They are. Nodes on the internet should be identified by public key hashes, not IPs. Whoever can respond to a packet with a message, whose signature verifies against the public key that it's destined to, is by definition the recipient.
Servers would have relatively static keys, while client keys could be as ephemeral as wanted. So rather than specify an IP address (location) as destination, you specify the recipient, by encrypting a request with eg. Google's SSL public key, signing it with your public key, and delivering it to something that will route this packet to Google (at whatever IP address that may be), so they can decrypt it, and produce a packet encrypted with your public key.
My point is that, with cryptography, they are redundant. If all traffic on the internet is encrypted, why do I need to both encrypt a packet such that only a single recipient can read it and specify an address? Any node on the path to the recipient could do a lookup and find Google's IP address, the client doesn't really need to.
Huh? Then you have to send "google.com" as a string instead of its IP address, which doesn't have any benefits, and can even change meaning during the time the packet is traveling... not to mention that it'd flood the DNS servers for no good reason.
I don't understand how your system would work with any sort of reasonable performance. How do upstream routers know which network to forward your packet to? The reason BGP works is because address spaces are delegated to "autonomous systems". The authority over the address space delegated to an autonomous system doesn't change very often, therefore only systems close to a packet's destination need to be updated with respect to routing changes on a regular basis. Systems farther away have a basic and infrequently-changing idea of how to interact with that ASN, i.e. your ISP doesn't really care what Google's network is doing, it knows how to get your packet closer to Google, and that's all. As the packet gets closer to the destination, those systems know more about Google and less about your ISP. Thus, we have an actual distributed system' the information each network needs to store and maintain is limited, but there is still much flexibility allowing the network to self-repair damage.
Certainly, networks can work without any delegation in this form; tor's hidden services show that this can work in practice. Pretty slow though. Reasonable performance (and accuracy) depends on not having every node on every network know the correct route to every other node, or having nodes have to reach a consensus (slow) on where to forward your packet at each hop. What's your plan for that?
I don't understand the problem, isn't this "solved" by contact lists? I for one am glad I can just call "Ted" instead of having to remember some nonsense like dreamyted887.com
I agree phone numbers are stupid to use as authentication, but I don't see how this scheme can save anyone from having to purchase a new sim when they move between autonomous cell regions.
Also, why is the Patrick McGoohan quote attributed to Iron Maiden?
1. the telephone number system is terrible (but only in hindsight)
2. a telephone number should not be used for security
But his premise of a DNS for phone numbers is ridiculous. Does he think the PSTN was invented when smartphones came out? What about the wide plethora of legacy phones that would cause countless issues?
If someone did manage to complete he herculean (if not impossible) task of making it happen, it would be a massive waste; the PSTN will become obsolete in the not so distant future as internet based solutions take over.
I actually believe the PSTN is so ingrained in international networks that it will be around for another 50 years, minimum. Think SS7 and the fact that anything that touches PSTN relies on a legacy implementation at some point (probably all VoIP terminates there at some point, every cellular device, etc.). This is just a guess though on my part..
If you want a stable phone number, use Google Voice (or another VOIP equivalent).
When I travel to Europe/Asia, I just buy a local SIM and use Google Hangouts to make and receive calls over IP. I treat my cell phone numbers as disposable, and indeed,I've been through 4 different prepaid carriers in the past few years, but none of my friends and family noticed any change since they all call via my GV number. (well, in reality, almost no one calls these days except my parents, everyone else SMS's... I don't even answer the phone if it's not from one of my contacts since 95% of the time it's a telemarketer, and if it's not, they can leave me a message and Google will transcribe it)
I have a second number from Anveo.com that I can forward to any number in the world. They have voice mail and smart call flow routing so you can do things like forward unanswered calls to another number, set up a mini IVR system (i.e. "Press '1' to call me on my mobile", "Press '2' to call my mom", etc.). They do SMS forwarding for some countries, as well as web based SMS.
They also have a nice service that lets you purchase a number in a foreign country and forward it to your own number. My relatives live overseas so I bought a local number in their country that they can use to call me for free. it only costs me a few dollars/month.
