We built the internet to be insecure

A heap of old computer monitors from the '80s and '90s
Photo: Photoshot/Getty Images

Today's cybersecurity mess has its roots in decisions a small group of engineers made in the internet's youth. Axios caught up with one of them, Paul Vixie, on the eve of the annual RSA cybersecurity conference.

Why it matters: RSA is where the security elite gather each year to cope with the world those early decisions shaped — and, as Vixie explains it, the system was intentionally designed to be open.

How it happened: "Every app we built for the internet was designed as if it was for a boy in a plastic bubble, a completely clean environment with nothing malicious," Vixie said.

Why it matters: Vixie is confident that his work — focused on the domain name service protocol — hasn't caused today's security woes. But other basic elements of the internet have proven fundamentally insecure, like email and data routing.

  • "No one ever thought someone would want to lie in the 'from' field of an email, or send email the recipient wouldn't want. And that made sense for a network of academics and military contractors, before anyone who could pay an internet service provider could get online," he said.
  • By the time such openness stopped making sense, massive growth made it tough to change basic services.

Take Border Gateway Protocol (BGP), which routes data from a far-off server to a local computer. There are known flaws, "but the last update was BGP-4 in the 1990s," Vixie said. "Back then, only a handful of ISPs cared. If you could get a thousand people to agree to a change, you could change it."

Today, changes to fundamental services like routing and email affect so many people, companies and institutions that such changes are almost impossible to enact.