The Internet is broken. We know it is broken. We make money off the fact that is broken, which dis-incentivizes us to fix it. We should fix the Internet despite this.
What, you ask, am I specifically referring to? How, exactly, is the Internet broken? Glad you asked.
- The Internet, as implemented today, is for the most part a postcard delivery system. Anyone who can get access to the flow of information can look at it. The result is that you can easily eavesdrop on information flows or surveil user activities which is the foundation of a huge slice of both commercial activities and state-sponsored oppression; that these two classes of activities are so similar should be attracting our attention and causing alarm.
- There is no concept of identity organic to the Internet. You are who you claim to be, and there is no build-in mechanism to validate that assertion. The result is that you can easily lie about who you are which is the foundation for a huge slice of the malicious activities on the Internet.
- There is no framework for trust organic to the Internet. The Internet is a binary reality; permit-deny is the only action that can be taken in the majority of traffic controls. Our world is infinitely more than yes-no, and we should have an Internet capable of reflecting that. This results in exceptional fragility in the way we build, deploy, secure, operate, and maintain communication networks, automated data processing tools, and information systems which is inefficient and costly, consuming human and capital resources that could otherwise be devoted towards non-reactive activities.
Three things. Out of which every ill and evil on the Ineternet flows. Three things that we’ve already spent a significant amount of time and energy designing solutions for, yet have declined to implement.
Really?
Really.
To transform the Internet from a postcard delivery system into a private letter delivery system, you need envelopes. Just like an envelope dissuades a person from reading your correspondence in physical mail, an Internet envelope would dissuade a person or system from reading your correspondence in the Internet. You could go a step further and use an envelope that could tell you if anyone tried to read your correspondence. I’m mean, this is 2013 and we have beer cans that tell you when your beer is cold, don’t you think we could have email that tells you if someone besides you and the sender has read it? You bet we can.
This is like sending your message via secure courier, and to transform the Internet from a postcard delivery system into a secure courier system, you need to deploy an end-to-end transport mode delivery mechanism that wraps the important parts of your message up in an cryptographic envelope that also verifies that the message you sent is the message you receive. We have that technology today, but it is metaphorically sitting in the Internet equivalent of that big warehouse at the end of Raiders of the Lost Ark because “they” don’t want us to use it. It is called IPSec, and your computer and your phone could be using it right now but you don’t. You send postcards that can be changed while they are in-transit.
To give the Internet an organic sense of identity and a framework for trust, you have to think about what identity means in the context of the Internet. To begin with, the Internet is a network of machines, just like the network you have at work or in your house, and those machines have addresses on the network that look like this c4:85:08:fb:a7:07 or this 10.10.1.136 or this fe80::c685:8ff:fefb:a707/64. Machines are good at remembering long strings of numbers and letters, but since you aren’t going to remember long strings of numbers, we have names like www.google.com and espn.go.com and guardian.co.uk that we use as shortcuts to those numbers. If you type one of those names into your browser, your computer looks up the name in a directory to get a number, then connects to the number. Once you get there, you are often given a number by the machine you are talking to so that it can remember who you are, very much like how the grocery store gives you a number on your “Membership card” or the government gives you a number on your Social Security card. When they do this, they are building their own directory of names (your name, John Smith) and numbers (their number to track you) so that when you log into Facebook you get your page and they can track what you do, what you buy, and who you know so they can sell that information to advertisers or present you with recommendations you’ll likely buy. And to keep you from having to log in everytime you go to facebook.com, the facebook servers will give your browser a cookie that looks like something like this presence:EM378567558EuserFA21605704951A2EstateFDsb2F0Et2F (Facebook actually gives your browser twelve of these when you log in).
