Technology
The 3 P’s: Protection, Privacy & Performance

A current networking textbook states, “(C)omputer security is inherently something of an oxymoron….” That assessment applies with particular force to client-server communication over the Internet. Security today rests on a collection of related technologies and methods, each with its own flaws and vulnerabilities. A major root of the problem is that the engineers who designed TCP/IP, the protocol suite that carries almost all Web traffic, set out to deliver data reliably across a network whose links and routers could fail at any time; authentication and confidentiality were not design goals, and they have been bolted on afterwards. On the transport side, TCP has accumulated extensions over the years (congestion control, window scaling, selective acknowledgement and similar mechanisms) intended to “improve” performance and control. The resulting patchwork adds complexity and overhead that, as traffic grows, increasingly limits what IP communications can deliver.

Why today’s security methodologies are broken.
Encryption has become the main way to protect sensitive information sent over the Web. A general-purpose protocol, Secure Sockets Layer (SSL), was developed to manage this process; its successor, Transport Layer Security (TLS), has since replaced it. Combined with a Public Key Infrastructure (PKI) and digital certificates (DCs), SSL/TLS is the most widely used mechanism for securing on-line transactions.

In the enterprise, Virtual Private Networks (VPNs) use TLS or IPsec to create secure communications channels, virtual point-to-point connections, across public networks such as the Internet. Many current offerings tunnel the encrypted traffic over TCP. While VPNs are much cheaper than dedicated lines between endpoints, these products often combine a complex system of software, routers, servers and hardware appliances in order to provide a high level of security.

The shortfalls of these technologies enable many of the cybercrimes perpetrated today. Consider how SSL/TLS establishes a secure connection. The client (a Web browser, or one end of an SSL VPN) opens a handshake in which the server presents its digital certificate, which names the certificate's owner, its validity period and its public key. The client is expected to check that the certificate chains to an authority it trusts, is currently valid and was issued for the host it meant to reach. Only once the handshake completes and the channel is encrypted does the user send a password for application log-on; the log-on then completes inside the secure session.

Unfortunately, many software applications implement or use SSL/TLS with design or implementation flaws that create security exposure. DCs are not always trustworthy and valid: they can be bogus, stolen, expired or revoked, and a client that does not perform the full set of checks (chain of trust, validity period, hostname, revocation status) will never notice. Private keys, both user and server, and passwords can be lost, stolen or otherwise compromised. And the handshake itself is exposed code: the parsers and state machines on both sides process attacker-supplied input before either party has been authenticated, so implementation flaws there have repeatedly been exploitable.

For a more detailed discussion of the problems with current technology, see “Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure” (Carl Ellison and Bruce Schneier) and “Click Here to Bring Down the Internet”.

The impact of these exposures on users is compounded by the use of TCP as the transport. Over time, substantial configuration and management functions have been added to the protocol to make it a tool for administering larger networks, and this added “baggage” has reduced the throughput and efficiency of data transport over the Internet. The result, especially at the packet level, is an inefficient and flawed method of transporting and protecting IP traffic that has nonetheless become the industry standard. Consequently, the number of users looking for a security solution that neither adds complexity nor sacrifices performance grows every year.

Now, there IS a better way to secure IP-based communications.