2 years ago
In 2013, like many Internet Users I was deeply shocked when I learned about the extent of Pervasive Internet surveillance. Countries were monitoring your actions on the Internet, and they were secretly collecting your data. Many Internet institutions took a public stand: https://www.icann.org/news/announcement-2013-10-07-en
Now in 2015
2 years later, despite montevideo statement, Pervasive surveillance is still present. There is little indication that those countries are going to stop. Projects like DNSSEC & PKI(s) to improve the security of the internet are here. However, DNSSEC & PKI solve 2 specific problems. DNSSEC provides an authentication mechanism for DNS. You can have some level of confidence that www.ebay.com is secure when you connect to it via DNSSEC. One of the major limitations of DNSSEC is that the question/response is not encrypted. A 3rd party can monitor my DNSSEC messages, and build a profile about my surfing habits, such as the time I usually check my Bank account.
PKI can be leveraged by ISPs to prevent accidental or intentional prefixes from being hijacked. The most known incident is when Pakistan Telecom broke Youtube on the whole Internet. However, when we look at the Internet, there are more avenues to make the Internet more secure such as protecting against address spoofing, which is causing routine DDOS attacks to occur against such websites as github. The next question is who is taking care of securing the other bits of the Internet in our region ? How much is Africa investing into not only improving Internet connectivity, but also securing our Internet ? (BCP-38 anyone ?)
Banks in Africa
The local banks are discouraging me from getting my statements via mail. They send it to me by email. However, that email is not encrypted/ digitally signed. My bank is also discouraging me from doing transactions by writing on a paper in one of their offices. They want me to use their mobile application which goes through some secure encryption scheme through a hostile Internet. I poked around, and realised that there are some issues with their security scheme. Can we trust NIST recommendations for cryptography when NIST vetted specifications that contained backdoors ? (URL of a discussion: http://lists.elandnews.com/archive/mauritius/internet-users/2015/06/2128.html)
A few days ago, Another set of document revealed that the NSA is breaking VPN, SSH and HTTPS on a massive scale (geeky details here: http://thehackernews.com/2015/10/nsa-crack-encryption.html) . Those technologies are those that I use for my banking transactions, and also accessing the office remotely when I need to work. They are also used when I read my mail whether corporate or personal. What's worse is that it's becoming frighteningly cheaper for a small organization to do that thanks to the dropping price of computing power.
What are our organizations doing ?
Isn't it time for our public and private sectors to seriously look into improving the security of our internet that we rely upon daily for doing important things ? What about the Cyber/Internet Institutions that have a mandate and a budget in Africa & Mauritius ?