The C3Authority is a distributed trust system based on certification and encryption of communication. Unfortunately, cryptography with all it’s adjacent utilities is a vast and complicated domain and it takes ample time and a technical background to understand it. Even at superficial, usage level, it is still time consuming and laborious to implement, with literally no margin for error, this is why people are reluctant to use these technologies even if they offer great benefits from a security and privacy perspective. The C3Authority makes heavy use of all these technologies and therefore it can be complicated to understand unless one has some education in the fields of network protocols, cryptography and certification, so to bridge the gap I will try to translate it into a simple, jargon free story, with parallels from real life so that everybody can understand what the benefits are, whether they have a technical background or not.
The C3Authority has the potential to go deep into the communication layers and bring unprecedented security into the cyberspace. The great thing is that all the protocols and technologies that C3Authority needs are already developed, some of them are in use and some of them are in the midst of being adopted, like IPv6 (Internet Protocol version 6). Unfortunately, the Internet having so many dependencies these adoptions processes are very slow, therefore in the beginning we will only focus on those technologies that are already in widespread use. Luckily, even within this limited scenario, the benefits would be fantastic. One such technology is SSL (Secure Socket Layer), the use of which you can notice any time you type https://… in your browser. This technology uses Public Key Cryptography and a derivative technology, certification, which form the basis of the concept behind C3Authority. I will not get into the technical details of what these are or how these work as this is beyond the scope of this introduction and they are not at all necessary at this stage. Instead, let’s just talk about the principles and ideologies behind these technologies, which are very much the same as they are in real world.
When you connect to your favorite internet banking site and you see that a green bar highlights the fact that your connection is secure, this means your bank is using an extended validation SSL certificate, by ways of which they protect the communication between your browser and their servers. An SSL certificate is an interesting thing. It actually contains not one, but two security features: an encryption key and an identity guarantee. The two concepts are linked together, so from a tech perspective they are inseparable, nevertheless they play two different roles. The encryption key is used to encrypt the communication between the server and your browser, which means that even if the communication is intercepted, nobody can access the content of it. That being said, while the communication is secure, another problem remains: how are we to know that we are not communicating with a malicious entity? This is where the second part of the SSL certificate comes in, the identity guarantee. We can’t know everybody over the Internet personally, so we rely on trusted authorities to vouch for the validity of businesses that we do not know. Certificate Authorities verify the business, hence the extended validation certificate (green bar), and because we trust these authorities, we can subsequently trust the businesses they validate. This validation comes in the form of an impossible to forge signature as part of the certificate, so if we now go back to case of the internet banking, this signature guarantees that you are in fact communicating with the bank you intend to and not some impostor pretending to be that bank.
This offers some excellent protection, but unfortunately is limited in scope. It is logistically complicated enough to validate business, doing the same for every person who connects to the Internet would be practically impossible this way and it would also come with great violation of privacy. Normally the certificate contains identity information which is publicly available and while this is perfectly fine for businesses, it is unacceptable for people. This means that the security features the SSL provides are limited to a very small subset of the communication that takes place within the cyberspace. The lack of cryptographic validation of those that exchange information over the internet leaves everybody vulnerable. Servers have no choice but to rely on identifying legitimate clients based on less reliable methods, like the use of cookies and passwords, which are easy to forge, therefore sites get hacked all the time. Blogs and other simpler sites are used to distribute malware and SPAM, corporate and institutional sites are stripped of their intellectual property and members’ personal information, people lose their on-line accounts, their money and often their computer is hijacked. This fuels cybercriminality because it gives them even more resources, both technology and financial, to do even more misdeeds. It is easy to blame sites for lack of security, but often it is not their fault. The system is too complex, with too many players and insufficient cohesion and this makes it very weak. This weakness is exploited by criminals to their advantage generating losses of hundreds of billions of Dollars, yearly, not to mention countless grieves, that cannot be quantified with money. Everybody looses, while criminals flourish.
What the C3Authority does is to enable widespread use of an even more secure form of SSL which requires both ends to identify themselves. This means that nobody can hack anybody any more and the principle behind is trust, the kind we have in our everyday lives all the time. When the cable guy knocks on your door you are not reluctant to let him into your house, even if he is a stranger, because you trust your cable company. You know that if he did something bad in you house, you can call the company and they will hold him responsible for his actions. If a complete stranger, with an unknown agenda, knocked on you door and asked you to let him see your house, because he is curious about the layout, would you be inclined to do so? Most likely not. It’s all about trust. But what if the cable guy wore a ski mask when he knocked on your door, because at Cable Ex, it is company policy to wear ski masks and randomly pick the daily chores from a hat. Would you still let the guy in? I would not, because in this case the chain of trust cannot be established any more.
In cyberspace, everybody wears ski masks, they have no name, no fingerprint and they can teleport themselves across the world in a flash. This is not because it is company policy, it’s just how things are. No wonder that trust is impossible to establish and maintain. But let’s imagine that upon entering, the cable guy, ski mask on, legitimizes himself with a certificate issued by the C3Authority, which proves that the C3Authority knows somebody in his company, who knows this individual in person and can identify him by the serial number on the certificate. All things go back to normal, there is a chain of trust and responsibility can be established. Should he not present such a certificate, you have the option to lock an impenetrable door in his face and not allow him to enter.
This is what the C3Authority does. It applies the very basic, human principle of accountability to a world where there is none. This means cybercriminals cannot enter banks, they cannot leave infected stuff on sites, they cannot send SPAM, they can no longer hack social networking accounts, because the trail they leave behind can not only lead back to them, but it can also be used to block spread of malicious or unsolicited content in its infancy. The beauty of the system is that it works solely on trust exchange, not on the exchange of identifiable (personal) information. You don’t know the cable guy when he enters your home, the C3Authority does not know this individual either. What the C3Authority knows is somebody who does know this person well, and only when there is proof of this, will the C3Authority issue him this certificate. Everybody enjoys anonymity but at the same time, everybody is accountable for their action.
This principle is called distributed trust, in which there is not one certification entity that violates everybody’s privacy to certify them, but rather people are certified (vouched for) by local businesses with whom they have strong in-person relations. Personal information does not travel abroad, there are no jurisdiction conflicts and it is in perfect line with human social dynamics. Who else could vouch better for somebody than those that live in the same culture, have the same administrative rules and they’ve done business together? Trust and accountability are fundamental principles of human society, yet we have neither of these over cyberspace. This was not a significant problem when the internet was only an interesting curiosity, but as our everyday lives are becoming ever more dependent on cyberspace, this issue is becoming a serious problem that costs more in a year than humanities greatest, most daring projects from all times put together.
Cybercriminality is the kind of danger that threatens us all, people, businesses and states alike, but we can fix this. By cooperating we can make the Internet behave more like our reality. This is not even optional, we have to, because cyberspace is part of our reality.
