So this forms a prequel for some of the VPN and SSH HOWTOs based on feedback from readers. Specifically, “these look great, but why do we need them?”.
In the beginning …
The Defense Advanced Research Projects Agency (DARPA) created the internet for military purposes. In the late 1960s, the US government was concerned about the vulnerability of its communications networks to attack. DARPA’s goal was to create a network that would be decentralised and redundant, so that it could survive a nuclear attack.
The first network, called the ARPANET, was created in 1969. It linked four computers at universities and research institutions. The ARPANET quickly expanded, and by the early 1980s, it was connected to hundreds of computers. In 1983, the ARPANET adopted the TCP/IP protocol suite, which is still used by the internet today. This allowed computers on different networks to communicate with each other.
One of the goals of ARPANET was to make it possible to communicate sensitive information securely. It did this by using a technique called obscurity. Obscurity works by hiding sensitive information among a large amount of other, non-sensitive information. This makes it more difficult for an attacker to find and intercept the sensitive information.
Obscurity can be used as a supplement to encryption. Encryption is a technique that scrambles data so that it cannot be read without a password or key. Obscurity can help to protect data that is not encrypted by making it more difficult for an attacker to find.
As an analogy, imagine that you are trying to hide a secret message in a book. You could write the message in invisible ink, but this would be difficult to do and the message could be easily revealed if the book was exposed to heat or light. A better way to hide the message would be to write it in plain sight, but among a large amount of other text. This would make it much more difficult for someone to find the message without knowing where to look.
The ARPANET used obscurity in a similar way. By routing sensitive data through a network of many different computers, it made it more difficult for an attacker to find and intercept the data. Obscurity is not a perfect solution, but historically it was an effective way to protect sensitive information.
Note for later when I reference the online safety bill; in summary the Internet was designed to be decentralised and to facilitate secure communications.
Back in the real world …
We used to gain remote access to servers via a tool called telnet. This was great. You telnet to a remote machine, you give it a user name and a password, and if you enter valid credentials, it starts a remote terminal session on that machine. ssh by the same token did the same thing, but provided an encrypted channel, so nobody in between you and the remote server could see what you were typing.
At the time ssh was poorly documented, quirky, and I really couldn’t see how all the effort of getting it going was worth it. Then two things happened. Firstly someone showed me a brute force telnet password cracker. Second, it became apparent that I was acquiring the need to connect to other remote machines from a machine I’d connected to remotely. This would essentially mean passing a second set of credentials over an unencrypted channel. Then telnet was no more, things had changed, a huge hole had been blown in security through obscurity.
So why SSH specifically?
Well, ssh has become a bit of a sysadmin’s Swiss army knife. It’s not just for getting a terminal session on a remote computer, and although it can work off username / password based credentials, this is seriously discouraged and a huge security risk.
Fundamentally ssh is designed to create a secure encrypted connection between two points. It does this typically by generating a pair of keys, one referenced as a private key (which should never leave the machine on which is was generated) and the other a public key which can be shared with any remote server to which you want to connect.
They keys work in such a way that once you’ve encrypted a string of characters with the private key, it can only be decrypted with the public key. So in principle, encrypt “let me in” with your private key and send it to a remote server. If the server can decrypt the message with your public key, and it reads “let me in”, it knows definitively the message received was encrypted with your private key, so it knows the message is you. Typically ssh uses 2048 or 4096 bit keys, so this is the equivalent of logging in with say a 256 or 512 character password, anything 16 characters and up is generally considered out of range for brute force crackers.
So, once you have your secure point-to-point encrypted connection, the standard application is a remote terminal session. However with a few additional command line flags you can set up a tunnel and route other traffic over the link, and on Linux we have sshfs, which will let you mount the folder of the user at the far end of the connection, as if it were a network folder. (think; a secure / remote version of NFS)
How do VPN’s fit in?
VPN’s work in a similar way to ssh, I guess you could think of a vpn as a variant of ssh specifically designed to maintain a number of persistent tunnels to remote machines. If you can only access a collection of remote machines via ssh, some things can become a little laborious. Say for example you’re working from home, but need to print something on a printer in the office. You could set up a ssh tunnel to a point inside the office, then redirect your print function to the tunnel … but this is a bit of a fiddle. With a vpn you would typically run a virtual network that encompasses your remote machines and your office machines. In this instance, from the perspective of printing, it would look like the office printer was on the same Local Area Network as your home machine, so you would literally just print to it, as if you were in the office.
So what are VPN Services?
