Werner's Blog — Opinion, Analysis, Commentary
The Fiction of Internet Security

The Heartbleed Bug was discovered as a major vulnerability in the popular OpenSSL software that is used to encrypt and secure internet connections between web browsers and web servers, among many other applications. This vulnerability compromises security without leaving a trace—an absolute nightmare for internet security. While software patches were made available quickly, the mere existence of the bug has sent shockwaves through the internet community. Internet security is never absolute, and may well be more fiction than fact. The success of hackers in stealing millions of account names and passwords tells us that security remains the Achilles' heel of web commerce. Why is internet security so difficult to accomplish? There are many reasons for compromised internet security, but among the top three are what I like to call the three ‘I’s: ignorance, inattention, and inability.

In my top three list, ignorance is the first reason. Many people only wake up to the dangers of compromised security after the damage is done. Inattention is the second reason. Many network appliances (such as routers) remain unsecured and vulnerable because owners never bothered to configure them properly. Inability is the third reason. We are only human. How many passwords can we remember? How difficult are the passwords that we can remember? If you are still using "password123" as a password, or your birth date, or your pet's name, you will soon find out that hackers can guess that too. Passwords that one can remember are inherently weak, but good passwords are difficult or impossible to remember. People are bad at remembering many different and difficult passwords. Software solutions, such as the iCloud Keychain by Apple, generate unique and difficult passwords for each web site and account, and share these passwords across your iCloud-enabled devices. As long as you remain in possession of your devices, this will make things much easier. The catch is obvious: if you lose possession of your device, and/or this device is not secured with a sufficiently strong password, the thief will gain instant access to all your passwords. In this case it becomes even more important to secure your smartphones against theft and misuse.

One thing is for sure. Internet security will remain on our collective radar screen for decades to come. Our tendency to opt for convenience over security will keep us vulnerable. Security turns into nuisance, nuisance turns into aversion, and aversion turns into inattentiveness and carelessness. Internet hackers and thieves count on it.

Posted on Saturday, April 19, 2014 at 20:15 — #Internet
© 2018 Prof. Werner Antweiler, University of British Columbia. Contact me at: werner.antweiler@ubc.ca