None of these features are unique to Anveo, but I've been using them for a few years and have been quite happy with the service.
if you live in the UK or Spain (where Google voice doesn't exist) O2 / Telefonica does something very similar, you can use their service TuGO and you can keep your phone number, receive and send SMS and calls all through internet and you don't even need your sim, or a phone, you can use it on a Browser or an app for Android and iOS (iPad included), on any network, wifi or some disposible sim. The advantage over GV (apart from not being US only) is that whilst you can use it without a sim, you do get the sim for those services that refuse Voip, you get the best of both world. Also TuGO is given at no extra cost, as long as pay monthly you have it.
How does that work for all the services that refuse to accept VoIP numbers nowadays? Don't they still need your cell phone number, which keeps changing?
Hm, I've definitely seen a lot. First one that comes to my mind is Telegram [1], but it's not one I use personally. I've run across it before personally too, but I'm forgetting for what services...
Now imagine crossing the border, connecting to a new telco and being prompted to choose a data plan (or a phone number). This would be great! I’d purchase new phone number / data plan every time I’d cross the border. Telcos would profit from this and I wouldn’t have to spend time researching the best package (I will be presented with the options right in the popup on my phone)
The author has a very optimistic view of cellular companies -- in many countries, the official carrier rates for SIM's are far worse than those available from resellers, so the "Click here to roam" rates are not likely to be the "best options"
If telcos really wanted to give fair rates to roaming customers, they'd just negotiate more reasonable roaming rates so visitors wouldn't feel the need to buy a local SIM in the first place.
> in 2016, roaming rates were still quite high in Europe
Actually, European roaming is incredibly reasonable, and set to get even better.
Since July 2014 roaming charges were set to EUR 0.05 per minute, and since April this year that was changed to a cap, with prices varying from the domestic rate to EUR 0.05 maximum. And the legislation [0] requires the telcos to make changes again next year in 2017, that will make roaming charges equivalent to domestic charges, i.e. abolishing them. Similar rules apply to data rates - between domestic rate and EUR 0.05 per MiB just now and no extra charge above domestic in 2017.
Maybe I didn't state it right. What I meant wasn't roaming. When connecting to a new telco, when you enter new country, you would be able to choose new phone number and package. Simple as that.
Whenever I hear a rant about SIM cards I just mentally think that this person hasn't thought about the problem for 5 seconds longer than needed.
"Oh CDMA proves you don't need a SIM card" - the stupidity HURTS
Given his difficulty in "buying a SIM card" (which I've done in several countries and it was never as difficult as portrayed) I can see why
- SIM cards makes switching telcos EASIER as CDMA phones need the company to issue an UIMID before you can do anything with it (while SIM cards talk to the company and do that - they're tiny computers) - oh and btw newer CDMA modules are moving to SIM cards
- SIM cards are safer, as initial CDMA systems that fell back to AMPS were vulnerable to cloning
"I wouldn’t have to go to a shop to buy SIM card and I wouldn’t have to go back to the same shop to top-up my SIM card."
And that's why a lot of stores sell (or you know, they just give you) SIM cards and an even bigger amount of stores have top-ups available.
And of course the "proposed solution" relies on login/password which is such a bad taste joke I don't even find funny. A SIM card is a hardware crypto auth module, if there's one thing that deserves to be called "stupid technology of the past century" are usernames and passwords.
Sure, phone numbers are old. It's an old standard that has a big backwards compatibility requirement.
Also, don't most pre-pay SIMs have an online top-up service, usually made available automatically if you try to use data without having any credit. As well as that, most ATMs have an option for 'top up mobile' here in the UK, and pretty much every corner shop will sell you a top-up voucher. Or, of course, you just try dialing a number without having any credit, and you're forwarded to the automatic top-up line.
The idea that one has to return to the shop you purchased the SIM from is insane, in fact, there are many places where this is impossible, for example the local pound store sells all manner of SIM cards for GBP 1.00 (identification? nope, but here, have a pound coin...) but don't do top ups.
If you want the future, look at software SIM cards or e-SIMs [0] (like the Apple one[1] in the latest iPad) which can be provisioned remotely.[2][3]
"It was never as difficult as portrayed" - we are talking about UX here. Stating that something is not as difficult is wrong. The UX is bad. When you go to a new country for the first time, you need to search online or ask around how and where to buy sim card. Yes, you can do it in a lot of countries in almost any grocery store. I'm not saying it's easy and it's close to impossible to have something like this implemented world wide. I'm proposing what I think would be ideal solution.
