Security threats abound throughout the Internet. How does this affect how we use wireless communications, and what can be done to improve things. Do we trust our network operators to keep our communications safe and secure, or have we become desensitised to share our most intimate secrets with any organisation that wants them?
Privacy vs Security
It is said that the most common lie on the Internet is “I have read the terms and conditions”, ticking the box prior to using some new feature or service. We may unwittingly sign up to draconian agreements, such as permitting any photo we upload to be sold and used elsewhere, sharing our contact details, locations, and other personal details. We may not realise how much of this data may be sold or shared through third party data brokers. The reward we get is free services, such as email, social networking and Wi-Fi internet access. No level of data encryption or security limits this – it’s all driven by the commercial business model that we want everything for free. It’s estimated that Facebook would cost around $8/year on a subscription basis, removing the need for any adverts or data brokering, but I doubt that would have allowed them to grow to 1.5 Billion users.
Telcos, both fixed and mobile, tend to have a good reputation for data privacy and generally don’t share our details unless legally required to do so. Public Wi-Fi providers may fall into either camp, with some venues insisting that their “Free Wi-Fi service” is only available in return for your contact details while others provide free unrestricted access without registration.
Assuming that you are happy with the privacy and protection of your data for the websites you use, the next step is to ensure that it can’t be intercepted or corrupted when accessed wirelessly.
Securing the data connection
IPsec is a well known method of sending data secretly between internet devices. The protocol provides methods to verify (authenticate) that the connection is with the correct trusted party, and encrypts data sent to prevent it being intercepted. It’s used most visibly on your web browser, showing a green padlock when HTTPS is successfully connected. A larger green bar is shown for sites which have been more extensively validated. Less visibly, it’s also used for connections to email servers, between small cells and the core network, for Wi-Fi Calling and other transfers.
HTTPS is now used by default on many of the most popular websites, including Facebook, Google, Netflix and Youtube. It’s taking up a rapidly growing share of overall internet traffic and will exceed 50% on wireline broadband by end 2015. That will largely be driven by Netflix, which currently takes up 37% of all North American internet bandwidth at peak hours. I’d expect a lower proportion for cellular networks and smartphones, dominated by YouTube, Facebook and Email.
The early versions of IPsec used SSL (Secure Shell Layer) which has had a number of high profile flaws exposed and is no longer recommended. SSL Version 3 was superceded by TLS 1.0 (Transport Layer Security) and most recently TLS 1.2. All modern browsers support TLS1.2 although the majority of websites are still using TLS1.0. There have also been advances in the size and type of encryption keys used. It is thought that some Nation States can break 1024 bit encryption in real time but not yet 2048.
Secure websites have to buy X.509 certificates from one of the 1200 or so trusted Certificate Authorities. Most simply involve an email check that the owner does indeed control the domain and cost between $10 and $50. More thorough checks are used for EV certificates (Extended Validation) which cost $300 or more, and light up the green bar on browsers.
There is some concern that fraudulent certificates may be circulating (e.g. you connect to a spoof bank website which shows up as a secure, padlocked site), such as this example from the Netherlands in 2011. Various technical solutions have been proposed, and in the latest Google has initiated a Certificate Transparency scheme to track all issued certificates and detect fraudulent ones. This has been initially adopted by larger websites such as financial institutions. Whether this approach succeeds is more down to political concerns than technical ones.
SSL Certificates are about to become a lot cheaper and easier to implement
The EFF (Electronic Frontier Foundation) is a non-profit keen to encourage wider take-up of encryption. They are trialling and will publicly launch a free service (LetsEncrypt.org) to automate and issue SSL certificates in September. A software agent running on the target webserver will handle all the negotiations, verification and certificate installation automatically. It’s not unreasonable to expect that in the medium term this could be embedded into the opensource Apache and Nginx web server software that drives the vast majority of websites.
While that might not bode so well for the lucrative business of issuing SSL certificates, it could dramatically increase the take-up of encryption throughout the web.
Using a VPN
One way to increase security is to use a Virtual Private Network, which uses IPsec to encrypt all data (email, web browsing etc) between your computer/smartphone and the network. Large enterprises often have such features installed by default on employee laptops and smartphones, tunnelling traffic back to their corporate network and which then appear as though connected locally in their home office.
