Berkeley boys talk security

By David Joachim

Ian Goldberg and David Wagner, first-year graduate students of computer science at the University of California at Berkeley, made international headlines recently.

First, they cracked the Secure Sockets Layer security tool built into the World Wide Web's most popular browser, Netscape Communications Corp.'s Navigator (Communications-Week, Sept. 25, page 1); then, they reported flaws in the core Internet protocols that threaten the security of sensitive data transmitted over the public network (Communications-Week, Oct. 16, page 1). Interactive Age spoke to them earlier this month.

Interactive Age: What got you interested in Internet security, and what got you started in your work?

Wagner: Obviously, there's a lot of interest in Internet security, and I've been interested in computer science, math, cryptography, civil liberties and related issues for quite some time now.

Goldberg: I've been interested in computer security ever since my first exposure to a Unix machine in high school. Trying to get a computer to keep secrets from its users is a difficult problem, because bugs in security software often lead to problems of a more undesirable type than bugs in more mundane programs.

Interactive Age: What is the motivation behind your work to uncover holes in Internet security?

Wagner: To work toward a secure, safe Internet environment for the future and uncover past mistakes and learn from them, so programmers can make sure to avoid them in the future.

Goldberg: The growth in electronic commerce on the Internet is no small cause for concern. Whereas security holes used to be used by crackers to show off or for petty vandalism, they now have the potential to be used to steal large amounts of real money, perhaps untraceably. Our work is not so much to "uncover" holes in Internet security, but rather to point them out to consumers who are being courted by makers of electronic-commerce products, but who are not very familiar with the Internet.

Interactive Age: Are you continuing that work?

Wagner: Absolutely. We here at Berkeley are starting a small security research group, made up of one professor and three grad students, which will identify broad problems with Internet security, looking at the whole system from end to end.

Goldberg: We also are trying to develop software that will help consumers protect themselves against threats, without requiring them to be technically knowledgeable.

Interactive Age: Did you expect the kind of attention you got after you reported breaching Netscape Navigator's security?

Goldberg: Initially, no. When we found the problem with Netscape's implementation of its Secure Sockets Layer [the method by which Netscape's browser transmits encrypted information over the Internet], we publicized what was intended to be just an initial result to the cyberpunks list [a mailing list for hackers]. But the press picked up on it right away, and here we are.

Wagner: It was totally and completely unexpected. It was very weird, actually.

Interactive Age: How was it weird?

Wagner: It was just very surprising to walk into your office as a first-year grad student and find TV camera crews. This isn't an everyday occurrence for us, you know. Or at least it wasn't a month ago.

Interactive Age: Were you going after Netscape because of its domination in the market, or was it one of many tests you were conducting?

Goldberg: I initially looked at Netscape because someone on the cyberpunks list had wondered how good its random-number generator was. When I took a look at it, it looked OK, but I hadn't yet looked at the method used to determine the initial seed, which is where the problem ended up being.

Dave was independently looking at the seed code in a different Netscape product, SSLREF, noted it was faulty, and wondered if the Netscape browser had the same problem. Upon discovering we were working on similar things, we teamed up and found that, although the browser did not have the same problem as SSLREF, it had a similar one.

Interactive Age: Are you attempting to show that the Internet is not a solid enough platform for electronic commerce?

Goldberg: Not at all. We just think it's not quite ready yet. One of the biggest problems is that in a new field such as this one, being first through the door is much more important than having the best product. Therefore, we see many companies rushing to be the first ones into electronic commerce, electronic money and electronic payments, and none of them thus far has managed to convince me that I can trust my goods, bank accounts and credit cards to them.

It would be beneficial to all if this rush for the door would stop, take a step back, and make sure these products are actually secure before trying to get them installed on every desktop.

Interactive Age: So, you do not see the Internet as a fundamentally flawed network that needs to be completely dismantled and rebuilt in order to support electronic commerce?

Wagner: No, I don't think the Internet is fundamentally flawed for security. It was not designed for high-grade financial security, and there's some work to do to improve security to an acceptable level. But there's no reason to run around crying that the sky is falling.

Goldberg: The main thing to note here is that if Netscape had published the source code for at least the security bits in its program, this problem would have been found and corrected very quickly. It has long been known in the security community that source-code review is absolutely essential when constructing a system you intend to be secure.

Companies that withhold their source code or, even worse, withhold their protocols, are basically saying, "Your money is safe with us. Really, it is. Trust us." By publishing source, you get, for free, the best people in the field looking at your code, and either pointing out problems or giving it a clean bill of health.

Interactive Age: What is missing right now that needs to be in place before the Internet can be trusted as a channel for transmitting sensitive financial and business information?

Wagner: Well, this is one of the questions for research. If I had a complete and detailed answer to this question, I'd have a thesis dissertation right now.

But we can identify a few broad things we're missing: secure operating systems on the endpoints and secure software-distribution methods, instead of unauthenticated FTP [File Transfer Protocol] and HTTP [HyperText Transfer Protocol]. Those are some cases of broad functionality we need. But there's more.

Assurance of security is at least as important as the functionality available. If I had to pick the biggest item that is missing right now, it would be assurance. The public needs to have some assurance that new bugs in security applications won't be found. The only way to accomplish this is through public review - outside auditing, where independent security experts can evaluate the detailed internals of the security systems.

Today, many security companies are strongly resisting this, and I think they will need to learn to accept and embrace public scrutiny as a natural and necessary part of security systems.

Interactive Age: Is the proprietary network a better platform to sell goods electronically?

Goldberg: It depends what you mean by proprietary. In a sense, the Internet backbones in the United States are proprietary; they're owned by companies. If you mean that the methods used to transmit information over these networks are secret, then the answer is emphatically no. Security through obscurity doesn't work.

Another thing to keep in mind is that any infrastructure for electronic commerce should have the ability to support arbitrary people selling arbitrary goods over the network. The World Wide Web has introduced the concept that "everyone is a publisher." There's no reason why any of these publishers should be denied the ability to charge for the information they give out.

That's why a system similar to cash, where anyone can give or accept it, is better, in my opinion, than a system similar to credit cards, where only special merchants can accept payments.

Interactive Age: What about closed networks, such as America Online and CompuServe?

Wagner: Obviously, businesses want to reach as many consumers as they can; online services limit your reach. And I haven't seen any security benefit to using a closed network. AOL and CompuServe don't have any technical advantages over the rest of the Internet.

Interactive Age: What do you see yourselves doing after you graduate?

Wagner: That's a long way off, so it's hard to tell. But I'll definitely be staying with research, almost certainly staying with something having to do with computer security and cryptography.

Goldberg: Right now, my thoughts are that I'll be headed for academia, but who knows what the future holds?
