title: Talking to a mirage?


by: Scott Bradner  


Security is expensive.  It is expensive in terms of complexity, management and non-ease of use.  It is also expensive in terms of processing power required.  But attempts to minimize the impact of the latter on web servers are now impacting the very security that is being sought.


Web security is pretty good stuff.   The basic idea is that you want to set up a secure communication between yourself and a server that you are sure is the right server at the same time the server wants to be sure that its talking to you not someone down the street. The server has a digital certificate that your browser uses to be sure that it is communicating with the right server.  You authenticate yourself to the server with your own digital certificate or with a logname password combination.  Thus the server knows who you are.  You as a user authenticate yourself to an authenticated server -- just the right level to be securing -- and the communication is encrypted - what more could you want?


By the way, what I meant by saying that web security is at "just the right level" is because the authentication is taking place at the user level not the system level as is the case with many VPN solutions.  VPNs can be used between firewalls, in which case the communication inside the firewalls is open to eavesdropping and the identity of the servers and users is not assured.  VPNs can also be used between remote computers and a firewall, the result here is not much different -- insecure internal communications and no server authentication, in addition if the remote computer is compromised the first line of corporate defense is breached.


But there is a disturbing, if understandable, trend that undermines some of the security of a secure web environment.  This is the movement to separate front-end processors that are used to off load some of the computing intensive work from the web servers.  These front-end processors mimic the server that you are trying to connect to.  They have a digital certificate for that server so your browser thinks it is talking to the actual server.  The front-end processor does the encryption and decryption and communicates with the actual web server using unencrypted data streams.


Since this is all in a data center one might think that it's all OK security-wise but its not.  The data is now exposed to eavesdropping where it had not been. Also, if the front-end processor is compromised all of the servers it front-ends for are compromised. But more importantly, you as a user no longer can be sure what you are talking to.  Transparent proxies, NATs and firewalls have already compromised the original end-to-end Internet model and I guess this is just another little step along the path but I don't have to feel good about it.


disclaimer:  Harvard's original model is long gone or this column would be more pious -- but the University has not expressed a view on Internet transparency.