12 April 2010

Internet security is dying painfully

Just now I saw a link on Hacker News with the following text (I'm linking it to the comments page for that link instead though):

This link says it's from YouTube but it's not (youtube.com)

Sure enough, Hacker News is reporting the host for the link is YouTube.com, and a quick glance at the URL shows it actually is (see bold):

http://www.youtube.com/redirect?username=digitalhook&q=http%3A%2F%2Fsecuritytube.net%2FSocial-Engineering-Attacks-using-Simple-Redirections-video.aspx&video_id=Vgc3NVVpb8c&event=url_redirect&url_redirect=True&usg=UE0DOmwjBRK-mgheFtW1hMTEvh4=

But look a little further and notice it says "redirect", and a little further along you see where it's redirecting (see the red above). In more malicious case, of course those could be further obfuscated so a cursory look by an intelligent human wouldn't see the redirection.

The sad part is, as noted by commenter Charles Randall, "I've taught people how to scan for valid links, and now they can't even trust that."

That's exactly right. The cost of maintaining security by the end-user, as paid by every individual end-user, is growing with little to no value created for any single one of them. The time spent checking the URL's host to ensure clicking it is safe becomes less effective with this kind of redirection: it's all cost and no gain, most of the time.

This comes right after I read Internet Security is a failure, which argues that these four facets of internet security has been a failure: "1. Identity and Authentication / 2. Transport Security / 3. Secure Software and Operating Systems / 4. Law Enforcement".


This reminds me of the article: Are users right in rejecting security advice?, and the paper from Microsoft the article links to as well: So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (pdf). Both are great readings, and it certainly makes sense to look at security as an economic question.

Anyway, internet security is in a sad state of affairs.

No comments: