Network trust and security in doubt

Switching off the PSTN and the uncertain future of SSL certificates is creating doubt over network security and trust, cyber security expert Bill Caelli argues.

Cyber security specialist, Bill Caelli.

Cyber security specialist, Bill Caelli.

The decommissioning of the public switched telephone network (PSTN) across Australia over the next few years could accelerate the deterioration of one of communication technology’s most valuable assets: Trust.

Speaking ahead of his presentation at the 2011 Computer Control Audit Security (CACS) conference in Brisbane, cyber security specialist, Bill Caelli, told Computerworld Australia that decommissioning the PSTN would result in faster speeds — but at the potential cost of trusted computing.

“We are about to move our total nation, through the NBN (National Broadband Network), to internet-based activity... Whereas in the past I trusted Telstra to give me a trusted connection, I now have to trust a broad range of who knows who to create the connection,” he said.

“The connection system itself has moved beyond the actual carrier to another level and we don’t know what the training, education, security and resilience of all those other internet service providers is; we don’t know how secure the DNS (domain name service) is.”

According to Caelli, the DNS-SEC security standard was developed to add authentication security for an element of trust, similar to the PSTN, into the DNS. However, the standard was ageing and received very low levels of adoption and implementation.

Exacerbating the issue, Caelli said, was the industry’s high reliance on Secure Socket Layer (SSL) certificates to provide security. However, the security of the certificates themselves were now in doubt.

“SSL certificates themselves depend on a root certificate which can be verified and digitally signed by an issuing authority,” he said.

“But as we have seen with DigiNotar in the Netherlands, that system has been broken by hackers and they can now issue fraudulent certificates.

“The issue is that the SSL system depends upon the trustworthiness of the people who issue them ... and with a broken system we now have a real problem on our hands."

Importantly, the number of sites issuing SSL certificates also meant that the number of certificates which now had to be checked posed a massive task.

“The average browser now has one hell of a lot — a massive amount — of certificates to check whether or not they are now no longer valid,” Caelli said.

“SSL has become unwieldy. It just doesn’t scale.”

As a solution, Caelli called for an accelerated use of DNSSEC to provide authentication combined with the security capabilities embedded in internet protocol version six (IPv6).

“You combine DNS security, which gives us trust we are getting to the right place, and IPv6 with IPSEC, which gives us a confidential or encrypted channel, and we start to get a solution,” he said.

“The problem is that IPv6 is hardly in existence yet.

“If nothing much is happening in safety and security, then what is the role of government? The government absolutely needs to look at it.”

Caelli also pointed to a major need for security training among senior IT practitioners around the country, arguing that the level of understanding on issues around network security was generally low.

“Cloud computing will critically depend on the naming system to get to the right ‘you’ in the cloud,” he said.

“How many CIOs would be able to do a proper risk assessment on that?

“A recent survey in America showed 50 per cent of CIOs in the Fortune 1000 didn’t have a background in IT. They are lawyers as what they are mostly doing is administering outsourcing contracts.”

Caelli also pointed to a decline dedicated IT departments at universities and tertiary education institutions in response to falling student enrolments as a future network security issue.

Follow Tim Lohman on Twitter: @Tlohman

Follow Computerworld Australia on Twitter: @ComputerworldAU

Tags Networkingipv6SSLDNSCACS 2011DigiNator

Show Comments