Development of Internet security 30 years of the Internet – 30 years of (in)security
02.02.2022A guest post by Stefan Henke
The first website went online more than 30 years ago – today the WWW consists of around 1.8 billion Internet pages. What has happened in terms of security in the last three decades? And where is there still a need for action today?
The DNS security market will continue to grow as companies need long-term solutions to provide remote work and access to the cloud securely.
(© knssr – stock.adobe.com)
The Internet has become an indispensable part of our everyday life. It serves us as a source of knowledge and information and formed an important cornerstone of digital communication during the pandemic. This makes it all the more important that everything that has to do with the World Wide Web is protected, whether it’s websites, servers or network infrastructures. Especially in times when the cybercrime rate is constantly increasing. However, many areas of the Internet are still unprotected –some of the protocols and technologies date back to the early days, when security still played a subordinate role.
HTTPS as a picture book example
A website is usually a place where an operator hosts content that other people interact with. Every interaction with a website is transmitted over the Internet. Since its introduction in 1991, websites have followed the unsecured HTTP standard. The problem: As an application layer protocol, the transfer protocol was previously only concerned with the visibility of content in the form of plain text – but not with securing and encrypting the data transport from the client to the server. Due to the lack of Secure Soket Layer (SSL), HTTP was insecure and consequently made all organizations using the standard vulnerable: anyone who is able to access this traffic could see the content.
Today, the secure HTTPS standard has become established: it encrypts the connection between the web server and the browser with the help of SSL/ TLS certificates and is indispensable today. The development is one of the biggest security changes in the last 30 years and a shining example of how vulnerabilities from the early days of the web can be remedied sustainably. However, there is another way.
Universal encryption standards still in the development stage
There are still unencrypted technologies from the early days of the Internet, when security was not thought of from the beginning. We encounter probably the most prominent one on the net every day: DNS queries. The Domain Name System (DNS) is the address book of the Internet. As soon as users make a request to a website, for example “security-insider.de “, the browser asks a DNS resolver for the IP address of the requested page.
The problem: both the DNS query and the answer to it are usually unprotected. In this way, controlled websites and domains can be easily manipulated, tracked and logged. The hodgepodge of such DNS-centered attack scenarios is called spoofing: in the DNS name resolution, the IP address of the target domain is manipulated. The terminal then accesses a fake IP and the traffic is redirected to the server of the “malicious” host. He can infect the device with malware or access confidential data.
Widespread DNS encryption would provide users with more privacy and security. Various solutions are currently being discussed, such as DNS over TLS (DoT) and DNS over HTTPS (DoH). DoT standards embed the original DNS message directly into the secure TLS channel instead of using HTTPS. The requested name can then neither be determined nor changed from the outside. Among other things, the DoH standard was developed so that web applications can access the DNS via existing browser APIs. For this purpose, the DNS traffic runs via encrypted HTTPS connection to DOH resolvers. The DOH protocol standard hides the actual HTTPS traffic and protects it from manipulation from the outside – like a protective shield. DoT and DoH are important, but still relatively new and are not yet universally used.
Browser isolation strengthens security
Browsers are the basis of every search query on the Internet. It is all the more important to protect them. This applies to private activities as well as for use in companies, especially as more and more applications for corporate users are operated from the browser.
In order to ensure security when using the browser, users can use various standards. The most complete among them is browser isolation. The core concept here is security through physical isolation; a “gap” is created between the web browser and the end device or corporate network. This vulnerability protects against browser-centric attacks, the browser is actually out of reach of the attackers.
Web gateways, firewalls or antivirus software are based only on already known threat patterns or signatures. In contrast, a complete isolation of the browser is based on the zero trust approach. This encapsulation can be carried out either locally or remotely. Local isolation simply moves the risk from the endpoint to another location without eliminating the actual risk. Cloud-based isolation separates the end-user’s corporate network or device while enabling complete IT control and compliance solutions.
Even if the browser isolation provides for a separation, security standards in themselves should not be considered in isolation from each other. If they are compatible with each other, users should make every effort to make their activities as secure as possible – this also means combining standards with each other.
Where will Internet security develop in the next few years?
The Internet has become one of the most central components of our lives. Nevertheless, the increasing dependence also reveals the weak point of this global resource: it has been developed for too long without security thoughts.
Nowadays, everything connected to the Internet must have active security standards. If you install these later, it is often already too late. Cloud computing in global networks elegantly combines security, data protection, performance and reliability. The more people join the network, the safer and more efficient it will be for everyone
About the author: Stefan Henke is Head of DACH at Cloudflare, the Internet infrastructure and security company. He previously worked for Symantec and Veritas. Since August 2018, Henke has been focusing on advancing Cloudflare’s mission – the worldwide improvement of the Internet – in Germany, Austria and Switzerland.