Tuesday, June 19, 2007

Report from the meeting of the New World Order

There seems to be some interest from Slashdot on the events at the Top Secret meeting of the New World Order today and yesterday, otherwise known as the W3C/WSRI Workshop on E-Government.

Since the agenda is online, together with the position papers, anyone who is interested in really finding out about the discussions can do so.

The short version: E-Government is good, Semantic Web is good, it would be good if E-Government used Semantic Web.

The slightly longer version is that it would be good if we did the above with some thought about security. We need to sign all this data that governments are putting onto the Web if we want people to trust it and in particular if they are going to build Web Services that depend on those data feeds.

For example, HMG publishes The London Gazette every day. The Gazette is important because it is the paper of official record. The Gazette carries notices of personal and corporate bankruptcies, promotions in the armed services, war dispatches and many other pieces of official information. It is the index to the rest of the information government puts out.

Today the Gazette is published without any security at all. Let us imagine that in the new Semantic Web version of the Gazette an insolvency notice is published in a machine-readable form. So, for example, a Webbot can notice that Example Ltd. Reg 12345678 has gone bankrupt. This might then feed a credit reporting service, or a Web Services based transaction system, so that the company that has just manufactured 1,000 widgets and loaded them onto a truck which is on its way to Example Ltd. can call the driver and tell them to return the goods to the factory rather than deliver them to an insolvent customer who is not going to pay up.

This is exactly the type of service that we want to build on top of authoritative government information. Without security we are building ourselves into a serious problem.

Let us imagine that Example Inc. has not gone bankrupt and that Webbot Credit services is downloading the Semantic Web version of the Gazette via the Web site. Mallet performs a DNS cache poisoning attack on the DNS server that Webbot Credit services depends on (alternatively a BGP injection attack might be used to the same effect). Mallet then provides Webbot Credit services with a fake version of the site where Example Inc. is listed as being insolvent. The goods are not delivered on time, and Example Inc. is unable to trade. The result is a denial of service attack that may cost Example Inc. a lot of time and money and cause it to lose business to a competitor.

We already have a serious problem with DDoS based Internet denial of service attacks from criminal gangs running extortion rackets. Let's not create a new set of Semantic Web DoS attacks.

The basic attack can be fixed with a simple SSL/TLS certificate at a trivial cost: turn on SSL on the site and buy an SSL certificate from one of the competitive CA issuers.

Since we are talking about the Semantic Web, though, we should also look at the data-level attack. Let us imagine that Webbot Inc. is corrupt and is in fact under the control of Mallet. Information consumers who rely on Webbot Inc. need to know the provenance of the data. This is exactly what the assertion structure of SAML 1.0 was designed to do: every RDF statement should either be wrapped in SAML or contain a SAML authenticator as a tag.
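To make the data-level point concrete, here is an added sketch (not from the original post) in which the publisher signs each statement and the consumer verifies it after it has passed through an untrusted relay. It substitutes a plain detached Ed25519 signature for the SAML wrapper proposed above; the type and function names and the sample notice are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Notice is a constructed stand-in for one machine-readable Gazette statement.
type Notice struct{ Company, RegNo, Status string }

// SignedNotice keeps the publisher's signature attached to the exact bytes signed.
type SignedNotice struct{ Body, Sig []byte }

// Publish serializes a notice and signs it with the publisher's private key.
func Publish(priv ed25519.PrivateKey, n Notice) SignedNotice {
	body, _ := json.Marshal(n) // cannot fail for a struct of strings
	return SignedNotice{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Accept checks the signature against the publisher's key before parsing anything.
func Accept(pub ed25519.PublicKey, sn SignedNotice) (Notice, error) {
	var n Notice
	if !ed25519.Verify(pub, sn.Body, sn.Sig) {
		return n, fmt.Errorf("notice is not signed by the publisher key")
	}
	err := json.Unmarshal(sn.Body, &n)
	return n, err
}

// Relay models a corrupt intermediary: it rewrites the status but can only reuse the old signature.
func Relay(sn SignedNotice) SignedNotice {
	body := bytes.Replace(sn.Body, []byte(`"active"`), []byte(`"insolvent"`), 1)
	return SignedNotice{Body: body, Sig: sn.Sig}
}

// Demo returns the status accepted from the honest feed and the error raised by the altered one.
func Demo() (string, error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	signed := Publish(priv, Notice{Company: "Example Inc.", RegNo: "12345678", Status: "active"})
	honest, _ := Accept(pub, signed)
	_, err := Accept(pub, Relay(signed))
	return honest.Status, err
}

func main() {
	fmt.Println(Demo())
}
```

The consumer needs only the publisher's public key, obtained out of band, so the check holds whichever relay or transport delivered the bytes.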

We have a choice here: either we can build the Semantic Web securely, or we can do what we did with the Internet and the Web and build it insecurely despite knowing how to do it right, then wait until the crime problem is epidemic before we go about fixing it.

Last time I was somewhat more passive than I should have been in that debate. This time I am going to be very loud.
