On Episode 9 of The Edge of Innovation, we explore what it means to be secure on the internet using encryption.
Jacob: And I’m Jacob Young.
Paul: On the Edge of Innovation, we talk about the intersection between technology and business, what’s going on in technology and what’s possible for business.
Introduction to Security
Jacob: So, Paul, we’ve been talking about security and anonymity. How do you know things are secure? When I open up my browser, and I use the internet, how does the internet know that the websites that I’m using are secure?
Paul: Basically by asking somebody else. You know, how do I know that this person is a good guy or a good gal. I ask somebody, “What do you know about them?” And somebody vouches for them.
So, you go to a website by typing in a domain name. You know, google.com. Well, the internet doesn’t communicate on domain names. It works on addresses. They’re called IP addresses, or TCP IP addresses. And that’s sort of like your house address. So, if you look at, you live at 123 Main Street, New York, New York, and the zip code, that can help somebody find you. They can say, “Okay, I live in Chicago. I have to drive east. And then I have to get to New York, and I have to find this street, and it connects to that street and to that street and to that street.”
All of those direction points are handled by what are called routers on the internet. But that’s dealing with an address.
Paul: But I didn’t say that. You know, I said, you know, so, I want to get to google.com. If I were to be able to get a hold or in control of what the answer was when you asked me how do I get to google.com, I would have a lot of capabilities to do things.
That’s where DNS comes in, or the Domain Name System. So, the Domain Name System has specifically the responsibility of translating domain names into IP addresses.
So, when you type into your browser, www.google.com and hit enter or actually, most, in most new browsers, as you’re typing it, it’s starting to do it, a query goes out to a DNS server that say, “Can you give me the IP address of google.com. And it’s the one provided by your ISP.
In a magical world, nobody had ever gone to google.com. What happens? That DNS server would say, “I don’t know. But hold on. I have a, another server I can talk to that’s up the food chain.” And it asks that one.
It says, “I don’t know. Well, let me ask another one.” And it does this for a few hops, if you will. But eventually, it’s going to time out, and it’s going to say, “I, I don’t know. Why don’t you go and ask the root servers?”
Paul: And the root servers are monster pieces of hardware that take requests all the time and respond. And when you buy a domain name, you go to GoDaddy, and you buy your domain name, you know, yada123.com. And what GoDaddy does is establishes a pointer in the root server that says the authoritative answer for this domain, the address book for this domain, is located on this server over here in Indianapolis.
A Rogue DNS Server
Paul: At this IP address. So, now let’s go through this again. So, we go and we look at, we look up yada123.com. You go to your Comcast DNS server, and it says, “I don’t know what that is.” It might go a couple of other hops, but eventually, it’s going to say, “I don’t know. Ask the root servers.”
So, I go to the root server, and you say, “Yada123.com.” And it actually asks the Y root server, because it starts with a ‘Y’ and they’ve broken them up. And there’s also, there’s a lot of scalability in there. And it says, “Gee. I don’t know. But I do know that yada123 is held by the registrar GoDaddy.
So, it then asks GoDaddy, “Who has the start of authority? Who’s responsible for yada123?”
And it says, “Oh, it’s this guy in Indianapolis with this IP address.” So, all of that, so that that IP address can come back to your machine. And it can then requery and say, “Okay, Mr. Guy-in-Indianapolis, what’s the IP address for the web server for yada123.com?” And it hands that back. Okay?
So, great. Now, if I can compromise that DNS server… And by default, you use your ISPs. I could also set your DNS server to use a rogue one, and it would ask the question instead of to your ISP to that rogue server. So, I can poison that rogue server through manipulating it, to say, when somebody comes in and looks up yada123, don’t give them the address of the guy in Indianapolis, the, the real sort of authority, give it to this other one.
Paul: So now, instead of coming out with 22.214.171.124 as the IP address, it comes out with 126.96.36.199. And you go to that site, and it says, “Ha-ha. You’ve been tricked.”
Paul: Alright. That’s, that’s… I can do that. And you’re like, “Huh. I don’t understand. That’s weird. It’s not my yada123 site. It doesn’t have my stuff on there.”
A more clever thing to do is I build a clone of yada123.
Paul: And now you think you’re at yada123. You log in, and I then redirect you to the real yada123, but I’ve captured your password and username.
Jacob: Sure. Or even more insidiously, your credit card information.
Encryption as Security
Paul: Yeah. Exactly. So, that’s, that’s what happens. Now we introduce this idea of encryption. And encryption is simply scrambling up information so it’s hard to decode.
