NEWS


Computing Now Exclusive Content — August 2011

Growing Network-Encryption Use Puts Systems at Risk

by Rob Holquist

As concern about Internet security has risen over the years, users have increasingly chosen to protect sensitive transmissions via Secure Sockets Layer or Transport Layer Security cryptographic technology.

However, this trend has raised cybersecurity concerns.

A recent study by firewall vendor Palo Alto Networks indicates that SSL and TLS encryption hide transmission contents from security applications that work by scanning inbound and outgoing transmissions.

"As a practical matter, no one can determine what the content of that traffic is unless they have the ability to decrypt it. If they don’t have that, then they're blind to it," said Scott Crawford, managing research director at Enterprise Management Associates, a consultancy and market-research firm.

SSL and TLS basics

Netscape released the first public SSL version in 1995. The Internet Engineering Task Force released the first public TLS version, based largely on SSL, in 1999.

The technologies provide privacy, authentication, and message integrity by employing a cryptographic system that uses an openly available public key in conjunction with a private key that only the recipient knows.

To communicate safely, each party must send the other a security certificate.

Each then encrypts what it sends using information from both its own and the other party's certificate. This ensures that only the intended recipient can decrypt the transmission. It also ensures that the data comes from the place it appears to have come from and that no one tampered with it.

The main difference between the two cryptographic approaches is that SSL starts with a safe connection and then secures the communications itself.

TLS starts with an insecure connection to a server and switches to secured communications only after a client–server handshake. If the handshake fails, no connection occurs.

TLS is more extensible and allows both secure and insecure connections over the same port. SSL requires a secure-only port.

Usage on the rise

Palo Alto Networks' recent study analyzed 28 exabytes of data generated by 1,253 organizations from October 2010 to April 2011, and found that SSL and TLS use is growing.

"Applications using SSL … represent 25 percent of the applications found and 23 percent of the overall bandwidth used," stated Palo Alto's 2011 Application Usage and Risk Report.

SSL and TLS use will continue to grow because of ongoing Internet-security concerns and because they're popular with major websites, including social-networking sites, said Mike Haro, head of communications for Palo Alto Networks.

In fact, Facebook, Gmail, and Twitter all recently added SSL as either a standard setting or a user-selectable option.

Dangerous side effects

Many security products, such as antimalware software, firewalls, and data-loss-prevention tools that scan ingoing or outgoing transmissions, can't read the contents of communications protected by SSL or TLS.

"There are a lot of valid reasons for their use, but they pose an issue for security professionals in that they obscure traffic that could potentially be malicious," Crawford said.

And if organizations routinely encrypt traffic streams via SSL or TLS, Palo Alto said, disgruntled employees or other insiders could send out confidential information without being detected.

Looking forward

Companies must do more to deal with the problems that SSL and TLS can cause, said Ryan White, a product marketing manager with security vendor Symantec.

Organizations could take steps to inspect network traffic for malicious content that might be hidden by SSL or TLS encryption.

One technique would be to sniff data packets and identify their destination IP addresses, Crawford said. Because the packet headers aren't encrypted, the IP addresses are readable.
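The header-based check described here can be sketched as follows. This is an added example, not part of the original article: it reads the destination address from the unencrypted IPv4/TCP headers, notes whether the payload begins with a TLS record header, and compares the destination with a watchlist. The watchlist, the packets, and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed watchlist (RFC 5737 documentation ranges) standing in for a threat-intel feed.
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")]

def build_packet(src, dst, dport, payload):
    """Build a minimal IPv4+TCP packet (checksums left at zero) as constructed sample input."""
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp

def inspect(packet):
    """Return (dst_ip, dst_port, looks_like_tls) from cleartext headers, or None if not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                                   # malformed, not TCP, or truncated
    dst = ipaddress.ip_address(packet[16:20])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    data_off = (packet[ihl + 12] >> 4) * 4            # TCP header length in bytes
    payload = packet[ihl + data_off:]
    # TLS record header: content type 20-23, then major version 3; readable on the wire.
    is_tls = len(payload) >= 3 and 20 <= payload[0] <= 23 and payload[1] == 3
    return dst, dport, is_tls

def flag_encrypted_to_watchlist(packets):
    """List (dst, port) for TLS-looking packets whose destination is on the watchlist."""
    hits = []
    for pkt in packets:
        info = inspect(pkt)
        if info and info[2] and any(info[0] in net for net in WATCHLIST):
            hits.append((str(info[0]), info[1]))
    return hits

CLIENT_HELLO = b"\x16\x03\x01\x00\x05hello"   # constructed: handshake record header + filler
SAMPLE = [
    build_packet("10.0.0.5", "192.0.2.10", 443, CLIENT_HELLO),        # TLS, destination not listed
    build_packet("10.0.0.5", "203.0.113.44", 8443, CLIENT_HELLO),     # TLS to a listed network
    build_packet("10.0.0.6", "198.51.100.7", 80, b"GET / HTTP/1.1"),  # listed, but cleartext
    build_packet("10.0.0.7", "198.51.100.7", 443, b"\x17\x03\x03\x00\x02ab"),  # TLS app data
]

if __name__ == "__main__":
    for dst, port in flag_encrypted_to_watchlist(SAMPLE):
        print(f"encrypted flow to watchlisted destination {dst}:{port}")
```

The check never touches the encrypted payload; it relies only on fields that SSL and TLS leave in the clear, which is why it also catches TLS on a nonstandard port such as 8443.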

"If you can correlate that IP address with other known malicious activity, then you have probably reinforced your identification of a potential command-and-control channel," Crawford said.

To cope with incoming traffic, he noted, network administrators could use a white-hat man-in-the-middle approach, in which a proxy intercepts the traffic between a client and the organization's server.

In the communications process, he said, the man-in-the-middle could masquerade to the client as the server and request the former's private cryptographic key. At that point, the organization could inspect the traffic for security problems before it reaches the server, which could then send the transmission, if deemed safe, to its ultimate destination.

A similar process could be used for outbound traffic.

White expressed optimism that such techniques will help organizations deal with communications encrypted via SSL or TLS.

"But the problem is [getting] businesses to adopt the practices and implement them correctly," he added.

According to Crawford, the SSL- and TLS-related issues are indicative of a bigger problem, which is that many organizations fail to monitor activity on their networks closely enough.