Your organization does its best to control its technology as much as possible. You monitor the activities of your employees and contractors. You compile performance metrics and analyze them. If a server experiences downtime, your network admins are right on it. And no one enters your facilities without authorization. But you can’t control your entire supply chain. That’s impossible. And the more third-party vendors you have, the more flexibility and preparedness you’ll need. The controversial new NGINX raid story illustrates this as far as your web operations are concerned.
Russian police raided the Moscow offices of NGINX, a subsidiary of F5 Networks, on December 12th. This is big news in the world of web technology. According to Netcraft’s Web Server Survey, NGINX has been steadily rising in web server market share since about 2009. As of December 2019, NGINX has more market share than their competitors, at 38%. Comparatively, Apache has 24%, and Microsoft has 15%. Having number one market share and even beating Apache is a big deal. Unfortunately, this means that the NGINX raid will likely affect a huge number of companies and their web operations, web apps, websites and machine identities. Events such as this may force you to make changes to your web infrastructure in a very short timeframe.
It started when Russia’s Rambler Group filed a copyright infringement claim against NGINX, asserting full ownership of NGINX’s web server code. Rambler Group claims that NGINX founder Igor Sysoev developed the NGINX web server platform while working as a system administrator for Rambler Group, and that NGINX’s code therefore belongs to Rambler. This reminds me of when Mattel sued MGA Entertainment in 2008. Mattel, of course, is famous for Barbie dolls. MGA’s Carter Bryant used to work for Mattel as a Barbie designer. Carter Bryant created MGA Entertainment’s Bratz dolls, which became a major competitor to Mattel’s Barbie doll line in the early 2000s. Mattel claimed that Bryant developed Bratz while working for Mattel, and that Mattel therefore owned the rights to them, so Mattel claimed copyright infringement. By 2011, a US federal judge had ruled in MGA Entertainment’s favor, finding that Mattel owed MGA $309 million in damages. But the web server business is very different from the doll business, and Russia’s legal system is very different from that of the United States.
When Russian police raided NGINX’s office, cofounders Igor Sysoev and Maxim Konovalov were detained, and computer equipment was seized. In a 2012 interview, Sysoev said he did indeed develop NGINX while working at Rambler. According to a Google Translate translation, he said, “I worked as a system administrator. However, in addition to the direct work of the system administrator, I again began to write programs in my free time. It should be noted that programming was not part of my job responsibilities, but since there was time and traction, the first thing I did was adapt the patch to compress Apache responses... In 2003, they found out about my developments outside of Rambler, and, moreover, nginx began to be used on several sites. The first was the Estonian dating site Rate.ee, which still exists. This, by the way, is the most highly loaded website in Estonia. Then nginx began to be used on mamba.ru and on zvuki.ru, where it distributed MP3s.
At the beginning of 2004, Rambler launched the foto.rambler.ru service, and one of my colleagues, Oleg Bunin, asked me to complete request proxying functionality in nginx in order to start fully using it, including on the Rambler photo service. Up to this point, the project was quite academic; I gradually wrote it, but it could never end in anything, that is, it could not be put anywhere in production. In general, it turned out that I urgently completed the proxying as well. And somewhere in the beginning of 2004, a proxy version appeared, and the foto.rambler.ru service started working on the basis of nginx.
On October 4, 2004, on the anniversary of the launch of the first space satellite, I released the first public version: 0.1.0.”
So, versions of NGINX have been open source since 2004. People don’t usually release code as open source if they want to make money from it. Either way, this legal case is likely to have a significant effect on the web operations of enterprises and businesses of all sizes.
This brings us to a crucial point. If your company needs to change its web server platform, can you bulk replace all of your TLS certificates accordingly? Those machine identities are integral to the security of your web operations. If you lose track of any of them, they become lucrative keys that cyber attackers can use to get at your most sensitive data. Cyber attackers could impersonate your website or web app on the internet. They could perform man-in-the-middle attacks on the data transmitted between your servers and your users’ endpoints. That’s bad news indeed, and far too much risk for your organization to carry.
Proper machine identity management not only gives your organization much better visibility into its certificates, it also helps you move from one web platform to another when you must do so unexpectedly. And beyond man-in-the-middle attacks, losing control of your certificates can also lead to website and web app downtime, and downtime leads to lost revenue and possible reputational damage for your company.
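A first step toward the visibility described above is knowing which certificate each NGINX server block actually depends on. The example below is added here and is not code from NGINX, F5 or any vendor product: it walks a constructed nginx.conf fragment, records the real `listen`, `server_name` and `ssl_certificate` directives per `server {}` block, then maps each certificate file to the hostnames that rely on it and flags TLS listeners that reference no certificate at all. The function names `parse_servers` and `certificate_inventory` are hypothetical.

```python
SAMPLE_CONF = """http {  # constructed sample nginx.conf fragment, not a real deployment
    server {
        listen 443 ssl;
        server_name www.example.test example.test;
        ssl_certificate /etc/nginx/certs/www.crt;
    }
    server {
        listen 443 ssl;
        server_name api.example.test;
        ssl_certificate /etc/nginx/certs/wildcard.crt;
    }
    server {
        listen 443 ssl;
        server_name admin.example.test;
        ssl_certificate /etc/nginx/certs/wildcard.crt;
    }
    server {  # TLS listener that references no certificate at all
        listen 443 ssl;
        server_name legacy.example.test;
    }
}"""

def parse_servers(conf):
    """Return one dict per server {} block with its TLS-relevant directives."""
    servers, current, depth, block_depth = [], None, 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if current is None and line.startswith("server") and line.endswith("{"):
            servers.append(current := {"server_name": [], "listen": [], "ssl_certificate": None})
            block_depth = depth + 1                # brace depth of this block's body
        depth += line.count("{") - line.count("}")
        if current and line.endswith(";"):
            key, *values = line[:-1].split()
            if key == "ssl_certificate":
                current[key] = values[0]
            elif key in current:                   # server_name / listen may repeat
                current[key].extend(values)
        if current and depth < block_depth:        # closing brace of this server block
            current = None
    return servers

def certificate_inventory(servers):
    """Map each certificate file to the hostnames that depend on it; list TLS listeners with none."""
    by_cert, missing = {}, []
    for s in servers:
        if s["ssl_certificate"]:
            by_cert.setdefault(s["ssl_certificate"], set()).update(s["server_name"])
        elif "ssl" in s["listen"]:
            missing.extend(s["server_name"])
    return {c: sorted(h) for c, h in by_cert.items()}, missing
```

Run against a real configuration, the first dictionary tells you how many hostnames a single file replacement touches, and the second list shows the gaps a bulk replacement would silently skip.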
You can’t control everything that happens in your supply chain. You may need to suddenly switch vendors or platforms. When that happens, you must be prepared. Proper machine identity management makes everything much easier and gives your organization more control.