Paul: And there’s this thing called public and private key encryption, whereas if you have a public key, if you have my public key, you can send me information encrypted with that public key. In order to decrypt it, I need my private key. That’s how SSL or HTTPS works.
Jacob: I see.
Paul: It sets these up so that that encryption is happening on the fly, and it’s not impossible to decrypt that on the fly but it’s nearly impossible. It’s very difficult, and you have to be very committed to do it.
At the time where there was some proof of concepts, they were talking like 50 Xboxes working in parallel to be able to decrypt the key, you know. So, it’s not, as I like to say, it’s not trivial, you know.
So, what happens in an HTTPS? So, how do I get that certificate, that public certificate? Well, there’s a key exchange.
But the key exchange happens with a certificate authority. So, yada123, I sign on to yada123. It sends me some information that I then take; it sends me a key that I take and validate. Okay, because it says, “You can validate this by going to this certificate authority and saying that yes, it’s proven that they are there.” And when I ask that certificate authority, they are a trustworthy organization, and they have issued that key. And they say, “Yep. That’s a valid public key.”
Paul: So, now, that information can be encrypted with that public key. Now, what if I were to be able to compromise that certificate authority? Okay, it’s called a CA for, for short. I could then say, “Okay. You’re giving me this certificate. You’re sending it to me for authentication, and I’m going to authenticate it. Yep. It’s real.” But it’s not. So, the problem becomes if I can get in there and put a certificate authority in there that answered on your machine, hack your machine, and say that, “Oh, this is going to be the certificate authority for all .coms.”
So now when you type in google.com, and all of this stuff happens, I’ve maybe poisoned your DNS, or I didn’t even poison your DNS. I just say… Or you’ve got to go to this place for Google. So, now the key comes back. I can substitute my own key in there, because your browser is then going to go and check that key with the certificate authority that I’ve installed into your system. It asks, and it says, “Oh, that’s fine.”
So, now you’re encrypting it with the intruder’s public key, and they are getting that, decrypting it, and then re-encrypting it to go back to Google, after parsing the data.
Security Enforcement and Certificates
And there is a story that I read over the past month about a European country that has forced installation of certificate authorities on all of the machines that are running in their country. So, what that allows them to do is effectively subvert SSL whenever they want to, because they also have the wherewithal to have all the egress points to the country’s internet. So, they could actually filter data and decrypt it. And it is, it is a bad thing to do that. Now, you could also maybe write malware that would put certificate authorities on a machine and things like that.
But basically, so it’s, you know, who do you trust? And the certificate authority is a hierarchy of ways to trust that. And it does have a soft underbelly, you know, not in really it, but in the fact that I can present myself as a certificate authority.
Inside corporations, they create their own certificate authorities, because they don’t want to be dealing with a public certificate authority, pay them $100 or $1000 for each certificate. There are now free certificate authorities, but internally, you want to be able to control all that. You don’t want people to do that.
So, I can set up a certificate authority relatively easily, if I then make the next step of making that available on the internet and getting into your machine and saying, “Trust this certificate authority that Paul set up.” I can basically do anything I want with… And you would never know, because it would be completely encrypted.
There are tools now that are monitoring browsers and settings in them to say, “These certificate authorities aren’t good ones, or aren’t normally trusted.” And so, there’s a whole bunch of politics around that, and you need to be running some of those tools to do that.
A Matter of Law and Encryption
Jacob: So, talk me through the, the European case. Are there more dynamics there that are in play? Or are there ways in which we need to be alert for that for the sake of our business integrity?
Paul: I mean, they have said as a matter of law that you have to install the certificate authority on your PC if you live in that country. So, our government could do that. It doesn’t seem to be the way our government works. That’s sort of governmental overreach in an American’s opinion, uh, you know, but some, I’m sure they justify it in their own way. And it’s their government.
Jacob: I guess that means for any entrepreneur or any business, they have to be working with corporations or entities that are designing their website and doing their online interface, that are highly above board.
Paul: Well, up until recently, SSL was sort of an option, or HTTPS. SSL stands for Secure Sockets Layer, or HTTPS is HTTP, hypertext transport protocol secure. And what that does is it uses these keys. Over the years it’s been relatively complex to implement an SSL certificate, and it’s gotten a lot easier. Just recently, something came out which was really, it’s a revolutionary idea, is a project called “Let’s Encrypt”. And basically, they have produced a new certificate authority that is going to offer free, easy to implement SSL certificates. And so we did it on a site today, and it took like a minute to do that. Google has also said that you get extra points if your site defaults to SSL.
