Hiding a secret in the Internet

Although it might seem intuitively obvious that the way to hide a secret is to keep it hidden, there are some reasons why it makes sense to hide a secret ‘out in the open’ on the Internet or the web. Doing so may make it easier to pass to other people than sending it explicitly to them because the sender doesn’t have to know where the receiver actually is (or who they are pretending to be). Physical meetings create a strong trace, so it might be more attractive not to meet but to communicate instead.

There are a number of ways to communicate a secret covertly even though it is out in the open on the Internet. Here are some of them:

  1. Rely on hiding the secret in the middle of a torrent of other communication. For example, create a blog on the most boring subject imaginable, wait for any initial interest to die down, and then post very occasionally. With a little bit of cryptic language, the chance of anyone stumbling on it, and being interested enough to act on what they see, is very small.
  2. Encrypt the secret. This makes it possible for the secret to be in plain view, but only those who have the decryption key can open the envelope and look at the content.
  3. Put it in a password-protected place on a web site. There is already a lot of protected content on the web, so this doesn’t make it stand out.
  4. Put it in a web directory, but don’t provide any link to it. Although web crawlers can see the content, there’s a gentleman’s agreement (worth testing from time to time) that the large commercial search engines won’t index it. Since the content can’t be searched for, it can only be found by knowing where it is, and the web is a big place.
  5. Use a non-http protocol. Many peer to peer systems already move hidden content around the internet and, because each is free to use its own protocol, standard tools do not ‘see’ this traffic or its content.

Each of these approaches has disadvantages and weaknesses. They are:

  1. Knowledge discovery tools that look for particular words are already deployed. Tools that look for unusualness or abnormality are also beginning to be developed. It is becoming easier and easier to filter content and pick out particular kinds, without needing a good model of what those particular kinds might look like.
  2. Encryption seems like a strong way to protect content, but its weakness is the handling of the keys needed for decryption. These are another kind of secret that must be protected even more strongly than the secret we’re thinking about. Also researchers in cryptography continue to discover unsuspected flaws in cryptographic schemes.
  3. Password protection of web sites is not very robust. Most servers protect particular directories/folders, but not recursively, so if you can guess the name of a subdirectory, you can usually get access to it.
  4. Relying on web crawlers not to index or otherwise capture data in unlinked files is just a dangerous idea, if you want to keep the data secret.
  5. Non-http protocols can provide a more robust protection scheme, but they require particular software to understand the variant protocol, so this new software becomes a different kind of secret.

So, although it is possible to hide a secret in public on the Internet, it is not so easy to do it well. One of the new hiding places is virtual worlds, which I’ll talk about tomorrow.


0 Responses to “Hiding a secret in the Internet”

  1. Leave a Comment

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: