Michal Zalewski's The Tangled Web is an excellent technical book on how the technologies that power the web are interconnected, and how they're all a vulnerable mess of hacks. On the surface, it looks like everything is running smoothly, but on the inside, everything we've architected is subpar for our current needs. It's amazing that the web is hanging by its nooks and crannies, but the constant series of gaffes that is infosec, and most people's refusal to accept it, speaks for itself.
Who knew that one day, a handful of nerds and social outcasts would end up maintaining core infrastructure that the entire Western economy depends on so dearly?
Of course, people have realized this and have been hard at work building new protocols, abstractions and mechanisms on top of current cruft. It's still a mad, mad, mad, mad ecosystem out there, though.
The author's sentiments go completely off the rails by the end of this, however. It's almost eerie. What is there to possibly trust?
"The Internet was done so well that most people think of it as a natural resource like the Pacific Ocean, rather than something that was man-made. When was the last time a technology with a scale like that was so error-free? The Web, in comparison, is a joke. The Web was done by amateurs." -- Alan Kay
Tim Berners-Lee was trained to be a physicist. He wasn't aware of the things computer scientists had learned in the last few decades. He was a clever man who came up with a clever idea, but it wasn't engineered to scale.
I think Kay is right, and more ambitious tech firms are definitely running up against this wall. The fact that Google wrote a new JavaScript engine tells me that Kay's proposal, where the web should have been like an operating system on which you could run programs in a separate address space and with limited access to underlying system calls, is coming to pass, except in this OS the assembly is JavaScript.
yEnc binaries on Usenet are stupid and inelegant, yet petabytes of stuff have been shifted around on Usenet servers.
Humans are creative and capable of trashing almost any RFC no matter how well written it was.
You say that like it's a bad thing?
- Using HTTPS only for the login or purchase page, and sending the user to plain-old HTTP for everything else
- And to make the above even worse, storing passwords in plain text in a cookie
- Disallowing certain characters in passwords, or forcing passwords to be under a certain length
- Allowing people to reset passwords from the browser with just one answer to a security question, i.e. not even sending a confirmation email
- Not supporting any form of two-factor authentication
The question I keep asking myself lately is, is there a better method of authentication than just plain ol' passwords? There are other systems that we're starting to see now being used more often in consumer devices, such as RFID and fingerprint/face scanners, but those have some obvious weaknesses as well.
I was signing up for a site that took OpenID the other day, and then, after confirming access, I was returned to the site. There, I was prompted for email, first/last name, and 2x password to use on the site, in order to complete my registration. (This email and password would be my future login.)
Nothing quite like implementing a buzzword while missing the point completely...
Persona on the other hand is what you want, long term. Mozilla did everything right.
That is, everything except marketing it properly. And abandoning it... sigh.
Edit: And if we really have a problem with this, we better start our engines.
Privacy is impacted because we are rushing ahead, advancing our sharing & social & etc technologies. We aren't developing privacy & security fast enough to keep pace. So while it is that way right now, must it be?