Now, Google is an actor in the world stage of the internet, and they’re usually a good actor. And that’s a statement they made back in early 2015, maybe even ’14 to say that we’re going to consider that a better thing and rank you better. What they’re doing is they’re trying to make the veracity, the faithfulness of the content that’s out there, continuous. So, security is a good thing. Encryption and security is a good thing.
So, the point is, is that you have to go to an extreme level of effort to compromise an SSL certificate. That may become easier over time. But it’s still a lot more work than to trick HTTP. Because there’s nothing in the browser, and there’s no mechanism to tell you that that is not an authoritative message from the right server. SSL helps you do that. And that’s what the green lock is and the secure site. It gives a human some assurance that you’re talking to the right site. That’s really all it is.
Now, humans make mistakes and certificates can expire. And what do you do? And I’ve been in that situation where you need to use a website, but they made a mistake and their certificate expired. Do you trust that? Because, could it be somebody else whose certificate has expired and all these different things? So, Google is sort of mandating this SSL, and if you have a website and you’re out there, you should be running default SSL now. Certainly with Let’s Encrypt.
Paul: Now, just before we go on, there are different levels of encryption in that Let’s Encrypt is basically, it’s just encrypted.
Paul: There is also ones that verify the identity of the company that you are connecting to. And that’s where you get the green bar or the green… That they have gone to an extent to say, “We’ve actually found the people or the corporation that are responsible, and they exist, and they can be tracked. They can be found. There’s someplace we can go and get them.”
Whereas a Let’s Encrypt just says, “It’s encrypted.” It’s not easy to snoop that data, but now when you get that green bar, that that authorization, it’s saying that these are actually who they say they are in the certificate. Because you can open up the certificate. I encourage people to click on that green bar. And you can see all the identity information of who the company is.
Jacob: In the green bar that you’re talking about, where is that located?
Paul: In the browser there’s usually a green indicator next to the URL. You’ll see a green signification, a little green area where you can click on the lock and it will show you who authorized them and what the information is that they authorized.
For an Entrepreneur
Jacob: I got you. So, I’m just envisioning an entrepreneur, and let’s say that she is trying to put together her company. A dynamic she wants to have on her research for a CTO for the company is going to be something along the lines of is the person she’s trying to hire in this situation familiar with these categories, familiar with SSL, familiar with these dynamics of encryption, levels of encryption as a point of just basic integrity for the company that she’s trying to launch or found.
Paul: Well, I think there’s a couple of different things. I’m not a huge sports fan, but let’s talk about what do you know. Do you know about football?
Jacob: I’ve heard of it.
Paul: Well, most people would say, “Yes, I do.” You know, and it’s it, but there is a huge spectrum of somebody knowing about football.
Paul: They may know the teams. They may know the mascots. They may know all the rules. And so, when you ask somebody, and this is a tremendously difficult thing. DNS is three simple letters. SSL is three simple letters, but they’re very complicated. Actually DNS is very complicated, and it can be messed up really easily. And when you mess it up, it propagates all over the world. And then you have to un-mess it up, and it has to propagate again. And you could be in a situation where you’ve broken your DNS, and people can’t get to you.
Paul: So the depth of understanding that your technology hire, or whoever you’re working with, has can have tremendous implications. Really significant, your site can be down. And this has happened to big companies. So, it’s not like this might happen just because you’re a small company.
Jacob: Well, it’s happened. I remember building a website five or six years ago, and within the first 30 days, it got compromised. And we weren’t able to recover it, because of the propagation and all that stuff. We just had to drop it and move on.
Paul: Interesting. So, if you’re trying to hire somebody to deal with your technology issues, they need to be aware of these things. Or better, know somebody that’s aware of these things. Because nobody can be an expert in everything. It’s rare to find somebody that has a depth of knowledge across that. So, you want to partner with somebody that knows where to get the answer or how to find the answer. And also, not to take the first answer they get.
Paul: Because it is very much like peeling an onion. There are lots of things. You know, I end up asking questions of people, like, “Why do you want to do that?” Because I’m trying to understand what their intent is. If they say, you know, “I just need you to change a DNS record for me.”
Why do you want that? And there are implications to it. So, you need to engage people that are going to ask that why and understand the implications of it rather than just charging ahead.
Jacob: Yeah. Excellent. Thank you. I think that’s great.
Also published on Medium.