Four decades ago, when Bob Kahn and I were creating the TCP/IP networking protocol for the internet, we did not know that we were laying the tracks for what would become the digital superhighway that powers everything in society from modern business to interpersonal relationships.
By that same token, we also didn’t envision that people would intentionally take advantage of the network to commit theft and fraud.
In those early days, our experimental network was used by universities to share academic information. Fast forward a few decades, and the internet has become of intrinsic value to both people and businesses, which in turn has increased the desire to exploit it.
As the internet continues to expand and mature, its threats are evolving right along with it.
More info, more problems
Today, hackers routinely break into online accounts and divert users to fake or compromised websites. We constantly need to create new security measures to address them. To date, much of the internet security innovation we’ve seen revolves around verifying and securing the identities of people and organizations online.
There are many ways to deceive internet users into visiting the wrong website. For example, a hacker might pick a popular website and then buy a domain name that looks very similar to the original—such as the visually deceptive “G0OGLE.COM” (where the first “o” is a zero) instead of “GOOGLE.COM”—with the intention that people will follow a URL to the fake site and type in their personal information without checking to confirm the embedded domain name.
This sounds like simple stuff, but it happens more often than one might think.
An average of 1.4 million fake phishing websites are created every month. A 2019 Harris poll, commissioned by Google Registry, found that 70% of the 2,000 internet users surveyed “wrongly identified what a safe URL should look like.”
This trickery is called spoofing. It’s a cross-industry threat, and it occurs at various levels within the web’s infrastructure.
If we are to ensure continued trust and confidence in the internet, we need to find a way to address it.
Spoofing as a technique is not particularly new, but it is particularly insidious.
Imagine that you type in or click on the URL for what you think is your bank, and log in. The spoofed domain name in the URL takes you to a fake website where you hand over your username and password to cyber criminals. With this information, the criminals now have access to your account and can transfer its assets freely.
Some attacks spoof the very infrastructure of the internet itself, in ways that even the most savvy of users has no way to detect. For instance, a hacker can spoof the Domain Name System (DNS), which maps domain names into Internet Protocol (IP) addresses—those unique numbers that identify each computer connected to the internet.
In a spoofing attack, DNS records are altered so that someone trying to reach a specific website is directed—unbeknownst to them—to the wrong IP address, which directs information to the wrong web server even though the correct domain was specified. Sophisticated hackers can fake legitimate-looking sites on a massive scale, tricking thousands of users at a time.
What makes these attacks so hard to defend against is that they exploit human behavior: Instead of tapping into the pipes of the internet to syphon valuable data as we saw in the early days before strong encryption standards, spoofing preys on people’s naivete.
In other words, spoofing is often particularly hard to detect, especially if the DNS or routing systems are deceived, because people inherently assume that the infrastructure is trustworthy and reliable.
Spoofing can be used to hijack huge volumes of internet traffic at once. One such type of attack, called Border Gateway Protocol (BGP) spoofing, is accomplished by generating false routing information that alters the tables that specify internet traffic routes.
In 2017, large chunks of traffic destined for financial services and other websites were briefly run through a number of Russian state telecom-owned routers. While BGP spoofing can be difficult to verify, the fact that so many financial service providers were affected made this incident suspicious.
A similar situation happened in June when a huge amount of traffic destined for European mobile providers was re-routed through state-owned China Telecom for several hours. The concern with attacks like these is that unless exceptionally strong encryption is used, the re-directed traffic can be easily viewed by the routers it passes through.
The promise of the internet is one of an open global network for communication and commerce, and the foundation for a more prosperous and equitable world. But its potential is limited if we can’t trust it.
We trust that water will come out of our kitchen tap and electricity will flow when we turn on the lights. In much the same way, the internet carries critical information and services for our daily lives, our businesses, and the operation of our cities and governments. The internet is critical infrastructure for the modern fabric of our societies.
Lack of confidence in it will undermine our trust in everything from personal communications and e-commerce to digital stop lights and online elections.
Spoof-proofing the web
For everyday web users, the key is staying vigilant. Passwords are no longer adequate to protect online accounts—two-factor authentication, such as codes generated by cryptographic chips or software apps, is now essential.
Always double-check the URL when clicking on links to make sure it refers to the site you expect. Look for misspellings and extra letters, as well as numbers masquerading as letters. Using Greek or Cyrillic characters in place of Latin characters also creates serious spoofing hazards, and these tend to be particularly difficult to spot. These small discrepancies and outright spoofs are surprisingly easy to miss, and that’s why hackers use them.
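The URL checks described above (digits masquerading as letters, Greek or Cyrillic characters in place of Latin ones) can be automated on the defender's side. The following is an added example, not code from the original article; the trusted-domain list and the digit-substitution table are constructed assumptions, and it approximates a character's script from its Unicode name because Python's unicodedata does not expose the Script property directly.

```python
import unicodedata
from urllib.parse import urlsplit

# Digits commonly substituted for Latin letters in lookalike names
# (the "0" for "o" in G0OGLE.COM). Constructed table, not exhaustive.
DIGIT_FOR_LETTER = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}


def label_scripts(label):
    """Set of scripts (LATIN, CYRILLIC, GREEK, ...) used by letters in a label.
    Approximation: the script is taken as the first word of the Unicode name."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                scripts.add(name.split()[0])  # "LATIN SMALL LETTER A" -> "LATIN"
    return scripts


def _matches_trusted(host, trusted):
    return host in trusted or any(host.endswith("." + t) for t in trusted)


def inspect_hostname(url, trusted):
    """Classify the host of `url` against trusted registrable domains.
    Returns (verdict, detail) with verdict in {trusted, suspicious, unknown}."""
    host = (urlsplit(url).hostname or "").lower()
    if _matches_trusted(host, trusted):
        return "trusted", host
    # Mixed-script or non-Latin labels: the Greek/Cyrillic hazard.
    for label in host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1 or (scripts and scripts != {"LATIN"}):
            return "suspicious", f"label {label!r} uses scripts {sorted(scripts)}"
    # Digit-for-letter substitution: undo it and see if a trusted name appears.
    normalised = "".join(DIGIT_FOR_LETTER.get(c, c) for c in host)
    if normalised != host and _matches_trusted(normalised, trusted):
        return "suspicious", f"{host!r} reads as {normalised!r} after digit substitution"
    return "unknown", host


if __name__ == "__main__":
    # Constructed sample URLs; the second uses Cyrillic "о" (U+043E) for both o's.
    for u in ("https://mail.google.com/", "https://G0OGLE.COM/login",
              "https://g\u043e\u043egle.com/", "https://example.com/"):
        print(u, "->", inspect_hostname(u, ["google.com"]))
```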
For website creators, select a domain and hosting service that offers strong security standards, such as SSL certificates, easy-to-use Domain Name System Security Extensions (DNSSEC), two-factor authentication, and HTTP Strict Transport Security (HSTS) preloading. HSTS forces browsers to use HTTPS exclusively to reach websites that have enabled it.
Once a website is live, regularly check to make sure all software and plugins are up-to-date. It’s also a good idea to check your website for malware and adware by following the steps at vetted, publicly-available resources.
For the industry at large, domain registries should add the domain names they manage to the HSTS-preload list. This ensures that browsers use HTTPS, and therefore cryptographically secured connections, by default for every website under those domains, including all associated sub-domains.
The industry also needs to push for speedier adoption of Domain Name System Security Extensions, or DNSSEC, to eliminate spoofing of the DNS system. DNSSEC is a way to verify that the domain name/IP address combination obtained during the domain-name lookup comes from a recognized source and has been digitally signed, so the browser can be assured it is using the correct destination internet address to reach the intended website. Domain registrars and hosting providers should make it one-step simple for website owners to enable DNSSEC for their sites.
If there’s one lesson I’ve learned over the past 40 years, it’s that the power of the internet depends on the trust users have in it. It’s still our job to deliver on the promise of greater openness, connection, and opportunity for people all over the world.
To do that, we must carefully preserve that trust by creating new security measures that can keep up with the people trying to breach them, so that we can keep building new applications and websites and navigating the internet safely.