The flaw isn't some new problem that was suddenly discovered, but an age-old issue that has been written about in academic circles for more than a decade. But the debate has gained new importance after an assistant professor and three University of California, Berkeley students suggested last week that companies should stop trying to commercialize the Net until the security problems are resolved.
Essentially, the four men showed how a computer hacker could intercept financial transactions as they're transmitted from one computer to the other, potentially ''stealing'' hundreds of credit-card numbers at a time.
By making only minor changes in the most commonly used software program for exchanging data over the Internet, Netscape Communications Corp.'s Navigator program, it was possible for Eric Brewer, an assistant professor of computer science, and the computer students to disable the program's encryption system. Encryption is a process that turns words - and more importantly, financial information like credit-card numbers - into indecipherable gibberish based on mathematical formulas. With encryption, sensitive data can be exchanged in relative safety over the Internet. But turn the encryption off, and information can be easily eavesdropped.
The reaction to the Berkeley group's finding wasn't what you might have expected, however. The rush to trade and buy over the Internet continues, with many expecting it to become common within the next 12 to 24 months.
Meanwhile, experts have been working on ways to make the Internet more foolproof. Further, there are several ways to sidestep the problem found by Brewer's students, such as buying Internet-related software on computer floppy disks rather than ''downloading'' it directly off the Internet, where the program could have been modified by a hacker. And it is less likely that your credit-card number will be stolen over the Internet than if you use it to buy dinner at a restaurant.
Cyber-shopping
The issue is crucial for companies that want to turn the Internet into a virtual shopping center, where goods are bought and sold with the tap of a few keystrokes. Without a nearly flawless encryption system, there is little chance of easing the angst of consumers enough to make the Internet the next Wal-Mart.
Companies like Netscape Communications (http://www.
netscape.com), Open Market (http://www.openmarket.com) and O'Reilly &
Associates (http://www.ora.com/) have all recently introduced or announced
Internet software programs with encryption capabilities. Yet, for most people,
it is still easier to use the Internet for browsing catalogs, then pick up the
phone and call an 800-number to make the purchase.
AOL's advantage
When it comes to billing customers, companies like America Online and CompuServe have a distinct advantage over organizations that merely offer their products on the World Wide Web.
AOL and CompuServe already have their customers' credit-card numbers and addresses. Furthermore, since customers connect to these services through the services' own private network rather than through the Internet, the companies can assume the responsibility themselves for protecting sensitive information.
The same is true of the telephone system, says Jeff Treuhaft, security product manager at Netscape Communications. The reason that most Americans feel that it is safe to read their credit-card numbers over the telephone to a business is because the telephone system and the long-distance networks are controlled by a relatively few number of companies. The Internet is an eclectic world in which anyone with the technology can create his or her own home page without government interference.
'Secure servers'
''The Internet is completely different,'' says Treuhaft. ''The Internet is made up of what amounts to millions of different people who connect themselves together with common protocols and common systems.''
Netscape is using the fundamental insecurity of the Internet as its marketing trump. Netscape hopes to sell a ''secure server'' to companies wanting to conduct financial transactions, which allows information to be exchanged using encryption that hides information. Unfortunately for Netscape, flaws in its program have been detected that diminish the program's security and have been well publicized in recent months
A number of security-related flaws have been discovered with Netscape's Navigator, a program that is widely used on the Internet for browsing the World Wide Web. Netscape's Navigator contains a sophisticated encryption system, designed to allow computer users to securely transmit their credit-card numbers and other financial information over the Internet. Each of the flaws has shown that Netscape's initial program was not as secure as the company had hoped.
Shortcomings
For example, a few weeks ago a group of computer enthusiasts based in Silicon Valley replicated the feat without the use of the supercomputers. The following month, researchers at UC-Berkeley demonstrated an even more serious flaw that made it easy for an attacker to decipher an encrypted message.
Netscape is now working on a new version of its program that includes a new security technology called Secure Courier. The new program has an improved system for picking random numbers and uses a 64-bit encryption key for protecting financial information.
Nevertheless, the Berkeley group contends, it doesn't matter what encryption technology Netscape puts into its products if attackers can modify the programs before they reach a user's computer.
Between networks
In the Netscape example, the students developed a technique for modifying the program as it travels from one computer on a network to a second. By minor changes in just four bytes of the Navigator program (the actual program is more than 3 million bytes long), it was possible for the students to disable the program's cryptographic protections. Such changes in programs that can be invisible to users occur in many software programs, not just on the Internet.
''Security is an end-to-end problem that is far harder than getting the protocols correct. Strong, correct protocols only make more subtle, end-point attacks more likely, especially in light of the potential for financial gain as the amount of commerce on the Internet increases,'' their statement says.
Companies are rushing to commercialize the Internet because ''Internet-based commerce can offer convenient ordering (for the customer) at a very low cost for the company,'' says Brewer. ''Orders can be automatically integrated with inventory systems, and it is easy to provide detailed information on every product.''
Greater lure
But the more people who use the Internet for conducting financial transactions, the greater the reward for hacking the system.
''Right now, the only people who are hacking these things are doing it in academia or out of a sense of mischief,'' says Paul Gauthier, one of the Berkeley students. ''But that's changing. Once real credit cards and real money are at stake, it becomes very attractive for someone to try to systematically exploit these kinds of holes and to do it silently.''
One of the criticisms of the Berkeley group's work is that it requires an attacker to take control of a computer on an organization's local-area network, which is a group of computers that can be collectively controlled through a single computer. But such an attack on a network is not all that unreasonable, Gauthier says.
According to some studies, he said, as many as one in five computers connected to the Internet today may have major security problems. ''This is a way to leverage one machine in an opportune place to basically gain control over an organization.''
'Password sniffing'
Indeed, such attacks already have happened. Over the past year, there have been a rash of cases of ''password sniffing'' on the Internet, in which an attacker captures all of the passwords that pass through a computer connected to the Internet. Last year, for instance, the Massachusetts Institute of Technology sent an e-mail message to all of its users, advising that their passwords may have been stolen by a person who had commandeered one of its computers. The university suggested that its users change their passwords.
Sophisticated protocols that use encryption are designed to render this sort of eavesdropping attack useless. What they do is focus an attacker's attention at other weak points in the system.
Never perfect
''When you talk about the kinds of things that we have done with people who are in the know about security, the discussion quickly digresses to more and more Internet plots against security,'' says Gauthier. ''My opinion on it is that you don't need to get all the way - you can never get it all the way. You can never make a system truly secure unless it is in a locked room and it doesn't talk to anybody.''
Fortunately, says Gauthier, the Internet doesn't need absolute security. It
just needs enough security so that stealing financial information over the
Internet's wires is ''harder than somebody looking over your shoulder.''