December 2014 archive

DANE Interim Meeting on Dec 2 Focused on Email and S/MIME

For those of you interested in tracking the evolution of the DANE protocol to add a DNSSEC-secured layer of trust to TLS certificates, the DANE Working Group within the IETF recently held an “Interim Virtual Meeting” via conference call on December 2, 2014, where the focus was all around using DANE for securing email using S/MIME. The minutes for the meeting can be found at:

The primary two drafts that were discussed were:

I was not able to attend myself but the minutes do provide a view into what occurred during the session.   There has also been further discussion on the DANE mailing list (to which anyone is welcome to subscribe).

What continues to be fascinating is how much interest there is in using DANE for better securing email communication, and this session was for those looking to use DANE for email systems using S/MIME.  It will be interesting to see where this goes over the next months.  At IETF 91 in November Eric Osterweil from Verisign demonstrated a version of Thunderbird that supported this usage of DANE.  He said they were looking at making that available publicly and that could certainly be of interest to many.

If you want to learn more about DANE, please visit our DANE page – and if you like to get started with DNSSEC please visit our Start Here page to find resources to help you begin.

TDYR 194 – Trying Out Opinion, A New Podcasting App For IPhone

In this episode I tried out the new "Opinion" app for the iPhone that aims to make podcasting easier: http://www.opinionpodcasting.com/ You can hear my thoughts in the episode...

The Directory Problem – The Challenge For Wire, Talko And Every Other "Skype-Killer" OTT App

As much as I am enjoying the new Wire app, there is a fundamental problem that Wire faces... as well as Talko, Firefox Hello and every other Over-The-Top (OTT) or WebRTC application that is seeking to become THE way that we communicate via voice, chat and/or video from our mobile phones and desktops. That is:
How do they gather the "directory" of people that others want to talk to?

The fundamental challenge all of these applications face is this:

People will only USE a communication application if the people they want to talk to are using the application.

And where I say "talk" it could also be "chat" or "message" or... pick your communication verb.

It's all about the "directory" of users.

There's a war out there right now... and it's a war for the future of our communications between each other. It's a war for messaging... and it's also a war for voice and video.

And it all comes back to... which communications application or service can provide the most comprehensive directory of users?

Which communications tool will be the one that people use the most? Will any of them replace the default communications of the mobile phone?

NOTE: A number of updates have been added to the bottom of this post.

Today's Fragmented User Experience

The reality is that today we use several different tools for real-time communications ... and that creates a bit of a frustrating user experience. If I want to send a message to Joe, do I send him a message on Skype? Facebook? WhatsApp? Google+? Twitter? SMS? iMessage? BBM? Wire? email?

If I want to call him and speak via voice or video, do I use Skype? Facebook Messenger? Google+ Hangouts? Facetime? Wire? Talko? Viber? Firefox Hello? <insert WebRTC or OTT app du jour here>? Or just call him on his regular old phone line?

By trial and error we start to figure out which of the people with whom we regularly communicate are available over which channels. Certain family members may be through Facebook... others through WhatsApp or Skype. Work colleagues through Jabber or Yammer... except for some of them who primarily use Skype. These friends detest Facebook and so they are in Google+ ... and then there's that guy who thinks all of these new apps are junk and only wants to talk to you via SMS and phone.

It's a mess.

And every new app and service wants to fix it... and wants to be THE communications application/service that you use.

Skype/Microsoft Has A Directory

Over the years, I think it would be impossible to count the number of times we've seen new communications applications trumpeted as "Skype-killers". "This new app/service WILL be the one to replace Skype. It's new. It's better. It supports (something). Everyone will switch and the world will be so much better!"

Except they don't switch.

Even when Skype's audio quality is no longer what it once was.

And why not?

Because Skype has a massive user directory.

When I speak at a conference I can ask the attendees "who has a Skype ID?" and usually almost every hand goes up. They may not use Skype as their primary communication tool, but they have an ID. They can be found on Skype.

Now a large part of this is because Skype has now been around for over 11 years and truly led the disruption that "consumer VoIP" has caused in the larger telecom industry. Part of it is that Skype prioritized the user experience and made it drop-dead simple to install and use. Part of it is that Skype made it easy to find other Skype users.

But the point is that Skype amassed this huge directory - and now is the default way that many of us communicate via voice or video over the Internet. Certainly many of us, myself included, would like a better mechanism at this point... but we still use Skype because that's where the people are! The directory of users is there.

Facebook Has A Directory (Two, Actually)

When it comes to a user directory, certainly one of the biggest in the world right now is Facebook. With over a billion users Facebook has an enormous ability to connect people together.

With Facebook Messenger, they are definitely aiming to replace SMS and become THE messaging application you use on your mobile phone.

And now in many regions of the world, Facebook lets you initiate voice conversations through simply clicking on a telephone icon in the Messenger interface.

They make it simple and easy... and it works because "everyone" has a Facebook account (or at least 1 billion people do).

Facebook has a massive user directory.

(Of course, every chat and voice conversation can then be mined for data for Facebook advertisers... but that's a topic for another post...)

Facebook actually has two massive user directories if you consider that they also own WhatsApp and most stats right now say that WhatsApp has over 600 million users. (Which is actually more than Facebook Messenger, which recently crossed the 500 million user mark.)

Put these two together and while there is certainly duplication between the two directories, they do represent a huge directory of users.

P.S. And Facebook actually has a third user directory in the form of Instagram (which now has 300 million users)... but we've not yet seen them do anything with real-time communications there.

Google Has A Directory

And then of course Google has its own massive directory. Everyone who has a "Google Account". Every Gmail user. Every Google+ user. Every Google docs user.

Hundreds of millions of Google users.

Google's focus today seems to be on Hangouts, which is available from the desktop and also from the iOS and Android mobile platforms. While Hangouts started out inside of Google+, Google has separated the application out. I'll note that just today they are rolling out a new version of Hangouts on Android that lets you add your phone number so that you are easier to find. They may at some point also integrate their Google Voice offering better into Hangouts.

Apple Has A Directory

It goes without saying that Apple has its own massive directory from the hundreds of millions of iPhone and Mac users, almost all of whom get integrated into Apple's iMessage and Facetime services through their Apple ID. With iMessage and Facetime, Apple's directory includes my own phone number, as well as my email addresses.

Apple also makes the user experience insanely simple. When I go to call a contact, I am offered the choice of calling them via Facetime (audio or video) or the regular phone. When I send a message, Apple automagically sends the message over iMessage if the recipient is registered in Apple's directory. As a user I have no clue about this unless I realize that "blue bubbles" are iMessage and "green bubbles" are regular SMS.

The point is that Apple can do all this and make it so simple because they have this massive user directory.

LINE And WeChat Have Directories

While we in North America don't tend to know their names, there are apps building huge user directories in Asia. WeChat, based in China, now has over 468 million monthly active users worldwide. LINE, out of Japan and used in much of Asia, has over 170 million monthly active users. There are others such as KakaoTalk in Korea that have large directories.

The Telcos Have Directories

Of course, the original user directories for mobile phone users reside with all of the mobile service providers / telephone companies. They have the customer names and phone numbers. Their challenge is one of sharing that information between each other - and also their general challenges with embracing the world of OTT communications apps that threaten their basic revenue streams.

Some telcos have tried - and continue to try. Telefonica had "Tu ME" and now has "Tu Go". Orange has Libon. T-Mobile did have "Bobsled" but that seems to have disappeared. And then of course there was (and still is, although on life support) Joyn, the traditional telcos' attempt to provide rich communication services and fight back against OTT apps. As Dean Bubley wrote at the time, RCS/Joyn was in trouble from the start and now seems to have faded from consideration.

I should note that Telefonica is doing some great work in the WebRTC space and is involved with Mozilla's latest Firefox Hello effort. There are other traditional carriers who are also doing some good work with WebRTC and other OTT works ... but I've still not really seen any of them figure out how to tie their apps and services back to the large user directories they collectively have.

Everyone Wants To OWN The Directory

Notice a common thread across all of these directories?

They are all owned / controlled by corporations - some of whom are among the largest in the world.

They have NO interest in sharing their directories.

They are all about the "lock-in".

Well... I should say... they are glad to "share" in the sense that they are glad for you to use their directory as a source of identity in your application or service. "Login with Facebook" or "Login with Google" or "Login with Twitter" ...

A better way to say it would be:

They have no interest in federation / interoperability between directories.

They want to own the directory. They want to be THE source of "identity" ... but that's a topic for yet another post.

And each of the ones I've listed is a commercial entity with their own investors or shareholders and their own ideas of what they will do with your data and your communication...

(NOTE: This is not a new problem - I wrote about "walled gardens" back in 2007 with regard to email and messaging - some names have changed but the problem remains.)

One Directory To Rule Them All?

Amidst all this we've seen various attempts to provide a global directory for IP communications. ENUM was one in the open standard space, but the original vision of "public ENUM" ran into a barrage of security and privacy issues and faded from view. (ENUM is still heavily used within SIP-based networks either within telcos or within peering relationships between telcos.)

On the corporate side, the original Google Voice was an attempt to put users in control, at least as far as a telephone number. Give out one number and have it ring many devices or apps. The .TEL people tried this with their original vision for that top-level domain. iNum tried to offer this with their numbers. Many other attempts have been made...

The question with all of these is how to make the directory accessible to other entities in a secure fashion - and how to deal with privacy issues, telemarketers, spammers, attackers, etc.

Back to the "Directory Problem"

How, then, does a new startup like Wire or Talko or Firefox Hello or whoever-releases-their-WebRTC-app-today build up a significant enough directory of users so that the application is usable by large numbers of people?

How do they compete with these massive user directories being built by Facebook, Google, Apple and others?

I don't know.

(If I did I'd probably start up a company... ;-) )

What I do know is that, as I said in my initial thoughts on Wire, "my iPhone is littered with the dead carcasses of so many other apps that have launched trying to be THE communication platform we all want to use."

Some may opt to use the identity systems of one of the major vendors mentioned before - but now you are putting your user directory in the hands of some other entity and relying on them to be there. And... you are excluding people who may not use that system.

Some apps/services may make it easy for you to "find your friends" through using your "social graph"... the connections you have on Facebook, Google, etc.

Some apps use your phone number as an identifier, but they still have to build up their own directory of users.

I don't know the answer... but I see this as a fundamental challenge for any new entrant in the space. How do they gain the directory of users so that people will be able to communicate with others using this new service?

THAT is what the team at Wire needs to answer... and Talko... and every other app.

Unless, of course, they just want to be happy as a smaller, more niche player.

But most of these apps and services want to be THE communication platform you use more than any other. Their success - and funding - is tied to that goal.


A Final Thought - The Bigger Picture

Let me end with one thought... this "directory problem" is in fact tied to the larger challenge of "identity" on the Internet. Back in the pre-Internet days our "identity" for real-time communications was simple - our telephone number. We might have had several phone numbers, but they were ours and they were/are globally unique and globally routable.

With the Internet, we gradually moved to where email addresses were (and still are in many ways) our "identity" online and became the identifiers that we used for many forms of communication.

BUT... when we've moved to IP-based real-time communications, first with instant-messaging / chat and then with voice and video, we've also moved into a realm of fractured identities and identifiers with, as noted above, many different companies vying to have us use their system so that their directory is the most complete and comprehensive.

I do definitely worry about a future in which our identities and the user directories are controlled by large corporations. This, to me, seems like it could be a severe barrier to the "permissionless innovation" that has brought about the "Internet of opportunity" that we have today.

I'd like to hope that we'll arrive at some form of distributed and decentralized identities and directories that can be federated together so that people can find each other. (Which is why I'm intrigued by what the Matrix.org folks and others are doing.) I do worry, though, that the financial incentives are there for the larger corporate players to fight each other for dominance... and leave us regular users of the Internet without a choice.

Thoughts?


An audio commentary on this topic is available on SoundCloud:


UPDATE #1 - On Twitter, Aswath Rao asserted that Firefox Hello doesn't have the directory problem because it provides a way to pass a URL out to anyone so that they can simply call you at that URL. I documented this myself in a post back on December 2nd. I can see his point, but I would argue that for Firefox Hello to be truly useful to me in my regular ongoing communications, I need some form of a "directory", either as a directory in the cloud maintained by Mozilla, or as a local address book in my Firefox browser that keeps track of those URLs. To the degree that Mozilla wants to let Firefox Hello users build up their contact list, I think they still have this issue of building the directory.

UPDATE #2 - In the comments to this post, Tim Panton points out that in many cases people do not want to be contacted. I agree, and in fact I think that the prevalence of email spam is in part what has driven so many of us to separate (walled garden) messaging apps such as Facebook, Twitter, etc. Within those walls I have MUCH stronger control over who may contact me at what point. I do agree that any communications app/service needs those kind of controls - whether that is part of the directory or part of the client application or in the service infrastructure seems to be a bit of an implementation consideration.

UPDATE #3 - The folks at FireRTC contend that they don't have to worry about the directory because they are leveraging PSTN telephone numbers. As I replied, they can certainly use the phone number as an identifier to locate other users. This is a great idea and is done by many similar apps, including Facetime, WhatsApp, Viber and more. BUT... all that does is help bootstrap the directory creation process. They still have to build their directory so that users of their app can find and contact other users.

UPDATE #4 - Aswath and I have been engaged in a Twitter discussion where he points out that WebRTC addresses can be much more decentralized like email addresses have been. He argues that they can provide much greater richness and freedom than a static directory of users.

He's right... BUT... we now come back to the "discovery" issue that directories also address. How do I find your WebRTC URL to call you at? Sure, you can email it or IM it to me ... and I can then store it in my address book or contact list. But somehow I have to get it first - and I have to know that it is the current and best address to use for you.

I often use Facebook to send a private message to someone because it's easier than finding their email address and sending them a message. Now, if I synced my contact lists across all my devices perhaps it would be easier... but I don't and so sometimes FB messaging is easiest. I can see the same kind of thing happening with WebRTC URLs.

UPDATE #5 - In response to this post, Phil Wolff wrote a long series of tweets with ideas for further research on this topic.


If you found this post interesting or useful, please consider either:


Finland Planning “National IPv6 Launch Day” On 9 June 2015

Finland National IPv6 Launch Day

The folks in Finland are planning a “National IPv6 Launch Day” for 9 June 2015. Patterned after 2012’s World IPv6 Launch but targeted at service providers and content providers in Finland, they are seeking participants (and already have a number of both broadband service providers and content companies) at their site:

https://www.viestintavirasto.fi/en/ipv6now/index.html

Given that Google’s IPv6 statistics by country show Finland as currently only 0.48% this effort should help greatly!  (And APNIC’s stats for Finland show a similar value.)

Finland IPv6 statistics

We wish the folks in Finland all the best with this effort and we look forward to seeing these IPv6 statistics change as that date gets closer!

If you are a broadband service provider or a content provider in Finland, we would definitely encourage you to sign up.

And… if you need help getting started with IPv6, whether you are in Finland or not, please do visit our Start Here page to begin!

TDYR 193 – The Directory Problem: The Challenge for Wire, Talko and All Other Skype-Killers

To me the "directory problem" is the greatest challenge facing new communications apps such as Wire, Talko and many more.... how do you build up the directory of users so that the app is useful to people? People will only use a communications app IF the people they want to talk with are using the app!

Catching Up With Mitel …

By way of a tweet I stumbled upon analyst Blair Pleasant's UC Strategies post, "Change - The Only Thing That's Constant", that showed me that while I've been off in the worlds of IPv6 and DNSSEC there has been a great amount of activity happening in the world of my former employer Mitel.

Heck, I didn't even realize they had a new logo! :-)

But indeed they do (apparently back in 2013 in October 2014 (see comments))... and Blair's great look at the world of Unified Communications mentions that and a good bit more. I was aware of the acquisition of Aastra, but did not realize that PrairieFyre had finally been folded into Mitel (it had always seemed to be a likely acquisition candidate as its products worked primarily with Mitel's systems).

With my focus changing a bit, and most of my interest here on Disruptive Telephony focused around WebRTC and some of the newer disruptions to Internet communications, the last time I really mentioned Mitel was back in April with the passing of Simon Gwatkin. My posts about Mitel prior to that go back to 2011 and before.

In looking at Mitel's web site, their rebranding is clear in so many ways. From the nice clean website to the "Mi<whatever>" product naming... there's obviously a great amount of work that's gone on.

Congratulations to the Mitel team, too, on being named a leader in the Gartner Magic Quadrant for UC. Having worked with Gartner analysts in the past on these reports (as a vendor representative), I know what a huge amount of effort goes in to making your case for why your company should be positioned highly - and I also know how powerfully these reports can help in enterprise sales. I read the UC Magic Quadrant report, too, and Gartner had very nice words about Mitel.

While I no longer really focus on the IP-PBX and the "enterprise" side of UC, it's great to see this evolution of Mitel. I still know many excellent people who work there and certainly during my time there (2001-2007) the R&D teams were (and presumably still are) some of the best in the industry.

Congrats to all involved at Mitel!


DNS Security Advisories Out Today For BIND, PowerDNS and Unbound – Time To Upgrade!

While this has nothing to do specifically with the topic of DNSSEC that we cover here on Deploy360, there is important news in the broader world of “DNS security”. The vendors of three of the major DNS recursive resolvers today released security advisories about a particularly nasty bug where the resolver can be tricked into trying to follow essentially an infinite loop and wind up exhausting all resources and potentially shutting down. The advisories from BIND, PowerDNS and Unbound are found at these links:

The advisories from both PowerDNS and Unbound indicate that this bug would be difficult for an attacker to exploit unless they were within the user base of the recursive resolver.  The BIND advisory is more open-ended and indicates the bug could be executed remotely.

In all cases the easiest solution is to upgrade to the newest versions:

While there are apparently no known exploits of the bug in the wild yet, that will now only be a matter of time.  It would be best to upgrade your recursive resolvers as soon as possible.

P.S. While you are in there updating your DNS resolver, if you are using BIND or Unbound, why not enable DNSSEC validation?  It’s a simple change in the configuration file, as shown in this SURFnet white paper.

That moment when your computer makes a notification sound… but you can’t identify it, nor know which browser tab or app made the sound!

TDYR 192 – Where Are The Positive TV Shows Like The West Wing?

Where are the TV shows that are ultimately positive and hopeful like The West Wing? I'm looking for series like that, but all the recent drama series seems to be dark and gritty...

IPv6 Privacy Addresses Provide Protection Against Surveillance And Tracking

Recently we’ve seen several articles, such as one out today, that assert that IPv6 addresses will make it easier for security services and law enforcement to track you. Surprisingly, these articles seem to miss that when IPv6 is implemented today on mobile devices or other computers, it is almost always implemented using what are called “privacy extensions” that generate new IPv6 addresses on a regular basis.

To put it simply – almost every mobile device or computer using IPv6 in 2014 changes its IPv6 address on a daily basis (usually) to prevent exactly this kind of surveillance.

To step back a bit – if you read any of the documents explaining the basics of IPv6, they inevitably mention that the “auto-configured” IPv6 address for a device is created using the network address and the MAC address assigned to the device’s network interface. This gives a theoretically globally unique address for your computer, mobile phone, or device.

If this were the only IPv6 address your device had, it would be something that could be easily tracked.

But…

The engineers who created IPv6 were very concerned that IPv6 could be used in this way and so way back in 2007 they published RFC 4941 defining “privacy extensions for IPv6” autoconfiguration. This standard defines a mechanism where a device generates a random host address and uses that instead of the device’s MAC address.

The device also changes that IPv6 address on a regular interval. The interval can be set to anything, but typically is configured on most operating systems to be one day. In mobile networks, the IPv6 address may change based on the link to which you are connecting, so as you move around you will be generating and using new IPv6 addresses all the time throughout the day.

As we wrote about in a resource page about IPv6 privacy extensions, the following operating systems use IPv6 privacy extensions BY DEFAULT:

  • All versions of Windows after Windows XP
  • All versions of Mac OS X from 10.7 onward
  • All versions of iOS since iOS 4.3
  • All versions of Android since 4.0 (ICS)
  • Some versions of Linux (and for others it can be easily configured)

So if you are using a Windows or Mac OS X computer, or any of the major mobile devices, you are already using IPv6 privacy addresses.

I know from my own network analysis in my home office network that all my devices are constantly changing their IPv6 addresses. (In fact, these IPv6 privacy addresses can cause problems for some applications that expect IP addresses to be stable – which brought about RFC 7217 this year suggesting a way to create a random address when your device is on a given network but then have that change when you move to another network.)
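An added example (not code from the original post) that walks through the three address-generation schemes mentioned above: the MAC-derived EUI-64 identifier, the RFC 4941 temporary identifier that a host regenerates daily, and the RFC 7217 stable-privacy identifier that stays fixed on one network but changes between networks. The MAC address, the 2001:db8:: documentation prefixes, and the use of SHA-256 as the RFC 7217 pseudo-random function are assumptions of the example.

```python
"""Added example, not code from the original post: how an IPv6 interface
identifier (IID) is derived under plain SLAAC (modified EUI-64), under RFC 4941
privacy extensions, and under RFC 7217 stable-privacy addressing, so the
tracking difference the post describes can be seen directly.
MAC address, prefixes and secret key below are constructed sample values."""
import hashlib
import ipaddress
import secrets

SAMPLE_MAC = "00:1a:2b:3c:4d:5e"      # constructed
HOME_PREFIX = "2001:db8:1::/64"       # documentation prefixes, constructed
OFFICE_PREFIX = "2001:db8:2::/64"


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291 appendix A): insert ff:fe between the OUI
    and the device half of the 48-bit MAC and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def mac_from_eui64_iid(iid: bytes) -> str:
    """Inverse of eui64_iid(): anyone who sees an EUI-64 address can read the
    hardware MAC straight out of it, which is the tracking concern."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("not a modified EUI-64 identifier")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def rfc4941_temporary_iid(history: bytes, eui64: bytes) -> tuple[bytes, bytes]:
    """RFC 4941 section 3.2.1: MD5 over (history value || EUI-64 IID). The left
    64 bits, with bit 6 (the "u" bit) cleared so the result cannot be mistaken
    for a globally unique EUI-64, become the new temporary IID; the right 64
    bits become the history value for the next run. Hosts re-run this on a
    timer, typically once a day. Returns (iid, next_history)."""
    if len(history) != 8 or len(eui64) != 8:
        raise ValueError("history value and EUI-64 IID must both be 64 bits")
    digest = hashlib.md5(history + eui64).digest()   # MD5 is what the RFC specifies
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD                                  # clear the "u" bit
    return bytes(iid), digest[8:]


def rfc7217_stable_iid(prefix: str, net_iface: str, secret_key: bytes,
                       dad_counter: int = 0, network_id: bytes = b"") -> bytes:
    """RFC 7217: IID = low 64 bits of F(Prefix, Net_Iface, Network_ID,
    DAD_Counter, secret_key). The RFC leaves the PRF F to the implementation;
    SHA-256 is the choice made here. Same prefix and interface give the same
    address every time; a different prefix gives an unlinkable one."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    material = (pfx + net_iface.encode() + network_id
                + dad_counter.to_bytes(4, "big") + secret_key)
    return hashlib.sha256(material).digest()[-8:]


def address(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix with a 64-bit IID into a textual IPv6 address."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    return str(ipaddress.IPv6Address(pfx + iid))


def demo() -> dict:
    """Run the three schemes side by side and return the results."""
    eui = eui64_iid(SAMPLE_MAC)
    history = secrets.token_bytes(8)        # first history value is random
    day1, history = rfc4941_temporary_iid(history, eui)
    day2, history = rfc4941_temporary_iid(history, eui)
    key = secrets.token_bytes(16)           # per-host secret kept in stable storage
    home = rfc7217_stable_iid(HOME_PREFIX, "eth0", key)
    home_again = rfc7217_stable_iid(HOME_PREFIX, "eth0", key)
    office = rfc7217_stable_iid(OFFICE_PREFIX, "eth0", key)
    return {
        "eui64": address(HOME_PREFIX, eui),
        "mac_recovered_from_eui64": mac_from_eui64_iid(eui),
        "rfc4941_day1": address(HOME_PREFIX, day1),
        "rfc4941_day2": address(HOME_PREFIX, day2),
        "rfc7217_home": address(HOME_PREFIX, home),
        "rfc7217_home_is_stable": home == home_again,
        "rfc7217_office": address(OFFICE_PREFIX, office),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value}")
```

Running it shows the EUI-64 address giving the MAC back verbatim, the two RFC 4941 addresses differing from each other, and the RFC 7217 address repeating on the home prefix while differing on the office prefix.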

In the end, the ability of security services to track you on IPv4 versus IPv6 is pretty much about the same. With IPv4, you generally have a public IPv4 address that is assigned to the edge of your network, perhaps your home router or the router at the edge of your corporate network. You then use NAT to assign private IPv4 addresses to all devices on the inside of your IPv4 network. On the public Internet, all that an observer can see and track is your public IPv4 address – there is no further information about the device on the inside of the network beyond a port number.

With IPv6, you typically have a public IPv6 network address assigned to the edge of your network and then the devices internally configure themselves using IPv6 privacy extensions. On the public Internet, an observer can see and track your public IPv6 address, but that will be changing each and every day, making any kind of long-term tracking rather difficult or resource-consuming.

We definitely want to see more articles about IPv6 security appearing out in the mainstream media as these are extremely important conversations to have – but when talking about IPv6 addresses and surveillance, let’s please try to focus on how IPv6 is actually being implemented rather than how it could theoretically be done.

NOTE: For a lengthier technical discussion on this topic, please view this Internet Draft: draft-ietf-6man-ipv6-address-generation-privacy

For more information on how to get started with IPv6, please visit our Start Here page to find resources focused on your role or type of organization.

P.S. From a privacy perspective, I am personally far more worried about the application-layer tracking that occurs through “cookies” (including the new “super cookies” deployed by some mobile network providers) and other mechanisms. For these tracking mechanisms, the underlying IP address is completely irrelevant.