How to secure the Internet with a single service

We're a small step away from deploying simple DNS-like service that could largely fix security without fancy new tech

I've been writing about how to secure the Internet for almost a decade, including in this InfoWorld position paper (PDF), which gives most of the details. My proposal is this: A new Internet channel must be created to establish pervasive authentication and improved services for identifying the bad guys.

That might seem like a tall order in today's ultramalicious online world, but it can all be readily done using existing protocols and integrate with all legacy systems.

[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]

In the past, many readers have recoiled from the notion of pervasive authentication. An Internet where everyone knows who everyone else is a contentious idea. But those concerns can be addressed by having anonymous and pseudo-anonymous identities, and channels that don't mind those types of identities with less trust assurance. 

In all modesty, I think the best part of my solution is a new centralized service that serves as a sort of "DNS for security."

Like DNS, the new security service would be everywhere on the Internet, available for all to us, and mostly invisible behind the scenes. I envision a centralized service that keeps track of all the bad things going on around the Internet and lets everyone else know when badness is confirmed. For example, Microsoft recently confirmed that four brand new computer brands contained malware installed at the factory -- and also discovered a single parent domain, 3322.org, hosting 500 different malware strains across more than 70,000 sub-domains.

Wouldn't it be wonderful if both the computer vendors involved and the 70,000 exploitative sub-domains were immediately announced to the world as "bad actors" so that the rest of us (and our software and computers) could respond appropriately? Much of the anti-malware world knows most of the malicious places and things on the Internet. I believe this sort of information should be freely shared with the entire world, rather than held by particular vendors.

What's needed is a new service that has the simplicity of a DNS query ("one packet sent, one packet received"), which can tell the originator whether or not a particular subject has been previously determined as malicious or not. Some vendors have already built this sort of functionality into their products. But what I'm talking about is a service the works no matter what product, operating system, or device you use.

In my ideal world, every time anyone received a piece of incoming content, regardless of the the application, the computer would send a trust query behind the scenes: "Can this content be trusted?" The answering service would be backed by a cloud database that collected anti-malware information from a variety of vendors and products. That way when a spammer launched its latest spam campaign, the service would get early warning and the rest of the spammer's campaign would fail. Millions of spam emails would fail and make spam unprofitable again.

If some part of the Internet, such as 3322.org, were identified as hosting too many bad sites, everyone would know immediately. And if the owner of 3322.org cleaned up his act, he might be able to get his domain and sub-domains unflagged, and start to join legitimate society again. But only with a DNS-like trust service could we immediately mark, communicate, and defend against these malicious actors that depend on our ignorance to get rich. Malicious hackers live by the byte at the speed of light. I say let them disappear by the same method.

We would need to build, fund, and maintain this new service, but we already do the same with DNS today. DNS is pervasively used by everyone, and I don't hear anyone complaining about its cost. A security service could be provided using the same mechanisms as we use to support DNS, which relies on a few contracted parties supplemented by a host of volunteer devices. We already have the model. We just need the new service.

Actually, one global security service probably isn't enough. Others can probably come up with different protection services at least as good as the one I suggest above. For that, we need a meta-security indexing service. Essentially, you would have a few servers that would host the records of all the underlying security services, of which my trust assurance servers would be one. Your device could query the indexing server for a particular security service and get immediately redirected to the right computer or computers.

The Internet is long overdue for a more secure version. We can make it. We can do it. It just takes the right people with a common vision coming together for a few months to implement existing protocols against a few new databases and services. It will happen -- and I hope I'm part of that change.

This story, "How to secure the Internet with a single service," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Join the discussion
Be the first to comment on this article. Our Commenting Policies