faster than you can fix it? The Internet has had security
problems since its earliest days as a pure research project. Today,
after several years and orders of magnitude of growth, it still has security
problems. It is being used for a purpose for which it was never intended:
commerce. It is somewhat ironic that the early Internet was designed
as a prototype for a high-availability command and control network that
could resist outages resulting from enemy actions, yet it cannot resist
college undergraduates. The problem is that the attackers are on,
and make up a part of, the network they are attacking. Designing a
system that is capable of resisting attack from within, while still growing
and evolving at a breakneck pace, is probably impossible. Deep infrastructure
changes are needed, and once you have achieved a certain amount of size,
the sheer inertia of the installed base may make it impossible to apply
fixes.

The challenges for the security industry
are growing. With electronic commerce spreading over the Internet,
there are issues such as nonrepudiation to be solved. Financial institutions
will have both technical concerns, such as the security of a credit card
number or banking information, and legal concerns for holding individuals
responsible for their actions such as their purchases or sales over the
Internet. Issuance and management of encryption keys for millions
of users will pose a new type of challenge.

While some technologies have been
developed, only an industry-wide effort and cooperation can minimize risks
and ensure privacy for users, data confidentiality for the financial institutions,
and nonrepudiation for electronic commerce.

With the continuing growth in linking
individuals and businesses over the Internet, some social issues are starting
to surface. Society may take time to adapt to the new concept
of transacting business over the Internet. Consumers may take time
to trust the network and accept it as a substitute for transacting business
in person. Another class of concerns relates to restricting access
over the Internet. Preventing distribution of pornography and other
objectionable material over the Internet has already been in the news.

We can expect new social hurdles over time and hope the great benefits
of the Internet will continue to override these hurdles through new technologies
and legislation.

The World Wide Web is the single
largest, most ubiquitous source of information in the world, and it sprang
up spontaneously. People use interactive Web pages to obtain stock
quotes, receive tax information from the Internal Revenue Service, make
appointments with a hairdresser, consult a pregnancy planner to determine
ovulation dates, conduct election polls, register for a conference, search
for old friends, and the list goes on. It is only natural that the
Web’s functionality, popularity, and ubiquity have made it the seemingly
ideal platform for conducting electronic commerce. People can now
go online to buy CDs, clothing, concert tickets, and stocks. Several
companies, such as Digicash, Cybercash, and First Virtual, have sprung up
to provide mechanisms for conducting business on the Web. The savings
in cost and the convenience of shopping via the Web are incalculable.

Whereas most successful computer systems result from careful, methodical
planning, followed by hard work, the Web took on a life of its own from
the very beginning. The introduction of a common protocol and a friendly
graphical user interface was all that was needed to ignite the Internet
explosion. The Web’s virtues are extolled without end, but its rapid
growth and universal adoption have not been without cost. In particular,
security was added as an afterthought.

New capabilities were added ad hoc
to satisfy the growing demand for features without carefully considering
the impact on security. As general-purpose scripts were introduced
on both the client and the server sides, the dangers of accidental and
malicious abuse grew. It did not take long for the Web to move from
the scientific community to the commercial world. At this point,
the security threats became much more serious. The incentive for
malicious attackers to exploit vulnerabilities in the underlying technologies
is at an all-time high. This is indeed frightening when we consider
what attackers of computer systems have accomplished when their only incentive
was fun and boosting their egos. When business and profit are at
stake, we cannot assume anything less than the most dedicated and resourceful
attackers trying their utmost to steal, cheat, and perform malice against
users of the Web.

When people use their computers to
surf the Web, they have many expectations. They expect to find all
sorts of interesting information, they expect to have opportunities to
shop and they expect to