Browsing through security issues

Security is expensive. It’s expensive in terms of complexity, management and non-ease of use. It’s also expensive in terms of the processing power required. But attempts to minimize the impact of the latter on Web servers are now affecting the very security that is being sought.

Web security is pretty good stuff. The basic idea is that you want to set up secure communication between yourself and a server that you are sure is the right one. At the same time, the server wants to be sure that it’s talking to you and not someone down the street.

The server has a digital certificate your browser uses to be sure it is communicating with the right server. You authenticate yourself to the server with your digital certificate or with a logname/password combination. Thus, the server knows who you are. You, as a user, authenticate yourself to an authenticated server – just the right level to be securing – and the communication is encrypted. What more could you want?

By the way, I say Web security is at “just the right level” because the authentication is taking place at the user level and not the system level, as is the case with many VPN products and services.

VPNs can be used between firewalls, in which case the communication inside the firewalls is open to eavesdropping, and the identity of the servers and users is not assured. VPNs can also be used between remote computers and a firewall. The result here is not much different – insecure internal communications and no server authentication. In addition, if the remote computer is compromised, the first line of corporate defence is breached.

But there is a disturbing, if understandable, trend that undermines some of the security of a secure Web environment. This is the movement to separate front-end processors that are used to off-load some of the computing-intensive work from the Web servers. These front-end processors mimic the server you’re trying to connect to. They have a digital certificate for that server, so your browser thinks it’s talking to the actual server. The front-end processor does the encryption and decryption, and communicates with the actual Web server using unencrypted datastreams.

Since this is all in a data centre, one might think that it’s all OK security-wise. But it’s not. The data is now exposed to eavesdropping, where it previously had not been.

Also, if the front-end processor is compromised, all the servers it front-ends for are compromised. But more importantly, you as a user can no longer be sure what you are talking to. Transparent proxies, Network Address Translation systems and firewalls have already compromised the original end-to-end Internet model, and I guess this is just another little step along the path. But I don’t have to feel good about it.

Bradner is a consultant with Harvard University

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Previous article
Next article

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now