The Insecure Protocol at the Heart of the Web

There are lots of reasons why the world wide web has developed so quickly from its early origins in CERN at the beginning of the 1980s. Of course, there are many reasons why it has become so popular, but arguably at the core is the transport protocol called HTTP. This is the reason why different clients, servers and devices have been able to communicate with each other so effectively. However, there is a problem with the simplicity of this protocol, which is now a major concern because so much of our lives has been transferred to the digital realm.

The issue is security, which in the initial development of the web was not really a concern. However, the world has changed and now the web is much more than a few thousand websites passively supplying text pages to our browsers. There are some client-side measures that people can take, and one of the most popular is to use a VPN, which will encrypt your connection. One of the benefits of using these services is that you can even bypass region blocks and watch things like BBC TV abroad.

So how exactly does most of your digital communication get moved around the net? The vast majority takes advantage of something called HTTP, which you have almost certainly heard of. HTTP is the transport used by your web requests and is essentially an extremely simple protocol used to deliver HTML web pages. It’s not what you could call secure; it was primarily designed for lightness and speed – you can read about it in more depth in the RFC.

One of the main problems in attempting to keep our details and identity safe and secure when using HTTP is the simple fact that it is predominantly an ASCII-based protocol which operates in plain text.

This is almost brilliantly simple and quick, and it operates at a quite basic level of request and response. HTTP is a mechanism, a way to request a resource from a web server (a GET request); a response is then supplied, along with the information where possible.

Here’s an example of such a request:

GET /index.htm HTTP/1.0

Not exactly difficult stuff, and the worrying fact is that there’s no cryptic language to understand and no need to decipher any of the data that passes between your web browser and the web server.
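To make the point concrete, the following Python sketch (an added example, not from the original article) parses a constructed plain-HTTP login request and lists what is readable on the network path without any key. The host shop.example, the cookie, the credentials and the function name cleartext_exposure are all made up for illustration.

```python
import base64
from urllib.parse import parse_qsl

# Constructed capture: the bytes a login over plain HTTP puts on the wire.
# Host, cookie and credentials are made-up sample values.
CAPTURED = (
    b"POST /login HTTP/1.0\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=hunter2"
)
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token"}  # assumed field names


def cleartext_exposure(raw: bytes) -> dict:
    """List what anyone on the network path can read from one HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    exposed = {"request": f"{parts[0]} {parts[1]}", "host": headers.get("host")}
    if "cookie" in headers:
        exposed["cookie"] = headers["cookie"]
    scheme, _, cred = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        # Basic auth is base64 encoding, not encryption: decoding needs no key.
        exposed["basic_auth"] = base64.b64decode(cred).decode("utf-8", "replace")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = dict(parse_qsl(body.decode("ascii", errors="replace")))
        exposed["form_secrets"] = {
            k: v for k, v in fields.items() if k.lower() in SENSITIVE_PARAMS
        }
    return exposed


if __name__ == "__main__":
    for field, value in cleartext_exposure(CAPTURED).items():
        print(f"{field}: {value}")
```

Over HTTPS the same request line, headers and body travel inside encrypted TLS records, so none of these fields can be read this way on the path.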

One of the most revealing ways to see how insecure the HTTP protocol is for delivering and obtaining data is to connect to a Wi-Fi access point in a coffee shop or hotel, fire up a free sniffer program like Wireshark (despite the fact that I still use Ethereal!) and look at the data that is circulating in the clear.

Same goes for wireless connections – I still just can’t quite look at one of my neighbours in the same way since the moment I saw some of the websites he visits flying past my sniffer.

There are certainly loads of reasons why HTTP is such an insecure protocol, such as it functioning over the exact same well-known TCP ports, but we should also remember exactly how staggeringly effective and efficient it is as a delivery mechanism. It has certainly done a damn great job of sharing information over the internet, but quite possibly in some cases a little too good!

Source: Using a Residential Proxy

Hacker or TV Fans – the VPN User

Whether you need to use something like a VPN or proxy server depends on a whole range of factors. However, they are certainly becoming much more popular among average users throughout the world. There are probably two main justifications: concerns about online privacy, and being able to bypass the myriad region blocks that are pervasive on the web’s best sites.

There’s little doubt that in the minds of many people there is a pervasive picture of a VPN user, and it’s not a good one. It’s something like a youngster wearing a hoodie, huddled up in a coffee shop with a laptop. They’re quite possibly trying to hack into some federal government computers and are on the run from the authorities. As a VPN hides your location and your web traffic, there’s a common idea that the individual is up to no good and has something to conceal. So it could be an anarchist hacker, or just someone who wants to watch Coronation Street, using a VPN to watch ITV abroad while on holiday.

The truth is a very long way from this perception, and although many hackers do indeed use VPNs routinely, so do an awful lot of ordinary individuals. Certainly the majority of large organizations have been using VPNs for decades to support inbound connections from remote users. If a salesman needs access to the product database on the company’s network, it’s much simpler to allow them to connect through the internet and view the latest version. This is much more secure than travelling around with DVDs and obviously ensures that he or she has the latest versions.

If you make any kind of regular connection over the internet, all your web traffic is pretty much visible, i.e. anyone with a mind to can intercept and see it. If you’re logging in and connecting to a secured share, then this would include usernames and passwords. In order to secure these connections, you would commonly install a VPN client on the laptop and ensure it’s used to encrypt the connection back to the company network. It’s completely legitimate and indeed smart business practice.

Ordinary home users make use of VPNs for very similar reasons. The internet is pretty much insecure, and there is minimal provision for safety and security built in automatically. Certainly you can access secure sites through things like SSL whenever you have to enter a credit card or payment information. This is the exception, not the rule: most sites are not secure, and the vast majority of data flies across the wires in clear text.

In addition to the general insecurity of the internet, there’s the other issue of online privacy. Your browsing data is easily accessible via a range of sources. For a start, there’s a complete list at your ISP of every little thing you do on the internet, and depending on where you reside this can be routinely and easily accessed. Using a VPN stops this, turning your web activity into an encrypted list which is unreadable without your permission. Are they used by cyber criminals and terrorists? Sure, but also by millions of people who think that what they do online shouldn’t be part of public records.

VPN systems are becoming increasingly sophisticated, driven by demand and the risks of detection. There are all sorts of variants, including ones that allow different arrangements and ports to evade detection. You can even get them to use home IP addresses through certain residential IP providers.

In most countries VPNs are definitely not illegal but simply a business and personal security tool. In some countries this is not the case and you can get into trouble if caught using them. Countries that actually ban the use of VPNs include places like China, Iraq, Belarus and Turkey. Various other countries only allow authorized services, which usually means those that can be compromised if required. People still use VPNs in the majority of these nations; indeed, in Turkey almost all expats use one to watch things like British and American TV online. It’s actually quite difficult to detect a VPN in use; however, that doesn’t stop it technically being illegal in those locations.

Jim Collins

Value of the Software Testing Life Cycle

Anyone who has ever seen a piece of code accidentally released into a production environment will appreciate the value of a strong testing regime. Obviously, if the code is 100% correct and contains no errors then the effect will be negligible; however, that rarely happens. Untested code can create huge and very expensive problems which can be difficult to rectify. Even the smallest change which looks fairly trivial in development can have far-reaching effects when released into a live environment. It doesn’t matter where you are or what technology is involved – testing will always be a worthwhile exercise.

Any component needs testing even if it appears unnecessary; in fact, sometimes that is when it’s even more important. I once saw a huge network brought to its knees when a small but important update to Microsoft ISA server was released without testing. It seemed trivial but of course, firewalls and proxies can impact lots of other systems besides themselves. This was in a software creation company but the chaos would have been much greater with a larger number of proxies, perhaps somewhere like a residential IP provider with large proxy infrastructure.

We need to understand a little more about how software testing works in practice before we can think about how to implement effective testing. Testing and debugging are different kinds of activity, both of which are extremely important. Debugging is the process that developers go through to determine the cause of bugs or defects in code and to make corrections. Ideally some check of the correction is made; however, this may not extend to checking that other areas of the system have not been inadvertently affected by the correction. Testing, meanwhile, is a systematic exploration of a component or system with the major objective of finding and documenting defects.

Testing does not incorporate correction of problems – these are passed on to the developer to correct. Testing does, however, guarantee that changes and corrections are examined for their impact on other parts of the component or system. Effective debugging is essential before testing starts in order to raise the quality of the component or system to a level that is worth testing, i.e. a level that is sufficiently robust to make it possible for rigorous testing to be performed. Debugging does not provide confidence that the component or system meets its criteria completely. Testing makes a rigorous examination of the behaviour of a component or system and reports all flaws found for the development team to fix. Testing then repeats sufficient tests to ensure that defect corrections have been successful. So both are needed to achieve a quality result.

Static testing and dynamic testing

Static testing is the term used for testing where the code is not exercised. This might sound strange, but remember that failures often start with a human mistake, specifically a mistake in a document such as a specification. We need to test these because mistakes are significantly cheaper to fix than problems or failures (as you will see). That is why testing should start as early as possible, another fundamental principle explained in more detail later in this chapter. Static testing consists of strategies such as reviews, which can be effective in preventing defects, e.g. by eliminating ambiguities and errors from specification documents; this is a topic in its own right and is covered in detail later in this blog.

Dynamic testing is the type that exercises the program under test with some test data, so we speak of test execution in this context. The discipline of software testing encompasses both static and dynamic testing.

Testing as a process

We have already observed that there is a lot more to testing than test execution. Before test execution there is some preliminary work to do in order to design the tests and set them up; after test execution there is some work needed to record the results and check whether the tests are complete. Even more essential than this is deciding what we are trying to achieve with the testing and setting clear objectives for each test.

A test developed to provide confidence that a program functions according to its specification, for example, will be quite different from one developed to find as many defects as possible. We define a test process to guarantee that we do not miss out crucial steps and that we do things in the appropriate order. We will return to this important subject later, where we explain the key test process in detail.

Testing as a set of techniques

The final challenge is to make sure that the testing we do is reliable testing. It may seem peculiar, but a good test is one that finds a problem if there is one present. A test that finds no defect has consumed useful resources but added no value; a test that finds a flaw has created an opportunity to improve the quality of the product. Just how do we design tests which find defects? We do two things in order to maximize the effectiveness of the tests. We use well-proven test design techniques, and a selection of the most important of these is explained in detail in Chapter 4. The techniques are all based upon specific testing principles that have been identified and documented over the years, and these principles are the second mechanism we use to ensure that tests are effective.

A Comparison of Physical Vs Digital Identity

At the core of this service-oriented economy are network-based, automated transactions. Automated transactions are fundamentally different from the transactions that occur in the physical realm. When I stop by the corner store to purchase a snack, I can easily exchange money for peanuts. Unless the clerk happens to know me, the transaction is anonymous. In comparison, in the service-oriented economy, anonymous transactions are rare, simply because delivering a service immediately almost always means that you will have to know something about who is being given the service: if not their names, then at least their preferences or other attributes.

This identifying data is normally transferred digitally, across the network. In a service-oriented economy, electronic identity matters. Of course, when we speak about the service-oriented economy, we’re not just talking about ecommerce. Note that my scenario with the convenience store involved a small cash purchase. However, imagine the same situation, except this time I use a debit card, credit card, or check. In any one of those scenarios, I have invoked a network-based monetary service as a component of the overall transaction.

Network-based services are as prevalent in transactions which take place in the real world as they are in online interactions. Within an automated, network-based service, I need to know who you are in order to sell you access to my service. This could concern any user, whether from the domestic market, an international customer or perhaps an unidentified user from something like a UK VPN service who hides their identity.

Since these services are increasingly delivered over digital networks, businesses need dependable, secure, and private means for producing, storing, transferring, and using digital identities. Network-based, automated services are not just supplied to customers; workers, partners, and providers likewise interact with the enterprise via services. In a lot of cases, anonymous service is impossible or undesirable, and as a consequence, digital identities need to be assigned and managed. In addition to identifying clients in order to sell them services, businesses have an increasing need to identify employees, systems, resources, and services in a systematic way to create business agility and ensure the safety of company assets.

Using Digital Identity

Digital identity is the linchpin of each of the activities we have just discussed, in addition to a wide selection of other activities significant to business. Consequently, how your company manages digital identities will have a great influence on whether you are constantly dealing with complications caused by a lack of attention to managing identity, or whether you are exploiting opportunities enabled by a flexible and rational digital identity infrastructure.
