Wednesday, November 3, 2010

Security Costs vs Benefits: Should companies deploy SSL to deal with Firesheep?

Yesterday, I talked about why end-users don't care about security and how that actually makes a certain amount of sense for them since the cost of behaving more securely can overwhelm the cost of an actual breach.

However, what I didn't talk about is whether this is true for companies. A single security breach in a single user account maybe doesn't cost a company much, but if breaches get common enough that they start losing users, it could be a problem with a much higher cost.

While users trying to protect themselves from curious folk with Firesheep are counseled to use a VPN, website owners can choose to do encryption right from their end using SSL. But it was thought that SSL was computationally costly and even environmentally costly due to the supposed need for extra electricity and machines.

But who's been looking at what those costs actually are? A blog post entitled "Overclocking SSL" looked at the severity of these costs as its authors deployed SSL, and made a pretty clear statement:

"If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users."

So there you have it: the people who should be protecting users from Firesheep attacks are probably the companies who run the websites, since SSL isn't likely to be as costly to them as numerous complaints and support requests from their users would be. The cost equation might not be the same for all organizations, since the cost of certificates and labour can be non-trivial if you don't already have expertise on hand. But sure enough, Google has decided to provide HTTPS access by default to all Gmail users, so they clearly believe it's worth it.

This leads to an interesting question: Does the burden of security always fall heavily on corporations and large organizations rather than on end-users? Many would argue that this is naive and that users must bear some responsibility; others would argue that only corporations have the resources necessary to make an impact on security. This is a much larger discussion that I expect we'll see occurring over and over again for a very long time.

Tuesday, November 2, 2010

Apathy or sensible risk evaluation: why don't people care about security?

Engineer Gary LosHuertos decided to try "Herding Firesheep" in New York City: He sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose Facebook accounts he could access, warning them of the security flaws. Some people closed up and left, but some just ignored his message and went on with their day. Confused, he sent another message, but they just didn't seem to care and continued using their accounts.

"This is the most shocking thing about Internet security: not that we are all on a worldwide system held together with duct tape that has appalling security vulnerabilities; not that a freely available tool could collect authentication cookies; and certainly not that there are people unaware of either. What's absolutely incomprehensible is that after someone has been alerted to the danger (from their own account!) they would casually ignore the warning, and continue about their day."

But is this shocking? To someone who cares about security, maybe. To someone who knows people? Less so.

Cormac Herley has an absolutely great paper entitled "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users":

"It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort."

So let's think a little bit about cookies and Firesheep. One of the ways to be most safe is to browse using a VPN. For someone who already has one set up, this is pretty much a matter of toggling something on your computer: pretty low difficulty and less trouble than having your accounts hacked. You can see why many geeks think it's ridiculous that people wouldn't just secure their sites: even if you include time setting up the VPN, for many folk that's a task that falls under the heading of "something I meant to do anyhow" and isn't really perceived as costly.

But if you're not a computer-savvy person who has a server online to host a VPN, setting up a VPN can be stupidly costly. Maybe you'd have to replace your router with one that can handle it. Maybe you'd have to pay for hosting. Maybe you'd have to spend hours figuring out how to generate keys, or pay someone else to do that. Maybe just figuring out what you need to do at all is going to take hours. Quickly, the hours required seem worth more than the cost of having some stranger send you messages from your own Facebook account, or maybe set your status message to something embarrassing.

Perhaps what we need to raise the costs of a security mishap is a little evil. It's actually easy to craft a Firesheep-based attack that would raise the cost high enough to make VPN hunting (or just not using the Starbucks wireless) seem worthwhile to most people: Log into someone's account, delete all their status messages, notes and photos, defriend all their friends. Since there's no easy way to back up your Facebook profile, the results would be devastating and partially unrecoverable: worth more than the pain of setting up a VPN or going without FB while in a coffee shop. It might be easier to litigate for theft/unauthorized access than it is to restore that profile, so I don't recommend any security vigilantes start doing this!

So I guess the take-home message here is that while it's worth trying to educate users so they can make smarter decisions, they're not necessarily being delusional or foolish when they just say "meh" and go on with their lives. If we want to make a really huge impact, we need security solutions that are so low-pain that there's no longer any rational reason to reject them.