In this chapter you've seen some of the issues of computing trust and verification, and places where trust and security can be compromised by a person or computer that is providing false identification tokens to your system. Here we've concentrated on how basic network information can be falsified, and the consequences of such spoofing, but the issue of trustable information extends to any sort of computing data in a similar fashion. The information by which you recognize a familiar auction Web site can be spoofed by someone who has copied the page's layout and design.
Unless you're terrifically alert, you probably pay much more attention to what the page looks like than to the URL that appears in your Web browser's location bar. Emails can be spoofed; the identifying information that gives machines' names on the network can be spoofed; practically any data that is delivered over the network can be falsified by someone, in some way. What you need to determine for yourself and for your systems is what identifying information is sufficient for you to trust, and how much trust you're willing to have, based on that amount of information. The answers will be different for almost every user and almost every context. We can only help to show you where the problems might lie, and try to illustrate potential consequences that might not be readily apparent. You will need to make the hard decisions yourself regarding who to trust and how much, based on your own needs and the sensitivity of whatever information might be at stake.
When considering the possibilities for spoofing and the areas where it may cause harm, it's important to remember that spoofing is essentially impossible to completely prevent. Regardless of the credentials you require to verify identity, there will be some way that someone might be able to provide false credentials and establish a false identity. What you can do is make it harder to generate believable false credentials, and take advantage of any auxiliary data that is available to attempt to corroborate the identification. Use firewalls, monitoring software, and identification protocols for which the credentials cannot be easily stolen or duplicated. Make certain that the identification credentials you choose to accept are kept up to date, and that software that uses them has been patched against any possibility of information leakage.
Many network services and many types of data already have software written to help you with the task of establishing a trust level for various credentials, and there will undoubtedly be more that appear as the realities of network commerce mature. Examine your computing trust needs, what the pitfalls in any particular trust situation might be, and what avenues present themselves for establishing the veracity of credentials that are presented to you. In some cases there will be few to no safeguards in place, but if the communication or identity verification is one that is common in the networked world, someone will probably be working on solutions to assist in detecting and avoiding spoofed information. Some of these may not be inexpensive, but as we've reiterated throughout this book, there are bad people out there who want to do bad things. Only you can decide how important the truth of any communication is, and how much effort, time, or money you're willing to invest in increasing the level of your trust in that information.