Try to picture the vastness of the
Internet – and not just the World Wide Web or otherwise publicly
accessible resources. Think about how much of your day relies on your being able
to access it, how much data is being exchanged every second. The
mental picture seems to be larger than life, doesn't it? There can't
possibly be only a handful of companies that control intercontinental
IP transit in its entirety! While there is some dispute over what
qualifies an entity as a Tier-1 internet service provider, it is
usually agreed that such providers do not pay for data transit; they
include: AT&T, CenturyLink, Cogent, GTT, Deutsche Telekom, Level
3, NTT Communications, Sprint, Verizon, and XO Communications.
(http://www.technologyuk.net/the_internet/internet/internet_service_provider.shtml)
That's it. If you are sending or receiving any data
internationally/over geographically long distances, chances are that
your data is passing through at least one or two tier 1 networks. To
appeal to what appears to be the talk of the times, it's apparent
that it really wouldn't be exceedingly difficult to monitor data
ingress and egress to and from a particular region or country.

Next, imagine that the confidentiality
of your data (while in-transit over the Internet) depended on a mere
few dozen corporations – the name “VeriSign” probably rings a
bell. VeriSign is one of the larger, more popular certification
authorities in the world. VeriSign, like the other certification
authorities, runs its service based on the concept that they are
universally trusted – all operating systems and browsers implicitly
accept any resource as “genuine” if they have been verified by
VeriSign. To put that into perspective, websites and services like
PayPal, Facebook, Amazon, Twitter, and countless others depend on a
third-party organization (like VeriSign, DigiCert, or Comodo) in
order to prove to their users that they are “genuine”, and to
prevent anyone else from easily assuming their identity under false
pretenses. In essence, the very foundation of confidentiality, data
integrity, and “trust” is deeply flawed; in theory, if a
certification authority wished/was compelled to, they could very
easily spoof any website/service or decrypt any data sent from/to one
of their customers. Suppose all certification authorities were
saints, and would never accept a court order or bribe intended to
persuade them to compromise a client of theirs. Yet, a problem still
remains: security of the authority themselves. It isn't beyond
imagination that such an authority can be hacked, is it? In fact,
it's happened in the past.
(https://www.schneier.com/blog/archives/2012/02/verisign_hacked.html)
(https://technet.microsoft.com/en-us/library/security/2607712.aspx)
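
To see how concentrated that trust is on your own machine, the following added example (not part of the original post) groups the root certificates in the local trust store by the organization that operates them. The function names and the sample data are assumptions made for illustration, and "subject equals issuer" is used as a simple heuristic for identifying a root.

```python
import ssl
from collections import defaultdict

def subject_field(name, field):
    """First value of `field` in an X.509 name as the ssl module decodes it."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None

def roots_by_operator(certs):
    """Map each operating organization to the root certificates it controls."""
    groups = defaultdict(list)
    for cert in certs:
        subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
        if subject != issuer:
            continue  # issued by someone else: an intermediate, not a trust anchor
        org = subject_field(subject, "organizationName") or "(no organization)"
        groups[org].append(subject_field(subject, "commonName") or "(no common name)")
    return {org: sorted(names) for org, names in groups.items()}

def system_roots():
    """CA certificates that Python's default TLS context trusts on this machine.
    Certificates kept in a capath directory are listed only after first use."""
    return ssl.create_default_context().get_ca_certs()

def _name(org, cn):
    return ((("organizationName", org),), (("commonName", cn),))

# Constructed sample in the shape get_ca_certs() returns; the names are made up.
SAMPLE = [
    {"subject": _name("Example Trust Services", "Example Root G1"),
     "issuer": _name("Example Trust Services", "Example Root G1")},
    {"subject": _name("Example Trust Services", "Example Root G2"),
     "issuer": _name("Example Trust Services", "Example Root G2")},
    {"subject": _name("Sample CA Corp", "Sample Global Root"),
     "issuer": _name("Sample CA Corp", "Sample Global Root")},
    {"subject": _name("Example Trust Services", "Example Issuing CA 1"),
     "issuer": _name("Example Trust Services", "Example Root G1")},
]

if __name__ == "__main__":
    groups = roots_by_operator(system_roots()) or roots_by_operator(SAMPLE)
    for org, names in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(names):3d}  {org}")
    print(f"{len(groups)} organizations hold {sum(map(len, groups.values()))} roots")
```

Run as a script, it prints one line per organization with the number of roots it holds; if the local store cannot be enumerated, it falls back to the constructed sample.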

I'm probably expected to offer a
solution of some sort, but that's not why I chose this topic for this week's post. My main
motivation in writing this was to simply portray how much we depend on
a select handful of organizations for the Internet/WWW to function
correctly. There are, of course, some “solutions” (meshnets,
keyless SSL, etc.) that have been offered to both of these issues,
but they will likely be very difficult to implement on a widespread
scale.