Login/password is the current de-facto standard. Until something better, widely accepted comes along, I don't see why my phone number should be safer than my facebook account or my bank account (it's not username/password, but the security of cards that we use for payment is pretty bad)
The most widely used 2nd factor for authentication is a phone number. When I log into my gmail account from a new PC they send me a text to confirm. Same for my bank account. Same for several other services.
The reason they do this is because my phone is safer than a simple user / password.
> we are talking about UX here. Stating that something is not as difficult is wrong.
As an UX concept, correct. But UX cannot go against technological limitations, physical reality or security
> When you go to a new country for the first time, you need to search online or ask around how and where to buy sim card
Go walk in the city center maybe? Ask around?
Yes, you usually need to do some research if you want the best price, but that goes for most things . Also a lot of electronics stores can give you the different plans as they have sim cards.
Asking around and doing price research is part of being an adult, sellers won't come together to offer you a price and plan comparison in one page.
You're also assuming that people will want to change their mobile operator when they get to a different country (for a short trip they won't need it, some will need to keep their original phone working)
Now, remote SIM provisioning may be a good option for some devices (not all of them have wifi or are a smartphone), but that's much different from having a user/pwd combination
> Login/password is the current de-facto standard.
Until people start having their cell phones cloned, which already happened and that's why they came up with something better
> Until something better, widely accepted comes along
Doesn't this exist already? It's called DNS, along with E.164 representation of numbers.[0] You can map a telephone number to its E.164 representation by reversing it, so +447123456789 would become 9.8.7.6.5.4.3.2.1.7.4.4.e164.arpa and delegation at various points in the hierarchy would be done by the responsible PTO or telco, so that looking up the number would map to a SIP or similar identifier. Alternatively, looking up a DNS name could return a record with the E.164 address as a CNAME or similar, to provide the name to number mapping. I don't think this is really very widely implemented, except maybe for some VOIP providers, but since 4G UMTS is IP based maybe it could become more useful?
38 comments
[ 2.8 ms ] story [ 78.5 ms ] threadServers would have relatively static keys, while client keys could be as ephemeral as wanted. So rather than specify an IP address (location) as destination, you specify the recipient, by encrypting a request with eg. Google's SSL public key, signing it with your public key, and delivering it to something that will route this packet to Google (at whatever IP address that may be), so they can decrypt it, and produce a packet encrypted with your public key.
Certainly, networks can work without any delegation in this form; tor's hidden services show that this can work in practice. Pretty slow though. Reasonable performance (and accuracy) depends on not having every node on every network know the correct route to every other node, or having nodes have to reach a consensus (slow) on where to forward your packet at each hop. What's your plan for that?
I agree phone numbers are stupid to use as authentication, but I don't see how this scheme can save anyone from having to purchase a new sim when they move between autonomous cell regions.
Also, why is the Patrick McGoohan quote attributed to Iron Maiden?
1. the telephone number system is terrible (but only in hindsight) 2. a telephone number should not be used for security
But his premise of a DNS for phone numbers is ridiculous. Does he think the PSTN was invented when smartphones came out? What about the wide plethora of legacy phones that would cause countless issues?
If someone did manage to complete he herculean (if not impossible) task of making it happen, it would be a massive waste; the PSTN will become obsolete in the not so distant future as internet based solutions take over.
http://www.itu.int/osg/spu/enum/
https://en.wikipedia.org/wiki/Telephone_number_mapping
When I travel to Europe/Asia, I just buy a local SIM and use Google Hangouts to make and receive calls over IP. I treat my cell phone numbers as disposable, and indeed,I've been through 4 different prepaid carriers in the past few years, but none of my friends and family noticed any change since they all call via my GV number. (well, in reality, almost no one calls these days except my parents, everyone else SMS's... I don't even answer the phone if it's not from one of my contacts since 95% of the time it's a telemarketer, and if it's not, they can leave me a message and Google will transcribe it)
They also have a nice service that lets you purchase a number in a foreign country and forward it to your own number. My relatives live overseas so I bought a local number in their country that they can use to call me for free. it only costs me a few dollars/month.
None of these features are unique to Anveo, but I've been using them for a few years and have been quite happy with the service.
