Where am I? Who am I? Am I? I

by Francois Joseph de Kermadec

A little while ago, the notion of RSS hijacking grabbed the headlines and feed publishers everywhere were living in sheer agony, waiting for their reader count to drop, their faithful listeners to be piped smut through the magic of fraudulent CNAME records and sneaky mod_rewrites. Looking around, the situation is already problematic and there are many false feeds circulating through directories and indexes, more often than not created by users who were just "trying out" a service by using someone else's XML source, not realizing they were, by releasing their homebrew feeds in the wild, creating a virtual time bomb.

On the Internet of today, we have means to authenticate communications at different levels. Technically, we can guarantee you are talking to a specific server, a specific website, even a specific person or company by adding some real-life identity checks to the mix. The problem, of course, is that such certificates are difficult or impossible to obtain and that it is just "easier" to do without them, betting on the fact that we or the people around us will never come under attack.

Come to think of it, though, the situation is worrying: with no assurance that an email you receive is from me, that the website you visit is the one I have written or that the feed you are subscribed to faithfully mirrors what I write, how do you know you are in touch with me? And how do I know I am in touch with you? You think you are reading this blog on the O'Reilly network right now, but are you really? Or did someone hijack the DNS of your network, presenting you with a page that looks like the O'Reilly network, smells like the O'Reilly network, sounds like the O'Reilly network but is actually stuffed with malicious images, corrupting your QuickTime installation through the magic of buffer overflows?

This sounds like a deleted scene from The Net but is actually a very plausible situation, given how predictable our browsing and updating patterns are for someone who really wants to attack our systems or our network.

If there is one thing I wish for the Internet of tomorrow it is better authentication, more ways to know who really is on the other end of the line. Transparent windows and web feeds can wait.


2005-12-29 06:35:35
Always could add...
We could always add a gpg signature to the feed for the 'podcast' in question. Course the feedreader would need to be able to verify it from the public key it would already have downloaded.

I think the real fear I see is the 'PodCasting' directory services, tweaking hosted RSS to include their own Commercial Advertisements.

Mark my word, it's on the way...

2005-12-29 07:42:30
Personal Certificates
One potential way to address this, at least for person-to-person communications, would be to consider digital certificates a public service, maybe issue them along with government identity cards (driver's license or other) as a digital version of that ID. Make the ID a smart card, and the certificate could even be embedded right in it. The government seems like a natural Certification Authority.

The problem with this, of course, is the privacy issues it raises.

2005-12-29 12:44:25
Personal Certificates
Yeah honestly I think I'd rather have my entire hard disk hijacked and deleted than risk the government getting involved with it all. Government involvement inherently means regulation. Standardization is good, regulation is not.

It makes more sense to do it as a private industry. Competition keeps cost down and encourages innovation. It'd be like buying a domain name. This is who I am, here's my $15, now give me a certificate...

As long as a standard is in place you could have any number of companies issuing the certs. They'd just have to be compelled to keep up with the standards. You can't have some issuer drag behind and not patch a discovered security problem for six months.

2005-12-29 12:46:18
Always could add...
We'll just need to "tweak" those ads right back out again then, won't we?


2005-12-29 20:46:56
Personal Certificates already exist
"It makes more sense to do it as a private industry."

It already is. You can buy certificates from VeriSign, Thawte and others. It's rather a pain, though: you have to verify your identity to them (otherwise they can't certify it), which means using a notary or something similar. Also, certificates are expensive due to a chicken-and-egg situation, since they're currently mostly used by businesses, not consumers.

The whole business of Public Key Infrastructure (PKI) is pretty convoluted. I recommend reading Schneier's "Practical Cryptography" for a good overview. It's one of those areas, like AI or the "Semantic Web" that's prone to utopian ideals that collide against messy realities.