Microsoft Internet Explorer and Encryption
By Larry Smith
Craig Brougher wrote:
> I just received this note from MSN, warning me that I am at risk on
> the Internet when I do the following things:
> If I am not mistaken, they are telling their subscribers that _if_ they
> shop on the Internet, they are in serious danger of being ripped off,
> intruded upon, or "digitally challenged" in some other way that is not
> very nice. They also did not even address the scenario by Ron Yost in
> regard to "Form" viruses as a result of using the MSN Internet Explorer.
> To me, their reply smacks of politics, and lacks conscientiousness and
> honesty. Their warning would apply to ANY search engine, seems to me.
Craig has a few observations about his latest experience with Microsoft in the last Digest. I sympathize, and I decided to digress from the normal topic of this digest to make just a few comments that might help some of the folks here that aren't all that familiar with the net.
Microsoft discovered the Internet much later than most other computer companies, and it rushed pell-mell to get on it, with a business plan that involved adapting a lot of existing software to Internet use, and in using some of their Internet software as part of their "next generation" operating system.
It is that close integration that got them into trouble. You can do things to a Windows 95 system using a browser that could never be done to a Unix system. For example: among the nasty possibilities that the recent patch is supposed to fix, you could click on a link that could turn around and delete the "Windows" directory on your hard drive - in effect, deleting your operating system and trashing your computer.
Microsoft left itself open to these kinds of problems because they really never, ever had to deal with a "hostile" environment before. Up until now, the only person who could "use" your computer was you, and YOU obviously don't WANT to hurt yourself - all anyone needed was "dummy-proofing" to avoid deleting important files by accident, and similar problems. Anyone who deliberately _set out_ to damage their computer hurt no one but themselves.
But in the real world of the Internet, crackers and vandals live that seem to have nothing better to do than to find loopholes in operating systems and try to destroy things. Microsoft is very, very lucky that the people who first discovered these holes in Internet Explorer (IE) were students of operating system security, and not vandals out to wreck people's computers. The next time, they - and we - may not be so lucky.
Internet Explorer is popular because it is Microsoft, and comes with Windows. But there is another browser that was developed in the Unix world where security has been a way of life for a quarter of a century and where dealing with crackers and vandals has become a fine art: Netscape.
Netscape for Windows has none of the integration with Windows that is Internet Explorer's claim to fame, and thus has no _opportunity_ to damage your computer. Netscape was immune all along to the security holes that Microsoft is trying to fix now, and will likely continue to be so for at least several years until Microsoft figures out what's what in the world of computer security. If you are nervous about the potential for having some innocent-looking web page trash your computer, I urge you to download and install Netscape. It will lack some of the nifty features that IE has, but it is safer.
For those of you who are really, *really* paranoid, you can simply dodge the whole issue and get Linux, which is a version of Unix for the PC. Linux, as a member-in-good-standing of the Unix family of operating systems, has lived for years in hostile environments and is far, far harder to crack in this way. Anyone who is interested in it can check out any number of web sites that are dedicated to it - a good place to start is
http://www.ssc.com/linux/
Be aware, however, that Linux is a completely different operating system that is totally incompatible with Windows and only "sort of" compatible with DOS. It _can_ coexist on your computer _with_ Windows, so you can use Windows for applications work and Linux to browse the net, but there is a significant learning curve involved and this is not undertaken very lightly. But that _is_ the ultimate in safety at the present time.
On the subject of encryption: as someone whose name I do not recall once observed, there are two kinds of encryption, the sort that keeps your little brother from reading your diary, and the sort that keeps major governments from reading your diary.
Most of the so-called "encrypted" web pages are using DES, which is a government-approved encryption algorithm. In the version most often used, it isn't quite up to keeping the government out of your affairs, but it is more than adequate to keep anyone else out.
If a web page is encrypted, Netscape (at least) will display a key in the lower left corner of the browser window (the key is broken - with a white bar through it - when the page is not encrypted). Any information sent to the web page server will be encrypted with DES, and anyone intercepting those packets will have to figure out the key before they can read your VISA card number, and that is very, very non-trivial -- at least, it's very non-trivial for anyone but the National Security Agency.
It's probably slightly more trivial for them, DES, particularly. In the lesser strengths that are allowed for export, it can be broken by massive computer power; but anyone with that much computing power is not trying to steal your credit card number -- the average card couldn't pay for an afternoon's worth of air-conditioning in the computer room!
Bear in mind that encryption guards against a theoretical danger. Even if you send your MasterCard number un-encoded, someone has to be (a) listening with a packet sniffer on the route, and (b) looking for card numbers. I am aware of no one whose number has been stolen in this manner.
Since it is far easier to harvest these numbers from discarded register slips and receipts in the average parking lot, even un-encrypted transfers aren't all that unsafe. I mean, there are a million people in the country that could, in theory, tap your phone and _record_ your American Express number when you make a phone order, because there is no encryption on an open phone line.
The U.S. government right now is trying to suppress industrial-strength encryption schemes that are commonly available in the US and Europe. One of these is PGP, which is a public-key system that is often used by banks for "digital signatures" - your ATM machine is using something along these lines. You can use PGP yourself: check out Yahoo and look up PGP for some introductory material about PGP. PGP can make any transaction over the net safe from prying eyes, but it doesn't help unless the software is designed to use it, and no browsers are yet, to my knowledge.
Myself, I use Netscape on Windows 95. I am very sure that Netscape cannot be tricked into blasting my hard drive away no matter what kind of link I click on. I do sometimes use Internet Explorer, and I downloaded the patch, but I used Netscape to do that, and I don't browse the net with IE; I only use that for local Java work when I'm off-line.
As for sending data by email, the advice about using encryption is valid and worth taking. And as a general observation, no one should _ever_ ask you for a password. Never give one out.
And that's your primer for safety on the Internet. If anyone has more questions or needs help they can email me, and I will help or send them to a Usenet newsgroup where the answer can be found. The problems with Internet Explorer are not worth panicking over - but they should remind people that monopolies are a Bad Thing.
regards, Larry Smith
[ Editor's note:
[
[ Right on, Larry! I am a big believer in PGP as an encryption
[ tool for the masses, and I feel strongly enough about this that
[ my public key is published at the bottom of the foxtail web page.
[ I invite those Digest members who understand what this means to
[ exchange PGP public keys with each other.
[
[ Jody
[ Relief Editor's note: Jody is helping me learn Linux on the PC.
[ It's not that I have much against Windows 95, but the music
[ tasks I'm doing aren't well-suited for a Microsoft environment, for
[ many of the reasons Larry Smith cites, and I fear that the future
[ is bleak for my trusty old Macintosh. -- Robbie
(Message sent Thu 20 Mar 1997, 17:52:39 GMT, from time zone GMT-0500.)