How the low-tech internet tackles high-tech threats

How high-tech is the internet?

Despite feeling like the behind-the-scenes web is inaccessible to most, you’ll be pleased to know that the internet is not magic: there’s a reason and explanation for everything, and while technical, it’s not always as complicated as it might seem. One thing that brings the hypercomplex aura of the internet back down to earth is the quirky, low-tech side of what makes it work—there really are some things computers and algorithms just cannot do.

Let’s consider randomness: as human beings, with complex thought patterns and a penchant for unpredictability, we can be random. We could pick a number between 1 and 1,000 for no reason besides it feeling ‘random,’ and follow that up with another entirely random number, so that even we ourselves don’t know which choice we’ll make next. That said, humans are not flawless randomizers, as we can quickly descend into creating patterns or memorable combinations. Computers, on the other hand, cannot be random—it is genuinely impossible. They can simulate randomness, of course, like an online dice roller or random number generator does, and it can seem more or less random to us as the receiver of information.

This randomness-aversion also appears in other ways. When was the last time you felt your Spotify playlist was well and truly ‘shuffled’? While it’s true that the platform’s ‘automix’ features give preference to similar sounding songs and your recent listening history, some songs will never come up because there is often no ‘true shuffle’ on algorithm-based platforms like Spotify. This is called psuedorandomness, and yes, for the most part, it is ‘random enough’ for the purposes we need on the user-end. But the computer will always know what comes next: the sequence of results is always calculated, always predetermined.

Why is randomness important for security?

For low-stakes things like song play orders or random number generators, the lack of true randomness is not a big deal. As long as it seems random to us as humans, the mission has been accomplished.

The real issue arises when considering (online) security and computer to computer (and other M2M) communication. Much of our online experience is encrypted: consider the padlock in your browser bar, indicating SSL status, or how much time you spend ‘logged in’ on social media, email, or e-commerce sites. And much of our online experience must be encrypted to keep us safe as we share personal data like contact information, photographs, payment details, and other confidential kinds of records. Online security is based on keys, which rely on randomness and undecipherability to ensure unpredictability—if a computer and malicious actor can predict or decipher the key, it cannot be secure. Strong, unique numbers are crucial for this, as they become the secure encryption keys for wifi passwords, SSH and SSL certificates, and more.

donut graph showing shares of SSL certificate algorithms for .com domains — Figure 1: A graph showing the shares of SSL certificate algorithms for .com domains.

Let’s take a look at the data: the Secure Hash Algorithm (SHA) in SSL certificates refers to cryptographic hash functions used in the digital signatures (keys) of these certificates. The functions are essential for ensuring data integrity and authenticity in SSL/TLS communications. In essence, generating an SHA hash involves processing the input data—like a prime or truly random number—through a series of mathematical operations—like multiplying by another prime or random number—to produce an output that uniquely, securely represents the original input. Figure 1 shows the four more-used SHA types for .com domains in our database.

Chaos, entropy, and lava lamps

So, if humans are not effective randomizers, and computers cannot be random, how does online security work? This is where the low-tech internet shines: it utilizes the true randomness of the outside world and the physical things around us to ‘seed’ randomness. An excellent example of this is IT management services company Cloudflare and their lava lamps. Referring to their lamp wall, cryptographer Nick Sullivan explains that it's the photographing of the lava bubbles, the room’s light ambience, (white) noise levels, and a number of other—completely offline—factors that form the basis for solid internet encryption capabilities. Their branch in London uses a ‘chaotic pendulum,’ and the Singapore office tracks the decay of radioactive isotopes to derive randomness for encryption keys. Digital security companies use multiple sources and layers to introduce randomness in their security.

lava-lamp style gif of blue lava on a purple background — The rise and fall of the 'lava' in a lamp is impossible to accurately predict, making it a prime source of entropy.

The mentioned examples are physical sources of entropy, which means they produce randomness in a physically observable manner. Other sources of entropy are just as useful. Thermal noise can be tracked to harness randomness from the hums and jitters in electronic circuits, and Quantum Random Number Generators (QRNGs) are devices that leverage quantum phenomena, such as the behavior of photons, to produce truly random numbers. When operating systems collect entropy from various sources (like mouse movements, keyboard timings, or system events) this is called Software-Based Randomness, which relates to the randomness that can be generated by human-device interaction. User-generated entropy is also a popular contribution to encryption, as Tom Scott explains: personal computers can use the milliseconds between clicks, or smartphones can use movement and tilt data to generate randomness.

These methods highlight the importance of both physical and digital randomness in maintaining security protocols across the internet. Each method has both strengths and weaknesses, and it’s often a combination of these techniques that get employed to ensure high-quality randomness. These low-tech solutions solve incredibly high-tech problems, and help us understand how the internet works just a little better. ‘Low-tech’ should not imply that the solutions are simple or effortless, but rather that they are graspable for those outside the industry, too.

Low-tech solutions for high-tech problems

Honorable mention: Low-Tech Magazine

Barcelona, ES: this solar internet project is a solar-powered website and magazine, created by Belgian author Kris de Decker. It focuses on and explores the sustainability of technology, reduction of (power) consumption, and prioritization of low-tech solutions to socially constructed high-tech problems. Its solar base is in Spain, where the good weather helps to keep it online, but the site gives its visitors the heads-up that it may be down when the weather has been bad. Take a look at the website to learn about dithered images, technological sustainability, using history to inform our futures.

screenshot of the "how to build a low-tech internet" page of the Low Tech Magazine website — How to Build a Low-tech Internet, via solar.LowTechMagazine.com.

___________________________________

This article is part of the Modern Internet series, where we dive into today's digital culture and the online landscape. Check out Internet Nostalgia, for a head start on finding great spaces to hang out online, or GenAI Transparency to learn about maintaining the Living Internet. Keep an eye out for our upcoming piece on the rise of mini-games where they're least expected, and later, the consequences of digital hoarding.