A Question of Trust

We all need to take security seriously. It is mostly a question of trust.

2021-01-24 Previous Home Next

How many people in the world would you trust with the password of your bank account? How about with your phone's passcode? Your browser history?

If a friend introduced you to someone you had never met before, would you hand this new person the key to your car? Your house? Would you let this person pick your kids up from school?

Safe

You'd probably trust one or two people— certainly no more than a handful.

And yet, the vast majority of people have ceded control over their lives to nameless people they have never met. In our digital world today, we use our devices and networks without thinking.

And this is a problem.

The SolarWinds hack

Back in December 2020, the U.S. Department of Homeland Security, Treasury, Commerce, and many other departments discovered that they had been running software written by hackers, likely working for the Russian government.

The hack extended to many large corporations, too.

The hackers first got inside an IT management software provider named SolarWinds based in Austin, TX.

Their software performs routine IT tasks for customers, for example, monitoring their networks and servers. In order to perform its job, this software accesses the customers' systems just as their own IT department can.

The hackers inserted malicious code into SolarWinds's releases, which its customers dutifully downloaded and used.

This means that for several months last year, thousands of large corporations and government departments were running the malicious software. It could have accessed many restricted databases and perhaps impersonated many users to perform unwarranted actions.

The lesson

To function in our digital world, we have few alternatives but to trust many actors every day.

But hacks like these illustrate that the people we trust, in turn have to trust other people. IT departments, in particular, are often the recipients of unquestioned trust. Whoever they in turn trust can compromise everyone downstream. We are all vulnerable.

Our infrastructure of trust has been set up very carelessly and needs some serious rework.

This is a job for the designers of these systems and for governments.

In the meantime, we can start by becoming aware of the points of trust we rely on.

Certificate Authorities

Let me give you a short example: everyone tells you to look for the tiny green lock icon in your browser's status bar when connecting to your bank, your insurance company, or a payment provider.

This lock icon means something very specific: that an organization called a Certificate Authority asserts that the website is actually owned by your bank.

You can ask your browser to show you a readable version of this assertion called a "certificate," usually by clicking on the lock icon.

If you go to "solarwinds.com" today and ask your browser to see its certificate, you will see that the ultimate certifying authority, the "root CA," is a company called DigiCert, Inc.

Your browser automatically trusts a list of over a hundred such certificate authorities spread all over the world.

But you have no objective reason to trust any of these global certificate authorities. You don't know them from Adam. No regulations apply to them. They are under no obligation to make sure that they provide valid information or take particular steps to make sure they are not compromised.

In fact, over the years, many of these organizations have themselves been hacked multiple times.

At least now you know whom you are trusting. It's a tiny step, but it's a start.