Apr 17, 2018

We built the internet to be insecure

A heap of old computer monitors from the '80s and '90s

Photo: Photoshot/Getty Images

Today's cybersecurity mess has its roots in decisions a small group of engineers made in the internet's youth. Axios caught up with one of them, Paul Vixie, on the eve of the annual RSA cybersecurity conference.

Why it matters: RSA is where the security elite gather each year to cope with the world those early decisions shaped — and, as Vixie explains it, the system was intentionally designed to be open.

How it happened: "Every app we built for the internet was designed as if it was for a boy in a plastic bubble, a completely clean environment with nothing malicious," Vixie said.

Why it matters: Vixie is confident that his work — focused on the domain name service protocol — hasn't caused today's security woes. But other basic elements of the internet have proven fundamentally insecure, like email and data routing.

  • "No one ever thought someone would want to lie in the 'from' field of an email, or send email the recipient wouldn't want. And that made sense for a network of academics and military contractors, before anyone who could pay an internet service provider could get online," he said.
  • By the time such openness stopped making sense, massive growth made it tough to change basic services.

Take Border Gateway Protocol (BGP), which routes data from a far-off server to a local computer. There are known flaws, "but the last update was BGP-4 in the 1990s," Vixie said. "Back then, only a handful of ISPs cared. If you could get a thousand people to agree to a change, you could change it."

Today, so many people, companies and institutions are affected by changes to fundamental services like routing and email that they are almost impossible to enact.
