Some Trust in SSL

Friday, September 30, 2011

By Steven H. VanderLeest

When you visit a website and see the little padlock symbol by the URL address in your browser, that means the website has been verified to truly be who you think it is (and not a fake).  The technology behind that lock symbol is the SSL certificate.  A few companies are trusted as Certificate Authorities to issue these certificates, and the process is normally transparent to the end-user. Before you entrust your credit card numbers or other personal information, you just look for the padlock.  Simple, right?  But what if one of the Certificate Authorities was not trustworthy?  DigiNotar is a company that issues Secure Sockets Layer (SSL) certificates.  They have been in the news lately because they had a security breach.  It turns out they didn’t manage their data very carefully and took few precautions, so that hackers were able to gain access to issue fraudulent SSL certificates. How could this happen?  Why would any website provider trust this company for SSL certificates if DigiNotar had such shabby security practices?  While it still appears that the basic technology is sound for trusting websites, this case makes it clear that humans in the loop can be negligent or malicious so that the system is compromised.

Trust can never be simply a technical affair; it always has a human element.  The business social networking site LinkedIn uses a template email to invite folks to connect to each other. When a member contacts someone they know, asking to link up, the generic text indicates that one “has indicated you are a Friend.  Since you are a person I trust, I wanted to invite you to join my network on LinkedIn.”  Part of the popularity of social networking services like Facebook, Google+, and LinkedIn is that they leverage the trust inherent in human relationships.  The Circles that Google+ introduced were to reflect the varying levels of that trust (allowing one to share more information with a “Friends” circle than with an “Acquaintances” circle).

As the social networks reflect our relationships, you can see that trust is not an exclusive affair.  We can trust more than one person, institution, or concept.  But David’s psalm says otherwise: “Some trust in chariots and some in horses, but we trust in the name of the LORD our God.” (Psalm 20:7, NIV) We are faced with two choices to keep us safe and secure: we can either put our confidence in technology or in God.  Why are they mutually exclusive? Because in this case David is pointing to the foundation of his trust.  God is his ultimate source of security.  However, in proclaiming allegiance to God, David didn’t withhold confidence in his advisors, nor stop relying on the stairs to hold up underneath him, nor stop believing that the sun would rise the next morning.  That is, he could still have trust in people and things, but it was a contingent trust: conditioned on a fundamental trust in God.  In a fallen and finite world, we can never be 100% certain of people or things, so our trust is ultimately an outgrowth of our faith.  We can trust a bridge will hold up underneath us because we trust in the society that regulates the bridge, contingent on our trust in the individual engineers that designed the bridge, or contingent on our trust in the science that describes the stress-strain relationship of the steel plates and cables that comprise the bridge.

As Christians, we stack up these layers of trust on one sure foundation.  A technical analogy comes to mind.  In the arena of secure computing, there is always a concern that a software application might be compromised by an enemy who has substituted his own malicious code in place of the intended safe code.  A secure system provides an operating system that confirms that applications are trusted (correct copies that show no signs of tampering).  However, this trust is layered.  We can trust the software application because the operating system approves, but then how do we trust the operating system itself has not been compromised?  By trusting another layer yet.  A Trusted Platform Module (TPM) is a computer chip that confirms the operating system itself is correct, with no signs of tampering.  The chip is designed to resist tampering or bypassing.  In this layered trust model, the TPM is the ultimate source of trust, on which we can build contingent trust of the higher layers.  Similarly, Christian faith puts trust in God as the ultimate source of security and safety, the Creator of reality, the foundation on which all knowledge and culture is built. 

Technology sometimes lulls us into complacency because it works right so often.  Perhaps one good thing to come out of the DigiNotar debacle is that the episode reminds us that only God can provide 100% security.

Turn on the TV—Something has Happened

Sunday, September 11, 2011

By Steven H. VanderLeest

Even now, ten years later, some of the images and video clips cut to the heart.  That Tuesday morning I was in my office, preparing for a class I was teaching later that day when my wife called and whispered “turn on the TV, something’s happened”.  A plane had hit a building in New York.  Accident?  It had happened before, I remembered, a plane had accidentally hit the Empire State Building sometime after World War II.  It took me a few minutes, but then I found others around a television in a nearby classroom.  As we watched the North tower burn, a second plane hit the South tower of the World Trade Center.  In disbelief, the news commentator called out the details while we collectively realized this was no accident.  This could not possibly be a simple accident.

The deadly, destructive evil of that September 11th terrorist attack was answered with the stories of heroism that trickled out in the days afterward.  Tales of rescuers, tales of firefighters and police officers running into burning buildings to save others.  Tales of ordinary passengers that disrupted the hijackers on UA Flight 93, giving their lives to prevent a fourth attack that likely had targeted the US Capitol. 

The story of 9/11 is a complex quilt of culture, politics, religious extremism, geography, psychology, patriotism, globalism, and technology.  The warp and woof of our society and our world allows no easy separation of the threads that make up our reality.  Bruno Latour has written about the impossibility of insulating these pieces of our world:  “...the critics imagine that we are talking about science and technology.  Since these are… at best manifestations of pure instrumental and calculating thought, people who are interested in politics or in souls feel justified in paying no attention. Yet this research does not deal with nature or knowledge, with things-in-themselves, but with the way all these things are tied to our collectives and to subjects.  We are talking not about instrumental thought but about the very substance of our societies.” (Bruno Latour, tr. Catherine Porter, We Have Never Been Modern, Cambridge, MA:  Harvard University Press, 1993, p. 4)  His point was that not only are we unable to cleanly separate science from technology, but we are also incapable of really separating these so-called objective disciplines and objective instruments from the politics of power or the intercourse of communication.  He calls the new “things” that we introduce into our world, not simply things in themselves, but hybrids, that connect to other parts of reality.  They are networks, not in the technical sense, but rather conceptual connections between human and nonhuman actors. 

Why mention Latour on the anniversary of the September 11 attacks?  If we want to think about the technology that was brought to bear as a weapon, if we want to consider the technology that we brought to bear as a shield to protect ourselves afterwards, if we are trying to calculate the causes of the disaster, then we are mistaken to consider the technological artifacts by themselves.  Latour points us to the relationship, the interconnected imbroglio that relates the hard science and the soft weeping, relates structures we hoped were solid physical towers and solid governmental protections but found faltering on that day, relates questions of “what went wrong?” with “why do they hate us?”

So examine the technology and look for points of failure so that we can do better next time.  Invent new tools that will prevent an attack.  But make no mistake, technology by itself will not solve the problems of humankind.  The towers were built strong enough to withstand a plane crash, but we did not anticipate so heinous a mind that would crash a plane full of passengers and fuel at 800 kilometers per hour into the side of a skyscraper.  We brought war, regime change, and regional power shifts to Afghanistan and Iraq, but we did not anticipate a complex social fabric that led to a long stay, many casualties, and a nearly 10-year manhunt to find the man claiming ultimate responsibility for the attacks.  We introduced more stringent airport security, but did not anticipate explosives hidden in a shoe.  We waged war on terrorism to satisfy a thirst for justice and perhaps vengeance, but sometimes angered neighbors who thought we lashed out too indiscriminately.

On this tenth anniversary, I pay my respects to those that died, to those that gave their lives.  May God bless America, giving her strength to rise above, courage to carry on, and wisdom to pursue justice.  May God bless his world, that citizens of every nation may use our technology to fight evil and to do good, recognizing it is situated in a complex weave of realities.

(c) 2013, Steven H. VanderLeest