The public should not be granted read and write access to the same resource. For example, if the public can read a web page, they should not be able to write to it. The ability to write to it would permit them to alter or contaminate the data in a manner that could prove embarrassing. If a directory is provided to which the public can send files, they should not be able to read from that directory. If they can both read and write to the directory, they may use it simply as storage in lieu of their own. They may also use it to store contraband data that they would not want on their own systems and which might also prove embarrassing.
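One way to check a published tree against this rule, as an added example that is not part of the original text: it assumes POSIX permission bits, treats the "other" class as the public, and uses hypothetical names (`public_read_write`, `incoming`, `shared`, `guestbook.txt`) on a constructed sample tree.

```python
import os
import stat
import tempfile

BOTH = stat.S_IROTH | stat.S_IWOTH  # "other" read and write bits together


def public_read_write(root):
    """Return sorted paths under root that the public can both read and write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits say nothing about the target
            if (mode & BOTH) == BOTH:
                findings.append(path)
    return sorted(findings)


def demo():
    """Build a constructed sample tree and return the offending relative paths."""
    with tempfile.TemporaryDirectory() as root:
        layout = [
            ("index.html", False, 0o644),     # public read only: acceptable
            ("guestbook.txt", False, 0o666),  # public read and write: flagged
            ("incoming", True, 0o733),        # write-only drop directory: acceptable
            ("shared", True, 0o777),          # public read and write: flagged
        ]
        for name, is_dir, mode in layout:
            path = os.path.join(root, name)
            if is_dir:
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)  # chmod is not affected by the umask
        return [os.path.relpath(p, root) for p in public_read_write(root)]


if __name__ == "__main__":
    for rel in demo():
        print("public read+write:", rel)
```

The `incoming` directory passes because mode 733 lets the public create files in it without being able to list its contents.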
Encryption is the application and use of secret, as opposed to public, codes. It is a powerful defense that can deal with many of the problems related to vulnerable links and even some of those related to insecure nodes. It is inexpensive and effective. In addition, multiple implementations are available. However, it is limited in the open node problems that it can deal with and may require some management infrastructure. Exhibit 1 displays some of the encryption choices available for selected applications on the Internet.
Encryption is used for two fundamental purposes on the net. The first is to preserve necessary confidentiality on the net, which is the traditional use of cryptography. The second is to enable some confidence about with whom one is talking. In other words, if the conversation is in a language that only one other party can speak, the correct parties are speaking to one another.
Encryption can also be used to resist password grabbers and other eavesdropping attacks.
The following are recommendations for using the Internet in a relatively safe way. Although few will follow all of these recommendations, there is risk involved in any deviation from the recommendations. Moreover, although complete adherence to these recommendations will not eliminate all vulnerabilities, it will address many of them. Finally, although complete adherence will not eliminate all risks, following these recommendations provides a reasonable balance between risk and other values.
The Internet is as ubiquitous as the telephone and for similar reasons. It gives users such an economic advantage over nonusers that the nonusers are forced to become users. Pundits are fond of saying that no one is making money on the Internet. This position is fatuous and suggests that tens of thousands of enterprises are behaving irrationally. What is meant is that no one is conducting commerce on the Internet, at least not in the sense that they are selling, distributing, billing, and being paid over the Internet. Of course, many firms are doing one or more of these. Many others are making money, mostly by reducing costs. Many companies are using the Internet because it is the most efficient way to support customers.
The Internet holds out the promise to empower, enrich, and perhaps even ennoble. A minimum level of public trust and confidence must be maintained if that promise is to become a reality. That trust is both fragile and irreparable.
Because fundamental vulnerabilities on the network exist and because all possible attacks cannot be anticipated, a conservative policy and a responsive posture are required.