A Journey into Web3: Security by Design vs Secure Coding — Part 1

Conio Team, published in Conio Engineering
11 min read, Feb 17, 2022

Written by Federico Lombardi

Decentralization and Security Analysis of Bitcoin

So far the Internet is centralized; this is a fact. Nevertheless, we are approaching the so-called Web3, also known as the decentralized web. The concept behind it is to reorganize the Internet in order to move from huge centralized parties to a network handled by multiple peers.

Such a transition cannot be straightforward: it means changing the way everything communicates through the Internet that we know and are used to today. It is a big challenge that may restore some of the original decentralization properties of the Internet, but it is going to be a long journey in which security will play a crucial role.

In this post I start the journey into Web3 through Bitcoin and its underlying technology, the blockchain.

1. Some history from Web1 to Web2 to Web3

Web1:

Nowadays, the most common communication pattern is client-server: the server produces content, the client consumes it. This is how Web1 began, with mainly read-only content, no single trusted third party managing the servers, and each online identity running its own.

Web2:

Over the years, the growing number of online entities made clear that running servers is expensive, time consuming and requires a lot of effort. Thus, the Cloud started to catch on, opening the door to Web2. Of course, trust is fundamental, since users delegate their own servers, services and data to a third party. On the other hand, the Cloud sped up e-commerce, enhanced interaction between users through social media and paved the way to a sharing economy, with smartphones dominating the scene. Content became more balanced between published and user-generated, but all of this has been possible at a price: centralization. Indeed, the communication pattern remains the same client-server model inherited from Web1, but the servers are far fewer than before and clustered in the huge Cloud data centers of a few companies.

Web3:

Finally, we arrive at Web3, which aims to decentralize the content and the control of the Internet. This does not mean going back to a Web1-style where each entity runs its own server, but taking advantage of the existing Cloud platforms to execute a node of a peer-to-peer (p2p) network on top of them. The Cloud thus becomes an underlying layer providing the infrastructure, and on top of it we can build a decentralized overlay network. The blockchain seems like the candidate to implement such an overlay network.

Web1 Servers (read), Web2 Cloud (read and write), Web3 Blockchain (read, write, execute)

Yet, why does the Internet aim to move towards a decentralized network?

2. Centralized Systems: What’s the Matter?

The interest in a decentralized web started with a countless number of issues involving widespread espionage and content control. To date, the owner of a server/service can ban, censor, block, monitor and, even worse, spy on a user. Centralization means that the third party may control what we do, what we can do and what we cannot do. The security of the platforms is centralized as well, hence an outage or a data leak may impact all the customers. Besides, the huge amount of data that companies collect might also be used for profit. Recall the famous sentence from the 1970s:

If you don’t pay for the product, you are the product!

At the time it was about television advertisements. Nowadays the same sentence has taken on a new life due to personal data gathering. Search engines, social networks, websites and so on track people’s activity on the web, collect data and profile personal interests to deliver custom ads. Note that this post is not intended to judge; conversely, it simply aims to explain how the market works. For the sake of simplicity, a company which delivers a service can choose between two options: charge customers for the service or make it free. Picking the latter means finding a different business model. Thousands of free services are available out there making a profit through users’ data. This is fine, as long as people are aware of it.

Web Tracking systems

Non-technical users struggle to grasp how the Internet works, thus they cannot easily understand the complex data collection and targeted advertising process. This means that they do not even imagine the amount of data they unknowingly share. That is why it seems like most people do not care: they are not aware of it at all. Let’s be frank, a free service entices the most, thus such a business model works. However, recently a huge awareness campaign has been carried out and people have started to become more sensitive to privacy issues, especially after the introduction of privacy regulations such as the European General Data Protection Regulation (GDPR).

Nevertheless, centralization is not only a matter of privacy, it is a matter of security. In engineering and system theory a centralized system is subject to what is called a Single Point of Failure (SPOF), namely, a successful attack or a fault on a single point can take it down. Replication is a way to face SPOF in terms of outages. The service is deployed on multiple instances, hence, if a server goes down the other replicas can still operate. However, modern Distributed Denial of Service (DDoS) attacks are still an effective way to break down the availability of a system. Content Delivery Networks (CDNs) arose as a solution to improve performance and, among other things, protect from DDoS, but once again they are centralized solutions handled by CDN providers, thus they might be the SPOF as well.

In June 2021, Prolexic, the anti-DDoS service provided by Akamai within its CDN, took down several major customers for more than four hours. The paradox is that a service supposed to protect from outages may be the availability issue itself. It is not an isolated case: a year earlier the same happened to Cloudflare. We cannot avoid it by design on a centralized service; even with replication it may suffer from SPOF.

Standard server (left) and CDN (right)

From an integrity point of view, things are similar. Exploiting a vulnerability to gain access into the network of a company can let an attacker tamper with the database. Replication may not help if the attacker is able to compromise all replicas as well, and once already inside the network this may be possible through lateral movement. Think about the hundreds of ransomware campaigns we observe every day; they do not occur exclusively at companies that do not implement replication.

Thus, it is clear that centralization requires high trust, fails to guarantee security by design at scale, presents privacy issues and allows potential control over data and activity. These are the main reasons for fostering a decentralized web.

3. Decentralized Systems: Benefit and Limits

Decentralization is a solution to distribute the control (and the security) of the network among multiple parties. This means that there is no single authority managing the network.

Note: Replication != Decentralization

Decentralization must not be confused with replication. The latter is in fact a solution to enhance the availability of a system, but under the control of a single central party. Tor (an anonymous network on top of the Internet), YaCy (a distributed search engine) and BitTorrent (a decentralized file sharing system) are just a few examples of decentralized services that have existed for decades. They share the same network model, p2p. In contrast to the traditional client-server model, p2p is a network where peers act both as server and client. No single trusted authority controls the network; participants do, through a distributed consensus algorithm.

Client-server (left) and p2p (right)

In an open p2p network peers can join without any subscription, thus such networks are called permissionless. In such a model, however, there is a big issue: peers joining the network can misbehave, thus such networks are trustless.

Let’s take Tor as an example. It is an overlay network where users can browse (pseudo-)anonymously thanks to its onion routing protocol. Each Tor connection relies on a chain of peers used to forward the traffic, thus nobody can know both the real source and the real destination, but only the previous and the next hop. Although this approach is supposed to preserve anonymity, entry nodes and exit nodes hold a lot of information, since they know respectively the real source and the real destination. If they are controlled by a single authority the connection might be deanonymized. To hinder malicious behavior, Tor hardcoded a set of authorities which manage the distributed consensus to decide which node is good or bad, and which nodes can be entry and exit nodes. Although Tor is considered decentralized, it is only partially so. Indeed, standard users can only be relay nodes and cannot take part in the consensus process.

Who can ensure that the set of entry and exit nodes in Tor is not maliciously managed by a single authority? The honest answer is: no one. So, apart from the p2p model as opposed to client-server, there is still not a huge difference from centralized systems. After all, it is all a matter of trust, again.

4. Bitcoin: Security By Design

Bitcoin has carried on the evolution towards the p2p paradigm, adding a further component to the picture: the blockchain. This technology became a prominent building block for the entire sector due to its cutting-edge capability to significantly enhance the integrity assurance of data stored within a distributed ledger. Independent parties maintain the very same replica of the ledger through a probabilistic, distributed Byzantine Fault Tolerant (BFT) consensus governing the mining process (i.e., block creation and transaction ordering), namely Proof-of-Work (PoW).

The security of Bitcoin derives from both PoW and its strong cryptography. It is math. For the sake of simplicity, tampering with the Bitcoin blockchain requires 51% of the computational power of the entire network, which is almost computationally infeasible.

What is the main difference from the consensus of other p2p networks like Tor? PoW is not restricted to a set of authorities; everybody can participate. How can such a trustless network work? A reward mechanism incentivizes miners to behave honestly. That is how Bitcoin copes with the Tragedy of the Commons.

Tragedy Of The Commons — an economic problem occurring when individuals neglect the well-being of society in the pursuit of personal gain

The result is that Bitcoin is the first trustless, democratic, censorship-free and tamper-resistant network able to ensure a high level of availability.

The impressive thing is that the security of Bitcoin is by design. In software engineering, it means that the system is designed to be foundationally secure even when it is under attack.

This is the recipe that opened the way to real decentralization and that explains why the Bitcoin blockchain is the crucial element that p2p networks were missing in order to move towards Web3. However, there are some costs to pay:

  • poor performance (3–7 txn/sec);
  • power consumption required by the PoW-based mining process.

To the question whether Bitcoin filled the gap to approach Web3, the answer is: partially. It is true that it overcomes the need for trust required by a centralized system, and it is also true that no centralized system can ensure the same level of integrity and availability that Bitcoin has, but many areas require high performance. Its drawbacks foster research into alternative solutions to speed up the network in a more environmentally friendly way. Yet, addressing them means potentially bringing back a less secure and less decentralized network. Finally, we must recall that beyond security by design, secure coding is crucial as well. Let’s see why.

5. Bitcoin: Secure Coding

Although the Bitcoin protocol is mathematically secure, there is no guarantee that the software implementing the protocol is well coded and thus fully secure as well. This is true in general and not limited to Bitcoin. A clear example is the Value Overflow Incident which occurred on Bitcoin on August 15, 2010. A vulnerability was discovered in the wxBitcoin and bitcoind client software that allowed remote attackers to bypass intended economic restrictions and create bitcoins via a crafted Bitcoin transaction. Specifically, block 74638 contained a transaction which created ~185M bitcoins, i.e., almost nine times the maximum number of bitcoins defined by the protocol (we recall, 21M).

Output of the malicious transaction which created ~185M bitcoins (~92M towards 2 addresses)

This attack was possible because the code used for checking transactions before including them in a block did not account for the case of outputs so large that they overflowed when summed. The vulnerability was labeled CVE-2010-5139 after its exploitation.

CVE-2010-5139 Details — source https://nvd.nist.gov/vuln/detail/CVE-2010-5139

After five hours, an update of the client was published containing a soft-forking change to the consensus rules that rejected output value overflow transactions. Here, the Bitcoin blockchain forked. Although many unpatched nodes kept building on the “bad” blockchain, the “good” one overtook it at block height 74691, where all nodes accepted the “good” blockchain as the authoritative source of Bitcoin transaction history. The bad transaction and the related bitcoins disappeared with the longest chain.
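To make the overflow concrete, here is an added C++ illustration (not code from this post and not Bitcoin Core’s own code) of a pre-fix style output-sum check next to a hardened version that bounds every output and every running total by the 21M BTC limit, which is the class of check the soft fork introduced. The sample amounts are constructed, not the incident’s real values: two outputs of 2^63 − 500000 satoshi each, whose 64-bit sum wraps to −0.01 BTC, so a tiny input appears to cover them.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Protocol limit from the post: 21M BTC, expressed in satoshi (1 BTC = 1e8 satoshi).
static const int64_t COIN = 100000000;
static const int64_t MAX_MONEY = 21000000 * COIN;

struct TxOut { int64_t nValue; };  // output amount in satoshi

static bool MoneyRange(int64_t v) { return v >= 0 && v <= MAX_MONEY; }

// Naive output sum modelled on the pre-fix logic: amounts are simply added.
// The addition is done in uint64_t so the wraparound is deterministic (signed
// overflow is undefined behaviour in C++); the cast back to int64_t gives the
// two's-complement result a wrapped signed sum produces.
int64_t NaiveOutputSum(const std::vector<TxOut>& outs) {
    uint64_t total = 0;
    for (const TxOut& o : outs) total += static_cast<uint64_t>(o.nValue);
    return static_cast<int64_t>(total);
}

// Pre-fix style check: does the input cover the summed outputs? A wrapped,
// negative sum passes trivially, so the outputs spend value no input provided.
bool VulnerableCheck(const std::vector<TxOut>& outs, int64_t inputValue) {
    return inputValue >= NaiveOutputSum(outs);
}

// Post-fix style check: every output and every running total must lie in
// [0, MAX_MONEY]. Each accepted term is at most MAX_MONEY (2.1e15), so the
// running sum stays far below INT64_MAX and cannot overflow.
bool HardenedCheck(const std::vector<TxOut>& outs, int64_t inputValue) {
    int64_t nValueOut = 0;
    for (const TxOut& o : outs) {
        if (!MoneyRange(o.nValue)) return false;   // oversized or negative output
        nValueOut += o.nValue;
        if (!MoneyRange(nValueOut)) return false;  // oversized total
    }
    return inputValue >= nValueOut;
}

// Constructed sample: 2^63 - 500000 satoshi per output; two of them sum to
// 2^64 - 1000000, which wraps to -1000000 (-0.01 BTC).
static const int64_t kHugeOutput = 9223372036854275808LL;

int main() {
    std::vector<TxOut> outs = {{kHugeOutput}, {kHugeOutput}};
    int64_t input = COIN / 2;  // 0.5 BTC input
    std::printf("naive sum: %lld satoshi\n", (long long)NaiveOutputSum(outs));
    std::printf("vulnerable check accepts: %d\n", VulnerableCheck(outs, input));
    std::printf("hardened check accepts:   %d\n", HardenedCheck(outs, input));
    return 0;
}
```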

To make a long story short, a vulnerability in the Bitcoin software introduced the issue, but after the fix the Bitcoin protocol, through the longest chain rule, restored normal behavior. Bitcoin is indeed designed to fork but eventually converge to a single branch. This choice follows the CAP Theorem where, for the sake of simplicity, a distributed system must choose between strong consistency and high availability. Bitcoin opted for high availability and eventual consistency.

This is a remarkable example of how the security by design of the Bitcoin protocol is a fundamental property for eventually ensuring the desired security guarantees. At the same time, this example shows that software may contain vulnerabilities, hence developing secure code is a paramount process to ensure security at scale.

6. Conclusion

Can we assume, thus, that blockchain is enough for security by design, at least? TL;DR: NO!
Security by design is a fundamental property for being resilient to attacks and failures, but without secure software there is no comprehensive security. Besides, Web3 goes beyond Bitcoin, and many other blockchains arose with the goal of running smart contracts, i.e., programs deployed on the blockchain and executed by its peers. In the next post I will analyze the importance of both security by design and secure coding through two well-known alternative blockchains, namely Ethereum and Solana.


Conio’s voice on the most important news from the crypto world. Find out more at: https://www.conio.com/