What's Your
I seem to be hitting on security stories this week. Via BoingBoing, here's a screed from financial cryptographer Ian Grigg, decrying the obviously poorly thought-out threat model behind the seemingly ubiquitous SSL protocol. (For those not into crypto jargon, SSL is the security protocol at work when your browser puts up the lock/key/what-have-you to indicate you're talking to a website securely.) As he wants us all to know, a well-defined threat model is behind every decent crypto protocol. Spoken like a true engineer. If only life were so simple.

Allow me to share some history. The reader will likely recall that once upon a time Netscape stunned the net by giving away its web browser. Leading to the question: Where's the money? (Such questions were still being asked at that time.) Part of the answer was Netscape-specific HTML tags that tried to create barriers for other browsers. A bigger part was a set of attempts to 'improve' the HTTP protocol in proprietary ways so that the creators of sites who wanted to talk to the (free) Netscape browsers that had suddenly permeated the net would have to buy (non-free) Netscape servers. Amongst those improvements was SSL, which at the time of release was a Netscape proprietary. I was not there at the invention of SSL, so I don't know if its element of client/server lock-in was a design criterion, or a happy accident from the business point of view. I was a potential customer of Netscape, and I can certainly attest that the company sold hard on the point. Oh, they also put in one other 'feature' as part of this improvement: the infamous Netscape browser security alert dialog, warning that the user's information could be filched as it trickled through the net. This was not a good idea.
Take the newbie user's natural anxiety around the novel medium, aggravate it with a cryptic and intimidating prompt, and suddenly consumers who didn't think anything of rattling off their credit card numbers over an unsecured cell phone wouldn't have anything to do with the newly discovered 'e-commerce' marketplace. Credit card and identity thieves must be lurking at every router. D'Oh! While the press loved the 'dark side of the net' story angle, the budding Internet mall merchants - the ones that were supposed to buy Netscape servers - were not pleased. Meanwhile, the technology industry was working hard to make things worse. Since there had to be an open alternative to the proprietary SSL, soon there was another Web security protocol called SHTTP, doing more or less the same thing (though at the application layer, not transport). No new threat model, just a goal of getting rid of Netscape lock-in. Microsoft, not to be left in the shade, started working on something called STT, which differed in being specific to credit card transactions. Far from having a clear threat model, one of its main design goals was to enshrine the role of banks in the transaction, because Microsoft had a wily plan to lock the bank card associations, particularly Visa, into its own technology. Now not only the consumers were confused, but the developers and merchants as well. Wonderful. At this point, Netscape seemed to belatedly realize that SSL as a proprietary was a busted strategy, and signed over the specs to an industry consortium. Soon thereafter, the browser market imploded to two viable vendors, both of which supported SSL. Shortly there were also open source versions of the protocol widely available. Secure Web transactions consisted of an SSL session to a server, which dumped the results into an existing (non-Internet) credit card clearing network. 
Visa eventually wised up to Microsoft's end-run, coopted the bank-card-specific security project as SET, and ultimately released the resulting protocol, to complete indifference from the marketplace. SSL went on to metastasize its way into a number of other applications, at least partly on the strength of the sheer ubiquity of implementations. And the consumers eventually started buying. Not because they understood that one security protocol now reigned supreme. More by a combination of familiarity breeding contempt, and a belated marketing push from (ta-da!) the bank card associations. Who finally woke up and realized that from the consumer's point of view, security = trust = brand, and they already had the right brand positioning, technology or no. Soon the Christmas ads were full of happy consumers buying on the net, and fraud loss guarantees were extended to all. That began a cat-and-mouse game with online credit card fraudsters that still continues, but at least the card associations can carry it on in the confidence that no Netscape or Microsoft is going to be wedging their way into the bank's food chain. Moral of the story? It's the business model more than the threat model that often dominates the real world of commercial security deployment. Grigg is right that if the actual threat had been analyzed, the focus would have been on the server (Willy Sutton: "That's where the money is."), not hypothetical packet sniffers. But that wouldn't have created a client/server lock-in, so it didn't fit the actual goals. Security designers - paranoids by trade - would be well advised to find an equivalently cynical business type to vet their ideas.
Update: Here's a more complete description of the STT/SET (& SEPP) saga which I simplified for the sake of brevity. I will, however, hold to my point that MSFT was implicitly trying to position STT against SSL from the merchant's point of view. The name of the game at the time was trying to capture mindshare of merchants going onto the Internet. That's the entire thrust of this post: the business model games being played swamped out the technological considerations (else why would anyone have designed the baroque SET protocol?). At the end of the day, the merchants cared a helluva lot more about tapping into the growing base of customers enabled with SSL browsers than they did about the relative merit of the security protocols, or even Visa's attempts at bribery to push SET into the market, in the form of reduced clearing fees. Eventually, VISA got the message that their brand mattered a lot more than technology.
Memetic replicator gene?
Science writer Carl Zimmer went on the blogroll recently without much explanation. If your usual blog diet is information tech, or business punditing, consider a visit to expand your horizons. Here's a great, thought-provoking post on the detective work in discovering part of the genetic basis for language. Turns out that it's a mechanism that lets us be efficient copycats. And that is part of how we have moved largely from the genetic evolutionary track onto a memetic evolutionary track. The verdict on that experiment is, of course, still unknown. Fascinating.