[1] http://telegram.wiki/troubleshooting:ri
I have a very old GV number (at least 7 years old), so maybe not all numbers are flagged as VOIP.
Interesting network to network phenomenon or "growth engineering?" ;)
The author has a very optimistic view of cellular companies -- in many countries, the official carrier rates for SIM's are far worse than those available from resellers, so the "Click here to roam" rates are not likely to be the "best options"
If telcos really wanted to give fair rates to roaming customers, they'd just negotiate more reasonable roaming rates so visitors wouldn't feel the need to buy a local SIM in the first place.
Actually, European roaming is incredibly reasonable, and set to get even better.
Since July 2014 roaming charges were set to EUR 0.05 per minute, and since April this year that was changed to a cap, with prices varying from the domestic rate to EUR 0.05 maximum. And the legislation [0] requires the telcos to make changes again next year in 2017, that will make roaming charges equivalent to domestic charges, i.e. abolishing them. Similar rules apply to data rates - between domestic rate and EUR 0.05 per MiB just now and no extra charge above domestic in 2017.
[0] https://ec.europa.eu/digital-single-market/en/roaming-tariff...
"Oh CDMA proves you don't need a SIM card" - the stupidity HURTS
Given his difficulty in "buying a SIM card" (which I've done in several countries and it was never as difficult as portrayed) I can see why
- SIM cards makes switching telcos EASIER as CDMA phones need the company to issue an UIMID before you can do anything with it (while SIM cards talk to the company and do that - they're tiny computers) - oh and btw newer CDMA modules are moving to SIM cards
- SIM cards are safer, as initial CDMA systems that fell back to AMPS were vulnerable to cloning
"I wouldn’t have to go to a shop to buy SIM card and I wouldn’t have to go back to the same shop to top-up my SIM card."
And that's why a lot of stores sell (or you know, they just give you) SIM cards and an even bigger amount of stores have top-ups available.
And of course the "proposed solution" relies on login/password which is such a bad taste joke I don't even find funny. A SIM card is a hardware crypto auth module, if there's one thing that deserves to be called "stupid technology of the past century" are usernames and passwords.
Sure, phone numbers are old. It's an old standard that has a big backwards compatibility requirement.
The idea that one has to return to the shop you purchased the SIM from is insane, in fact, there are many places where this is impossible, for example the local pound store sells all manner of SIM cards for GBP 1.00 (identification? nope, but here, have a pound coin...) but don't do top ups.
If you want the future, look at software SIM cards or e-SIMs [0] (like the Apple one[1] in the latest iPad) which can be provisioned remotely.[2][3]
[0] http://www.gsma.com/connectedliving/embedded-sim/ [1] http://www.apple.com/uk/ipad/apple-sim/ [2] http://www.gsma.com/rsp/frequently-asked-questions-gsmas-rem... [3] https://en.wikipedia.org/wiki/Remote_SIM_provisioning
Login/password is the current de-facto standard. Until something better, widely accepted comes along, I don't see why my phone number should be safer than my facebook account or my bank account (it's not username/password, but the security of cards that we use for payment is pretty bad)
The reason they do this is because my phone is safer than a simple user / password.
As an UX concept, correct. But UX cannot go against technological limitations, physical reality or security
> When you go to a new country for the first time, you need to search online or ask around how and where to buy sim card
Go walk in the city center maybe? Ask around?
Yes, you usually need to do some research if you want the best price, but that goes for most things . Also a lot of electronics stores can give you the different plans as they have sim cards.
Asking around and doing price research is part of being an adult, sellers won't come together to offer you a price and plan comparison in one page.
You're also assuming that people will want to change their mobile operator when they get to a different country (for a short trip they won't need it, some will need to keep their original phone working)
Now, remote SIM provisioning may be a good option for some devices (not all of them have wifi or are a smartphone), but that's much different from having a user/pwd combination
> Login/password is the current de-facto standard.
Until people start having their cell phones cloned, which already happened and that's why they came up with something better
> Until something better, widely accepted comes along
It's called SIM card, and it is widely accepted, since most carriers went for GSM worldwide https://en.wikipedia.org/wiki/Comparison_of_mobile_phone_sta...
[0] https://en.wikipedia.org/wiki/E.164#DNS_mapping_of_E.164_num...