Great, you say, it sounds like we have identity on the Internet, what is the problem? The problem is that none of those systems are something you decide. In the physical world, our identity is an accumulation of assigned names and numbers and our own personal assertions and those assertions are important. Who you are, and who you represent yourself to be on the Internet is very important. Imagine you live in a small town; everyone knows who everyone is, there is a lot of closeness just because of the nature of small town life. You see the same people at the town meetings and the ice cream socials and the grange and the market and the football game and the barber shop and… well, you get the point. Because your circle is very small and because there is lots of overlap in the activities you participate in, you get to know your neighbors very well. You form friendships, have gossip, accumulate a lot of information about their lives (as they do of yours). It makes it hard to have secrets, particularly juicy secrets. Being unfaithful to your spouse, unethical in politics, or immoral in your beliefs requires more work. But so does being uncertain about your sexuality, or being contrarian in your politics, or an outsider in just about any part of the small town society. Not having secrets creates an awful lot of intimacy, and that much intimacy breeds a with-us-or-against-us kind of tribal tyranny of the majority where anyone who is different is the enemy. When you are part of the majority, small town life has a lot of great things to appreciate, but when you aren’t part of the tribe it can be torturous and barbarous.
Now, imagine you leave the small town and move to a big city where you don’t know anyone. It can be an overwhelming shock to the system with the press of people, most of whom you will never see again, and the cold and impersonal way that people treat each other, even when they are being civil. Compared to the small town, big cities are decidedly un-intimate. But they are also distinctly free of the kind of tribalism that small towns have, or rather, they are an aggregation of many tribes and in general those tribes are less powerful and less exclusive than small town tribes. You are at liberty to join or not join, at liberty to come and go, at liberty to keep secrets from them. When you want to be a fan of the local team, you can join that tribe. When you want to be a patron of a particular artist, you can join that tribe. If you want to partake in underhanded dealings, there is a tribe for that. If you want to be a communist or a comic book nerd or a Zionist or make artisanal pickles you can find people who want to do that too. And if you need to explore something about sexuality or talk about being abused or addicted, there are tribes that will let you do that, too. There are a whole assortment of things good and bad that are exclusive to big cities, but generally speaking the tribal tyranny borne of small town intimacy and exclusivity isn’t one of them.
So, keeping with the analogy, you can think of the Internet as built for the small town rules but living in the big city. Once upon a time, everyone on the Internet knew everyone else. That lasted for a relatively short amount of time, but we didn’t change the rules about identity when we changed the rules about what you could or couldn’t do on the Internet. There are authorities that hand out numbers for being part of the Internet (called Autonomous System numbers and IP addresses), and there are authorities that hand out names that serve as shortcuts (called Domains) and there are authorities that hand out security credentials that you use to encrypt your conversations with the bank or do on-line shopping (called Certificate Authorities), and there are authorities that hand out individual identities to people in the form of your email provider, or the service provider that gets you on the Internet with a DSL or cable modem or a mobile device, or the Web site that gives you a login to get through a paywall, like the New York Times or ESPN Insider, or membership wall, like Facebook or Google. But there are two problems with this. First, identity is issued by big central authorities to contextual businesses that don’t communicate with one another to ensure consistency (just because I have an AS and some IP addresses, doesn’t mean I have control of a domain name that points to those addresses; just because I have a domain name doesn’t mean that I control a certificate that claims to secure hosts in that domain). Second, identity is issued to people by businesses without a way in the system to validate they are who they say they are. Most validation is performed by leaving the system of the Internet and using a credit card to validate a person’s assertion of identity. Or there is no validation at all. In formal logic we’d call that an incomplete system, because we have to borrow from a completely different system to achieve our goal.
There are simple but perhaps politically impossible ways to fix these (You’d just aggregate these three authorities (AS & IP allocation, Domain Registration, and Certificate Authorities) together so that you get tightly coupled packages of identity), but since these represent control (and therefore power) and domain registration and certificate authorities have a profitable business, that isn’t going to happen. But there are longer paths to structural, technical ways to fix this as well.
