The Broken Web


A no-frills look at the problems facing some of the web's fundamental technologies.

Unbeknown to most people, the web is creaking at the edges, and any number of the fundamental technologies it depends upon could crumble without a moment's notice. Here I'll outline the various problems in simple terms.

IP Addresses

Computers on the web find each other with IP addresses. IP version 4 has a finite range of around 4 billion values and it has been used since 1981. With the persistent expansion of the web we are running out of available IP addresses. IPv6 was published in 1998 but uptake has been slow and a lot of equipment around the web still simply doesn't support it. The scope of IPv6 is effectively infinite, with 3.4×10³⁸ possible values. To make matters worse, IPv6 and IPv4 are not directly compatible and intermediate equipment is needed to manage translations.

Put simply, this is like running out of telephone numbers, for the whole world, and most current telephones don’t understand new longer telephone numbers. You’re ok if you already have a phone number (or a website) but you’re kinda stuck if you’d like a new one.

Routing

Knowing the address of a computer on the web is not enough; one computer also needs a route to the other. On several occasions large chunks of web traffic have been inexplicably redirected, reaching their intended destination only after an unscheduled and undetected detour. Most of these reports seem to involve traffic being diverted via China or Chinese-owned equipment and networks.

Put simply, if you drive to the post office, pick up some mail and return home, you’d take the shortest route. When a redirection happens you drive through a potentially hostile neighbourhood where people might snoop on your mail, but upon getting home you’re unaware that you even took the detour.

DNS

We browse the web using human-friendly web addresses like bbc.co.uk instead of IP addresses. DNS translates those friendly addresses to the IP addresses that computers understand. When DNS is compromised you might browse to bbc.co.uk, but the DNS translation sends you to the IP address of a malicious website, which might host malware or be set up to mimic the original website so that you're tricked into handing over details. There is an extension called DNSSEC but, as with IPv6, the uptake is far too slow.

Put simply, you walk into a bank on the high street, the sign outside looks right and the shop inside looks right but it’s actually a fake copy of your bank and once you hand over your money you’ll never see it again.

SSL

SSL serves two purposes: 1) it verifies that the website you're looking at is the website you think it is, by providing an electronic certificate that matches the website address; 2) it encrypts the conversation between your computer and the website so that nobody can eavesdrop. Your web browser only trusts certificates from a fixed list of trusted authorities. The problem is that those trusted authorities are being attacked, and the attackers issue themselves hundreds of seemingly legitimate certificates. There is a new concept called Convergence but it's in very early stages and may not become a standard.

Put simply, combined with a faked website and something like DNS redirection, you'd never know that the website you're looking at is not the real website if it has a valid, correct and trusted certificate.

BEAST Attack Tool

In September 2011 two researchers developed a tool that allows an attacker to capture authentication details even if you're using a secured connection. This means an attacker can gain access to your online banking, emails or social networks, regardless of what security measures have been put in place. In a live demonstration it took the researchers two minutes to compromise a PayPal account!

The attack works against SSL and TLSv1.0 (TLS is the later version of SSL) but later versions of TLS go some way to mitigate the attack. TLSv1.1 was released in 2006 but is still only supported and used by a very small fraction of websites and web browsers. The attack is limited to man-in-the-middle (MITM) attacks but again, if coupled with a DNS redirection attack, this becomes trivial and widespread.
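For anyone running a web server, the practical check is which protocol versions it still offers. The script below is an added example, not part of the original post: it audits nginx `ssl_protocols` directives and flags any that enable the versions named above (SSL and TLSv1.0). It assumes an nginx-style configuration; the sample config and hostnames are constructed for illustration.

```python
import re

# Protocol names as accepted by nginx's ssl_protocols directive.
# The article states the attack works against SSL and TLSv1.0.
AFFECTED = {"SSLv2", "SSLv3", "TLSv1"}
NEWER = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Matches an active directive; commented-out lines start with '#' and are skipped.
DIRECTIVE = re.compile(r"^[ \t]*ssl_protocols\s+([^;#]+);", re.MULTILINE)

def audit_ssl_protocols(config_text):
    """Return one finding per ssl_protocols directive found in config_text."""
    findings = []
    for match in DIRECTIVE.finditer(config_text):
        enabled = set(match.group(1).split())
        findings.append({
            "line": config_text.count("\n", 0, match.start(1)) + 1,
            "affected": sorted(enabled & AFFECTED),
            "newer": sorted(enabled & NEWER),
            # Acceptable only if no affected version is on and a newer one is.
            "ok": not (enabled & AFFECTED) and bool(enabled & NEWER),
        })
    return findings

# Constructed sample configuration (hostnames are placeholders).
SAMPLE = """\
server {
    listen 443 ssl;
    server_name legacy.example;
    ssl_protocols SSLv3 TLSv1;
}
server {
    listen 443 ssl;
    server_name mixed.example;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name modern.example;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for f in audit_ssl_protocols(SAMPLE):
        status = "OK" if f["ok"] else "REVIEW"
        print(f"line {f['line']}: {status} affected={f['affected']} newer={f['newer']}")
```

A server block with no `ssl_protocols` directive produces no finding, so its effective protocol list has to be checked against the defaults of the nginx version in use.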

There are some other problems, such as cookies tracking your web browsing activity, so-called super cookies that can't easily be erased from your computer, net neutrality being challenged (which could see the introduction of tiered or paid service levels) and anonymity being eroded under a veil of social accountability.

The truth is, though, that the web at the time of its inception was never meant to do most of what we are using it for today. This is perhaps the biggest case of scope creep in history and there is a very real threat that the dependency so many of us have placed on the web may soon be challenged…

There’s no need to worry. There’s nothing you can do about it anyway 🙂

Image Attribution: Thanks to Idea go @ FreeDigitalPhotos.net for the images

3 thoughts on “The Broken Web”

  1. thegaryhawkins Post author

    Hi Cat, it’s a combination of software and hardware but it’s not just your computer, it’s all of the website computers and all of the networks that join them all together.

    IPv4 uses four sets of numbers that each range from 000 to 255.
    IPv6 uses 8 sets of numbers that each range from 0000 to 65535 (or FFFF in hexadecimal notation).

    Computers and networking equipment (servers, switches, routers, firewalls, etc) were only ever designed to understand and work with the IPv4 format so they simply can’t handle the longer numbers. It’s like trying to write War & Peace in a single Tweet or squeeze a large square peg into a small round hole.

    Does that answer your question?
