next up previous
Next: 2 What is Security Up: 1 Introduction Previous: 1.1 The Internet

1.2 Why is Security on the Internet an Issue?

In the ``real'' world, where information is exchanged in physical form, there is a great deal of security infrastructure, built up over literally thousands of years, that we take for granted.

The postal service is a good example. For a nominal fee, you are able to send a message anywhere in the world. If you want that message to be private, you enclose it within an envelope. Tampering or changing the message would require breaking the seal on the envelope and committing Federal crime. If you wish to make sure that your message was received, you ask for a return receipt. To make sure that the person who received the message was the one you intended him to be, you might check his or her signature. He or she might check yours.

Now imagine that someone has just constructed a brand-new postal service from scratch. The service operates at blinding speed, sorting and forwarding messages through various postal clearinghouses in seconds instead of days. But the new service has some drawbacks. Anyone can be a postmaster, and there is nothing to prevent a postmaster from making copies of the mail as it passes through his clearinghouse. Messages are written on postcards, and instead of signatures and return receipts, all message identification is written in identical block letters: ``This message is from John at ZDS.'' So the postcard-sorters can't help but see entire messages; there is little to prevent a phony message from being swapped out for a genuine one; there is no guarantee that the persons on either end of the message exchange are the people on the address; and there is no means of verifying that a message was received.

Such a postal service exists today, and it is known as the Internet. By design, the Internet allows wiretapping, and it is estimated that 20of the message traffic sent via the Internet is copied and stored somewhere (by someone other than sender and receiver) for later reference. Most messages are sent as plain block text... an intercepted message can be read by different software platforms.

Businesses are now viewing the Internet as another possible distribution channel that can inexpensively reach a vast, international marketplace. Products can be attractively presented with rich graphics and detailed descriptions, and customers can have a convenient, fast communications channel in which to obtain a quotation and place an order.

Security, however, continues to be a point of concern and a barrier for commercial transactions over the Internet. The building block architecture of the Internet dictates that, for the most part, communications must pass though many computer systems to link the parties in a transaction. Each interconnecting computer system represents a potential security vulnerability. A security breach at any point potentially has a wide reaching effect on a large number of users and institutions. In addition, telecommunications facilities that transmit price quotations, product plans, or other guarded information are subject to penetration from unauthorized parties.

Several break-ins on government computers and those managed by Internet service providers have been well publicized. Most of these break-ins resulted from attackers exploiting vulnerabilities in host and network security that allow capture of a user's password. Such incidents raise concern among those using the Internet for non-commercial purposes, and they discourage businesses considering use of the Internet as a commercial channel. Unless security problems are fixed, companies whose survival may depend on proprietary trade secrets and closely guarded cost and price information, and financial institutions required to provide a payments infrastructure will not participate. Without the support of financial institutions, it will not be possible to gather the critical density of businesses necessary for a healthy marketplace to develop.

next up previous
Next: 2 What is Security Up: 1 Introduction Previous: 1.1 The Internet
Denis Arnaud