Commercial VPN services are also available to smaller businesses and individuals. This LifeHacker article picks out five providers, including some with free basic services. They can also prove useful if you want to appear to be in another country (e.g. to bypass BBC iPlayer national restrictions).
Some of the Public Wi-Fi services also come with a secure VPN service.
IPv6 isn’t relevant yet…
You might think that the new version of IP (IPv6) might have some immediate implications but I can’t see that it will.
Take up of IPv6 is still very low, despite years of highlighting the shortage of IPv4 address space. Google tracks this for their own servers, currently 7% worldwide and is most advanced in the USA. In Europe, BT, the UK’s largest fixed internet provider, doesn’t support it for residential users. Many web hosting datacentres still don’t offer the capability yet.
W3 Techs report that only 6% of websites support IPv6 today, and I’d expect far lower percentage of traffic uses the protocol today overall.
The Domain Name System maps website names (e.g. thinksmallcell.com) to web server IP addresses, and these lookups can be intercepted. DNSSEC adds a security check to avoid that, but to date has had minimal takeup. Paypal.com is one of only 0.44% .com websites that has bothered to put this protection in place. Exceptions include Czech, which leads the world with over 60% penetration, with Sweden and Netherlands running over 40% each. This strongly worded argument makes the case against DNSSEC while others make the case for it.
…while HTTP Version 2 will rapidly become widely adopted
The HTTP 1.2 protocol used to deliver webpages isn’t terribly efficient. Google had a project to improve it called SPDY (pronounced Speedy) which formed the basis for HTTP Version 2. The latest versions of Chrome and Firefox browsers can already support HTTP/2 and the next versions of leading web servers will also do so before end 2015. Around 7% of websites already use either SPDY or HTTP/2 and I forecast rapid take-up by the large/popular sites and a slower migration by smaller ones. It could halve the time to display the average webpage by parallel transfers,
We can expect this to be a seamless and painless transition, which will ultimately result in faster web pages as the technology is deployed. Older websites will continue to be accessible with the current protocols. In both cases, it will rely on the TLS stack to secure the connection first. This is optional – quite a backdown from an earlier proposal that all connections using HTTP/2 would be encrypted – but all current implementations do require it. Both Chrome and Firefox have said they plan to mandate encryption with HTTP/2.
Traffic management is more difficult when you can’t see what type it is
Network operators don’t want or need to know the actual content of each data flow to manage their networks. But it helps enormously to know what type of service is being consumed. Video, voice and email have quite different characteristics which impact how each stream should be prioritised and traffic shaped. This isn’t about Internet Neutrality (which argues against discriminating access/quality of service to different websites), but instead more about making best use of the capacity available for all users.
Many networks identify and transcode traffic which is inefficient, such as rendering real time video more suitable for the small screen. This helps reduce the load on the network and avoid wastage. This task becomes much more difficult if the traffic is encrypted, and more complex where new protocols are added.
Nevertheless, encrypted traffic levels are likely to increase dramatically in the short term as more and more websites adopt HTTPS by default.
Another important consideration is the ability of telcos and others to inject adverts into the data stream on demand. This isn’t possible for encrypted browsing sessions and that may have been one reason HTTP/2 didn’t mandate encrypted connections.
Data privacy isn’t widely appreciated by the public, who are revealing and sharing enormous amounts of personal information. This is a commercial and regulatory issue, not a technical one.
Data security continues to evolve, with stronger protection and procedures available. Websites, browsers and internet connected devices need to adopt the latest protocols. Streamlined mechanisms are becoming available to make that easier and cheaper.
Users can protect themselves by using HTTPS where possible. Connections through cellular networks should generally be much more secure than ad-hoc Wi-Fi, where a VPN service would provide greater protection.
Business models which fund free Wi-Fi can determine different levels of data sharing and ad serving. End-to-end encryption will affect and possibly disrupt those business models; network operators need to ensure they don’t betray or abuse the trust of their customers, which justify their paid services.
Small Cells, which use IPsec to connect with their central servers, already have high levels of security built in. This is in addition to any end-to-end encryption used by web and email clients on your smartphone or tablet.
Reference Book: Future Crimes: A journey to the dark side of technology - and how to survive it Marc Goodman
Reference Book: Bulletproof SSL and TLS Ivan Ristic
ThinkSmallCell Article on Enterprise Small Cell Security by Design
Free website audits for: