2018: the year that web security moved forward

According to @year_loading on Twitter, we’re now:

▓▓▓▓▓▓▓▓▓░░░░░░ 62%

And there have been some great advances in web security and capability that are finally putting a nail in the coffin of 25 years’ worth of web legacy. It’s been a long time coming.

The Early Years of The Web

I graduated high school as the class of ’93, starting a Bachelor of Computing and Mathematics at UWA in 1994. I wrote my first web pages in the summer of 1995 – content about the city of Perth (there was no Wikipedia), and by 1996 was being paid to carefully craft web content in two languages, English and French — content which is still online today.

Cascading Style Sheets were born (“W3C Recommendation”) in late 1996, and by 1997 I was lecturing about CSS to staff at UWA in my role as the university’s webmaster. JavaScript was starting out, and Sun was all about embedding their Java language into the browser as clunky, heavy applets.

It was the Netscape Navigator 1.1N release of 1995 that spawned SSL for transferring the hitherto plaintext, unencrypted HTTP protocol, coupled with X.509 certificates. Together they looked like they could provide a distributed secure system over untrusted networks with a solid chain of trust, something that could potentially be used for some sort of transaction — perhaps as far as commerce.

It has now been more than 20 years since that Navigator release; and as expected, the encryption technologies of that era — as open as they were — are now relegated to the past (SSL 2.0 and SSL 3.0 are formally prohibited by RFC 6176 and RFC 7568). Or they should be.

The horrible middle years

Don’t let me dwell; suffice to say:

  • Java Applets
  • Fractured web browser ecosystem (Microsoft)
  • Flash
  • Digital Rights Management
  • Proprietary (closed) formats

…were all horrible. Slow, clunky, insecure, or just broken.

And today in 2018

The HTML mark-up language today is just as readable and renderable as it was then. Openness has preserved the history of the web – for content which has not been replaced or removed. Archivists worry about a period of our history in which paper records are declining, but open formats have outlasted proprietary ones and still render today.

As an aside, in 1999 I joined Debian as a (volunteer) developer; Debian itself today turned 25 years old.

Cryptography rules the world. We stand today where Google Chrome, which itself holds over 60% of browser market share, reports that as of July 2018, 76% of the traffic its users consume is over HTTPS on Microsoft Windows desktops, and 86% for Apple Macintosh users.

Moore’s Law on computing power, and economics, mean that attacks on now-‘historic’ mechanisms for securing content are now practical. I’ve seen attacks on GPG short key IDs (8 hexadecimal characters, i.e. 32 bits) by people trying to impersonate others: they generate keys repeatedly until the short key ID matches the target’s (the long key IDs were different). Attackers pad PDFs with hidden data to bloat their size so that two different documents share the same checksum (as in the 2017 SHA-1 PDF collision).
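To make the short-key-ID attack concrete, here is an added worked example (not code from the original post). It models a fingerprint as SHA-1 over random bytes standing in for a freshly generated key (an assumption; a real OpenPGP v4 fingerprint is SHA-1 over the public-key packet) and runs the targeted search on a reduced 16-bit suffix so it finishes in well under a second. The work scales as 2^bits: matching a full 32-bit short key ID costs about 4.3 billion fingerprint computations, which is within reach of commodity GPUs, while the 64-bit long key ID and especially the 160-bit fingerprint are not. The function names are mine.

```python
import hashlib
import random


def fingerprint(key_material: bytes) -> str:
    """Model of an OpenPGP v4 fingerprint: SHA-1, 40 upper-case hex digits.
    Assumption: key_material is random bytes standing in for a real
    public-key packet."""
    return hashlib.sha1(key_material).hexdigest().upper()


def short_key_id(fp: str) -> str:
    # The "short key ID": last 8 hex digits (32 bits) of the fingerprint.
    return fp[-8:]


def long_key_id(fp: str) -> str:
    # The "long key ID": last 16 hex digits (64 bits).
    return fp[-16:]


def expected_trials(match_bits: int) -> int:
    """Expected number of fresh keys an attacker must generate before one
    matches a chosen target on its trailing match_bits bits. This is a
    targeted (second-preimage style) search, not a birthday search, so the
    cost is 2^bits, not 2^(bits/2)."""
    return 2 ** match_bits


def forge_matching_suffix(target_fp: str, match_bits: int = 32, seed=None):
    """Generate random 'keys' until one has the same trailing match_bits
    bits as target_fp but a different full fingerprint.
    Returns (forged_fingerprint, trials_needed)."""
    rng = random.Random(seed)          # seeded only so runs are reproducible
    hex_digits = match_bits // 4
    target_suffix = target_fp[-hex_digits:]
    trials = 0
    while True:
        trials += 1
        candidate = rng.getrandbits(256).to_bytes(32, "big")
        fp = fingerprint(candidate)
        if fp[-hex_digits:] == target_suffix and fp != target_fp:
            return fp, trials


def same_key(fp_a: str, fp_b: str) -> bool:
    """The defence: identify keys by the full fingerprint, never by a
    truncated key ID."""
    return fp_a == fp_b


if __name__ == "__main__":
    # Constructed stand-in for the victim's key material.
    victim = fingerprint(b"victim public key packet (constructed)")
    forged, n = forge_matching_suffix(victim, match_bits=16, seed=2018)
    print(f"victim  {victim}  short={short_key_id(victim)}")
    print(f"forged  {forged}  short={short_key_id(forged)}")
    print(f"matched last 16 bits after {n} trials "
          f"(expected about {expected_trials(16)})")
    print(f"full 32-bit short ID would need about {expected_trials(32):,} trials")
    print("same key by full fingerprint?", same_key(victim, forged))
```

Run it as a script to see the collision on the trailing 16 bits and the matching trial count; raise match_bits to 32 only if you are prepared to wait, which is the point. Any tooling that displays or accepts the 8-character ID is inviting exactly this confusion; compare the full fingerprint, as same_key does.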

What’s clear is that the majority of the IT industry has become terrible at one thing: deprecating legacy. I see this with Java developers who ignore warning messages about deprecated methods. And I see this with web sites that turn on every possible combination of TLS (SSL) protocol versions, cipher suites and hash algorithms, despite most of those combinations now being known to be insecure.

Transitions are hard. Here’s a list of some of the web transitions going on now to help secure, speed, or improve content or connectivity:

  • HTTP/2, replacing HTTP/1.1 and 1.0
  • HTTPS replacing unencrypted HTTP
  • IPv6 replacing IPv4
  • TLS 1.2 replacing all earlier versions, with TLS 1.3 (RFC 8446, August 2018) now finalised and about to replace it
  • AES ciphers replacing RC4, DES, 3DES
  • AEAD cipher suites such as AES-GCM replacing CBC-mode block chaining with a separate MAC
  • Elliptic curve cryptography (ECDSA certificates, ECDHE key exchange) replacing RSA, whose security rests on the difficulty of factoring, for certificates and key exchanges
  • Stronger message digests from the SHA-2 family (SHA-256, SHA-384) replacing SHA-1, MD5 and worse
  • Brotli compression replacing gzip and deflate
  • Angular, React, Bootstrap and other JavaScript frameworks replacing the Flash and Applets of the past
  • DNSSEC starting to roll out (come on gov.au, and Route53)
  • Browsers being able to actively enforce stricter policies around content and actions they take
  • SVG replacing bitmap formats for specific use cases
  • Java 8 replacing Java 6 and 7
  • Java 11 (LTS) about to replace Java 8
  • Python 3.x replacing Python 2.x
  • NodeJS 8 replacing NodeJS 6 and 4
  • Linux replacing Solaris and all Unix before it
  • Cloud replacing on site data centres, Co-Lo and traditional ‘managed services’
  • PaaS replacing IaaS + blood, sweat and tears
  • SAML and OpenID replacing LDAP
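The “turn everything on” TLS configuration complained about above, and the protocol, cipher and key-exchange transitions in the list, can be made concrete in a few lines. The following is an added example (not code from the original post) using Python’s standard ssl module: one context enables every cipher suite the linked OpenSSL knows, the other restricts the server to TLS 1.2 and above with ECDHE key exchange and AEAD-only bulk ciphers, and a small audit function classifies each negotiable suite by the legacy properties the post lists (RC4, DES/3DES, CBC-with-HMAC, MD5, static RSA, anonymous). The function names are mine; the field names come from SSLContext.get_ciphers(). Exactly which suites appear depends on the OpenSSL build the interpreter is linked against.

```python
import ssl


def permissive_server_context() -> ssl.SSLContext:
    """The 'everything on' configuration, constructed for contrast only:
    every cipher suite the library knows. The protocol floor is left at the
    library default so the example runs on any OpenSSL build; the cipher
    list alone is enough to show the problem. Do not deploy this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 as the floor (TLS 1.3 is negotiated automatically when the
    library supports it), ECDHE-only key exchange for forward secrecy,
    AEAD-only bulk ciphers (AES-GCM, ChaCha20-Poly1305), no anonymous
    suites, server-side cipher preference, and no TLS compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    return ctx


def weaknesses(cipher: dict) -> list:
    """Legacy properties of one suite, as returned by get_ciphers().
    Values are lower-cased and matched by substring so the check works
    across OpenSSL versions (e.g. 'kx-rsa' / 'RSA', 'des-ede3-cbc')."""
    symmetric = (cipher.get("symmetric") or "").lower()
    kea = (cipher.get("kea") or "").lower()
    auth = (cipher.get("auth") or "").lower()
    digest = (cipher.get("digest") or "").lower()
    reasons = []
    if "rc4" in symmetric:
        reasons.append("RC4 stream cipher")
    if "des" in symmetric:
        reasons.append("DES/3DES block cipher")
    if not cipher.get("aead"):
        reasons.append("non-AEAD (CBC or stream cipher with separate MAC)")
    if "md5" in digest:
        reasons.append("MD5 MAC")
    if "rsa" in kea:
        reasons.append("static RSA key exchange (no forward secrecy)")
    if "null" in auth or "none" in auth:
        reasons.append("anonymous (unauthenticated) suite")
    return reasons


def weak_ciphers(ctx: ssl.SSLContext) -> dict:
    """Map of suite name -> list of reasons, for every weak suite the
    context would still negotiate. Empty means the context is clean."""
    return {c["name"]: weaknesses(c) for c in ctx.get_ciphers() if weaknesses(c)}


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        weak = weak_ciphers(ctx)
        print(f"{label}: {len(ctx.get_ciphers())} suites, {len(weak)} weak, "
              f"minimum version {ctx.minimum_version.name}")
        for name, reasons in sorted(weak.items()):
            print(f"  {name}: {', '.join(reasons)}")
```

Run it and compare the two reports; the permissive context still offers static-RSA and CBC suites, the hardened one offers none. The same policy in nginx is ssl_protocols TLSv1.2 TLSv1.3; with an ssl_ciphers string limited to ECDHE and AEAD suites, and the audit function is a cheap pre-deployment check to run against whatever cipher string you intend to ship.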

With all of these changes (and more) it’s hard to keep up. Some of these items are for SysOps people to fix, some are for developers, yet all can be done by full-stack DevOps engineers.

I’ve been idle on web content up until about 6 months ago; frustrated with a lack of real innovation and cohesiveness, and no real way to differentiate ‘good’ and ‘bad’ configurations of all of the above. Sadly, many poor configurations of systems and solutions are masked by the fact that they still function, even if they are inferior in speed, efficiency, cost, or security.

For two decades governments have tried to move to IPv6, but have successively failed. ISPs fail to offer IPv6 to their customers, undermining the drive for the major transport protocol migration; workaround upon workaround has had to be devised. IPv6 traffic in Australia stands at 5% or so in 2018; yet at no additional cost, many solutions can be deployed as ‘dual-stack’.

Managing these transitions while systems are live is interesting. But this is what motivates me.

We have a lot of web legacy. There is much to be done.