We could, for example, deploy a way for anyone with a domain name to be their own certificate authority by replacing the hierarchical checks of security certificates with direct checks of the certificate through the hierarchical checks of the domain name system if you could trust that the domain name system answers you were getting hadn’t been tampered with. This is called DNS-based Authentication of Named Entities, and it is on the shelf in our Internet version of the Raiders of the Lost Ark warehouse. The result of this would be that anyone with a DNS server could become a Certificate Authority.
We could also have DNS root servers (the one’s that list all the .com or .net domains) be named and identified, so that you wouldn’t need to have centralized hierarchies controlled by registration authorities, you could let anyone with an IP allocation be their own domain name system root. Doing this today is astonishingly simple through a combination of smarter, safer DNS clients, authenticated connection handshakes, and DNSSEC to eliminate the role of the local DNS server as anything but an authoritative resolver. The result of this would be that the local network would be able to be the authoritative source for all the names of sites or services in its section of the Internet, but the client could directly use any root server hierarchy it chooses when performing look-ups to intelligently discern the difference between google.com@hierarchy1 and google.com@heirarchy2, resolve conflicts when encountered, and be the authoritative source of name-address pairing for all local processes.
We could de-emphisize the importance of the IP address as an identity on the Internet by creating a mechanism that allows any device to opportunisticly obtain an address from the local network and publish that address to a name-to-address registry that would then be used for machine to machine connections. By this point it may not surprise you when I tell you that IPv6 has the first part built in, and the domain name system has the second part built in. The result would be that instead of having relatively few devices on the Internet with names, and those devices having relatively static name-address pairings, and configuring network devices relatively infrequently, the Internet would have nearly all of its devices named, dynamic name-address pairing, and network devices that match names to dynamic addresses would be in a constant state of awareness to the subset of the Internet they are responsible for.
We could give everyone a certificate (or many certificates) that they would use as an identity token. You could use this to say “I am Spartacus from spartacus.com” and anyone could quickly check to see if spartacus.com has a valid certificate issued for Spartacus and if the one you have matches. Then when you say “I am Spartacus, but the one from rome.com” anyone could validate that and tell the difference between the two. And you can give devices and people different certificates so that when I use your phone to look at facebook.com, it shows me the page for spartacus@spartacus.com not the page for spartacus@rome.com, but your phone will have the same identity on the network, because it is still the same device and still has the same certificate, and presumably the same address.
With these larger infrastructure issues solved, resolving the smaller implementation issues of certificate and key distribution, federated identity tokens, and reputation webs becomes surprisingly easy. The same DNS server that is the certificate authority is the certificate and public key distributor. The same device that registers it’s IP address to the name server, registers its identity certificate with the name server. The same web browser that performs DNS lookaside validation with the DNS server during an TLS handshake performs SAML authentication with the web server during application authentication. The same keychain that stores certificates and public keys stores identity tokens and private root certificates. The same DNS infrastructure that secures sites with DANE can distribute keys for IPSec. On the Internet, who you are is who you say you are, but now, when you say you are a dog with an ice cream fetish, you can be authoritative in asserting that persona, and whomever is making a decision about whether or not they want to interact with you can make an informed decision. Perhaps I am anti-ice cream, or anti-dog, or just refuse to talk to imaginary personas; I can reject your attempts to connect. Likewise, if I too am a dog with an ice-cream fetish, we can enjoy our shared interest together, but we decide what boundaries we will erect to compartmentalize our interactions. And those interactions are free from eavesdropping, freer from surveillance, free from someone pretending to be you, and consequently free from someone using address spoofing to overwhelm a link or a server with a distributed flood of traffic. Those interactions are automatically eligible for a wide range of dynamic trust – and all of the granular controls that I wish to bring to bear.
In short, migrating towards IPv6 and IPSec and using technological means to distribute the centralized certificate authority and DNS root servers opens up huge opportunities to fix what ails the Internet and those technological means are largely on the shelf today but not assembled in such a way that they are logistically or operationally free of the friction that keeps them from being widely deployed. There are vested interests in government and business that have no interest in upsetting this particular apple cart, but it seems like a very good cart to topple.