6/29/2006

Big Brother - Part II

So, you came back for more?

Today, I'll start with the good news. There's privacy on the Internet. It's called encryption.
Encryption does exactly that: it converts each packet with an algorithm before sending it and decodes it as it arrives. Plain and simple, in general; the algorithms are not. As you can imagine, the algorithms are complex and require passwords, passphrases, certificates. Basically, these are all passwords with different formats and sizes.
The way to use it is for the two parties to agree that encryption will be used, and which algorithm and certificates will be used. From that point, all packets will be encrypted and unreadable throughout their transit.
Encryption can be applied at many levels: files, packets, sessions or a whole network. You can type a text message in a code previously agreed with your friend and that message will be unreadable for everyone else. Or you can open a session with a secure protocol like HTTPS and keep all packets in that session away from prying eyes. Or you can set up a VPN (Virtual Private Network) and keep all the sessions in that network hidden.
The most common case for Internet users is HTTPS, an encryption wrapper for the HTTP protocol. Servers using HTTPS keep their traffic with their clients private. You can see it in action in Gmail's login page: when you go to its page, it redirects automatically to the secure HTTPS server.
But does this mean that the sessions with HTTPS are 100% secure? Not even close, but I think they're good enough.
The main problem is the certificate itself. There are many ways to implement a secure channel between computers using certificates. In the case I mentioned, you end up in a secure session with a server, but where did the certificate come from? You didn't have any at that time. Well, the certificate was sent to you at the beginning of the session. And, most likely, it was replaced by a new one that is also sent to you, but through the session secured by the first certificate. Either way, the key to open all the packets for that session was exposed through all the transit time. It doesn't seem to make much sense. But, as I said before, it is good enough. The only way to get information from that session is to capture absolutely all of the session, all of it, because in fact it is a sequence of several different sessions with different addresses. This is not something anyone can do, not something easy to do, so it has to be worth it. Certainly not to access your free email account. At least I hope not, because if someone is after you at this level I want you to walk away from this blog. I don't want them (whoever they are) to get to me through you.
To overcome this problem, people that really really want to have a secure session exchange certificates in private. In that case, you have your certificate beforehand and capturing all the traffic for your session is useless.
This is what's done to set up a private network: the certificates are generated by a certification authority (public or private) and, hopefully, exchanged using means other than a public network.
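One way to act on a certificate exchanged in private, as an added example that is not part of the original post: the client holds the certificate's SHA-256 fingerprint beforehand and refuses any session whose certificate differs. The function names and the sample byte strings (stand-ins for real DER certificates) are assumptions constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex, as read off paper or a phone call."""
    cleaned = pin.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin must be a 32-byte SHA-256 value in hex")
    return cleaned


def matches_pin(der_cert: bytes, pin: str) -> bool:
    """True only if the presented certificate is the one exchanged in private."""
    return hmac.compare_digest(fingerprint(der_cert), normalize_pin(pin))


def connect_pinned(host: str, port: int, pin: str) -> ssl.SSLSocket:
    """Open a TLS session and refuse it unless the server certificate matches the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # trust comes from the pin, not from a public CA
    ctx.verify_mode = ssl.CERT_NONE  # the pin check below replaces chain validation
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not matches_pin(tls.getpeercert(binary_form=True), pin):
        tls.close()
        raise ssl.SSLError("certificate does not match the privately exchanged pin")
    return tls


# Constructed sample data: arbitrary bytes standing in for DER certificates.
EXPECTED_CERT = b"constructed-der-bytes: certificate handed over in person"
SUBSTITUTED_CERT = b"constructed-der-bytes: certificate swapped in during transit"
# The pin as it might be written down: uppercase hex pairs separated by colons.
PIN = ":".join(f"{b:02X}" for b in hashlib.sha256(EXPECTED_CERT).digest())

if __name__ == "__main__":
    print("expected certificate accepted:", matches_pin(EXPECTED_CERT, PIN))
    print("substituted certificate accepted:", matches_pin(SUBSTITUTED_CERT, PIN))
```

`connect_pinned` needs a reachable server and is not called here; the offline checks exercise only the comparison logic.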

And now that you're happy with your privacy, let's go back to the bad news.
The transit of the packets is not the only weak point for your privacy. Let's talk about e-mail. Not all mail servers have secure sessions, and I'm not talking about the free ones; most of the private mail servers don't. But let's say that you use one that has it. Some use it only for the login; after that you're dealing with a plain open session, meaning that the content of your messages can be seen. And even if the whole session is secure, where are your messages stored?
Think about it, it's not your server, it belongs to someone else. Your messages are stored in there available for anyone with access to that server.
But again, who cares about your free mail account? You.
The average Internet user cares about his mail account, trusts it and expects it to be private and secure. And they are, in a broad sense. They work fine and nobody is going through them, really; at least I'm not worried about it. And I'm not worried because that's not the point: I'm aware that the Internet is like a public place and that it has to be used with that image in mind. So, my question is: what are you storing in your account? What are you sending and receiving?
In a way, the Internet distorted the sense of reality for most people. It's hard to believe the things people write in e-mail, the kind of things they send in pictures, video. And the stuff they save in mailboxes.
And that's exactly the point: e-mail boxes are not secure places. They're controlled by people you know nothing about, people that owe you nothing, people that have no responsibility over the content of your mailbox. Of course they all say that they're responsible, that your mail is safe, that nobody is looking at your stuff, and I'm sure they mean it. I trust them and I've never seen evidence that they lie. But you have no way to know, no binding contract, no technical means to verify the integrity of the content in your mailbox. With real-life mail, you put your letter inside an envelope and seal it. This way, the letter can't be seen by third parties, and if they open the envelope you can tell. With email, the letter is in plain view for anyone to see. Even if you use encryption, the digital envelope, it can be opened without you knowing it. And this is one of the main problems of assimilating the real world and the virtual one. In the real world, things have a physical nature that makes them unique. Even if they're made in series, each piece is unique. In the virtual world, there are no physical things. The packets you send are replicated over and over until they reach their destination, and all of them are exactly the same as the first one (not exactly, but the difference goes beyond the reach of this article). At each relay, the packet is destroyed and recreated. The same way, they could have been replicated, stored, recreated and sent without leaving a hint of a trace.
With all this in mind, what would you use your e-mail account for?
E-mail is great; it's useful, fast and easy. But it's not something where you can put all your hopes and dreams. Not something where all your assets can be managed. Not the key to your bank account.
Going back to the phishing thing, you can see how easy it is to get access to your online bank service, your PayPal or eBay account, etc., all things with value, monetary value. And it doesn't stop here. I'm sure that 90% of those that fell for a phishing scam are using the same password for everything. Now the phisher has the mail address or the user name for that service; if it's just the user name, he can get the mail address from the settings of the account. He has the password for the service, and chances are the same password works for the mail address. Once inside the mailbox, chances are some other valuable services are linked to the same account and the traces of those services are in there: newsletters, subscription confirmations, etc. He just has to try them one by one with the same password, check the messages for the passwords, because many of them will send the passwords in plain text over e-mail, or go to the login page and request the password to be sent to the mailbox. Scary, isn't it? Just one little hole in the wall and your whole world is invaded.
The problem is not that we're helpless in the virtual world of the Internet; the problem is that we've lost the perspective of the true meaning of the Internet. I said in a previous article that the main thing that keeps the Internet together is a set of technical rules, and there's nothing in that set trying to make the Internet secure for your privacy or your assets. This is not a flaw in the Internet, it's a flaw in our perception of the Internet. Because it wasn't created for all this, nobody at that time was thinking about it, nobody was able to imagine the incredible growth of the last 20 years, nobody was able to predict that.
The Internet is a great thing. It was meant as a way to connect several computer networks online in order to exchange information fast and easily, to allow access to papers and other files to people in remote locations, to let people communicate by means of e-mail, to connect computers that share information to do a job together, and many other things. It fulfilled all its goals, gave us a lot more than that and keeps delivering.
The Internet is not the problem, we are.