Historically we used to have a bunch of proxy servers that people could connect to which would effectively hide their actual identity and location, and make it look like they were somewhere they weren’t. A great feature in terms of anonymity. I say historically, they still exist if you look, but they now seem to be called VPN Service providers. This company for example I’ve been aware of for many years and my recollection is that they started out as a Proxy service, offering the same kind of features they now seem to provide as a VPN Service.
They essentially do a similar thing, but rather than just proxying traffic through their servers, they encrypt the traffic between you and them, and typically offer other bells and whistles. I’m not entirely sure with services like this why VPN gets into the name.
On the one hand having the connection to your proxy server be encrypted isn’t necessarily a bad thing as it reduces the chance of someone in the connection path effecting a “man-in-the-middle” attack. (which is hard unless you’re accessing the Internet via public WiFi) On the flip side, you put all your traffic through a proxy server, so you are putting all your traffic through a server it wouldn’t otherwise go through. I guess you’d be relying on them being good guys and them not getting hacked.
In summary, I would ask myself, do I really (really) need it. Even if you do have it, just don’t do your online banking from a Coffee shop (!)
The Online Safety Bill
Yes you may be thinking, “it’s about time those big old social media companies were subject to a bit of regulation” for all the potentially harmful content that’s creeping onto their platforms.
If only. Where do I start. Transparency, Honesty, Competence. All seem to be lacking to some degree. At this point it seems difficult to determine whether the bill came about because of the government’s concern for people’s well-being, or whether they thought it was unacceptable that people should be allowed to have private communications that various government agencies couldn’t gain access to. Either way, it seems they wanted to do away with Internet security (privacy) which is in direct conflict with one of the core reasons for the Internet’s existence. (as noted above)
Strangely there has been a degree of push-back, many companies encrypt data in many ways and the bill’s attempt to either weaken this encryption or provide back-doors for the government, well. It seems the government’s technical advisers omitted to mention that the technology just doesn’t exist to do some of the things they want to do, and that companies simply cannot just abandon their business-model, products and user-base, because there would be nothing left. Unless of course they they did mention it and the government just ignored them. Given the number of times we seem to have been told in recent years that they “just follow the science”, that option seems a little unlikely …
Anyway, there seem to be a number of U-Turns in motion at this point;
What does it all mean for the future?
Well, the big online giants will tell you that the future is in massive super-concentrated data centres that consume as much electricity as a small town, covered by a Faraday cage, with backup generators and built nowhere near a river or open brush. However.
Which would you rather?
- Have a centralised Internet where a few giants effectively own all your data and monitor everything you do, with the future promise from a government who also wants access to everything.
- Have a decentralised private Internet (as above, per it’s original design) where you own all your own data, nobody is tracking what you do (at least not en-mass from a single point) and the government isn’t trying to use it to find out if you said a bad word when texting to you mates on a chat app.
Given the number of apparent cases of people now being convicted based on something they typed in what they took to be a secure chat application, typically something they may not ever have said out loud, I feel a reference to ThoughtCrime appropriate. Whereas I wouldn’t want to defend someone who has done something harmful, if we start going after people who think something others might perceive as harmful, it would seem to be a very slippery slope back to 1984.
Just look what happens now if you publicly disagree with the wrong people. What will it be like in the future if we’re not even allowed to privately disagree with the wrong people!
Anyway, if you choose the second option (i.e. decentralised), most of the tools you need are readily available. You don’t need to use somebody else’s VPN service, you don’t need to use somebody else’s cloud storage, email service, content management system, etc etc.
Web 3.0 and other interesting projects
Web 2.0 is generally thought of as the age of social media. Huge centralised online operations where people share communications and data. Web 3.0, although people often quote blockchains and crypto, is all about decentralisation. (which is sort of what blockchain and crypto are about) In this arena a number of things are happening;
IPFS (InterPlanetry FileSystem)
If you’re interested in distributed networks and how things might look in the future, IPFS is something to keep an eye on. The software is becoming pretty slick and it’s been picked up and supported by some quite large players. (like CloudFlare)
DWEB
DWeb connects the people, projects and protocols essential to building a decentralised web. A web that is more private, reliable, secure and open. A web with many winners—returning to the original vision of the World Wide Web and internet.
CloudFlare’s ZeroTrust Platform
CloudFlare provides a number of very useful free tier products including their ZeroTrust platform. This has many uses, but one feature is that it allows you to present services to the Internet without actually having a public server. So although you need a domain name to be found (maybe £4 a year) nothing else is needed for you to host your own website. (i.e. you can host it in a virtual machine or container in your office or home, and the platform will make it available on the Internet)
Summary
If anyone would like me to expand on any of these points, provide more detail or explain in more detail let me know, this post is set up as a Wiki so I will correct it / add to it over time.
1 post - 1 participant