The internet is often considered to be an open environment where no one really controls anything. A company or a person might have control over a particular website but in the big scheme of things you can set up whatever websites you want without anyone’s permission.
This is mostly true, but not totally true. If you keep going up the chain of control on the internet, you will eventually reach the top, where there sit people who hold seven keys. Those keyholders are ultimately the ones who control the internet.
Learn more about the internet’s key masters on this episode of Everything Everywhere Daily.
If the idea of seven key masters holding the keys which control the internet might sound a bit like something out of Lord of the Rings, or maybe Game of Thrones, I get it. But as you’ll soon see, it’s quite literally true. There are even ceremonies involved, but it does not involve the sacrificing of goats or chickens.
Before we get to the key masters, we need a bit of a backgrounder on how the internet works.
Let’s say you are at your computer and you want to go to a website. You open your browser and you type in some random website like everything-everywhere.com.
How does your browser know which computer in the world to go to, to get the information you are looking for?
The names we type into browsers are not what is actually used to identify computers. In reality, every computer on the internet has what is called an IP address, or an internet protocol address. This is a 32-bit number that is written out in a human-readable form as a series of four numbers from 0 to 255 separated by periods.
An example of an IP address would be 126.96.36.199. This happens to be one of the IP addresses used for my website.
Remembering a long string of numbers for everything would be confusing, so instead, we use domain names to direct us to the IP address which is behind the scenes.
To use an analogy, every telephone has a telephone number. However, if you call your friend from a smartphone, you might just click on their name in your address book. Many of us have completely forgotten people’s phone numbers because we just use their names.
Same thing on the internet, except we have many billions of IP addresses.
When you type that domain name into your browser, it needs to figure out what the IP address is that is associated with that domain name.
So, the first step in visiting a website is figuring out what the IP address is. That information is held on a domain name server or a DNS.
So, when you visit a website, you first visit a domain name server, which gives you the IP address, and from there you can visit the website. It all happens so fast, you don’t even realize it’s happening.
So, how does the DNS know what the right IP address is?
The DNS system is organized in a hierarchical fashion like a tree diagram. Above the DNS server are organizations that issue domain names. Companies like Godaddy and many other companies issue domain names for top-level domains.
Top-level domains include ones you are familiar with such as .com, .net, .eu, as well as national-level top level domains such as .ca, .uk, etc.
Every top-level domain has its own master server which has all the information from which the lower level DNS gets their data from.
What sits above the top-level domains on the DNS network?
At the very top of everything, the organization which is responsible for the DNS system, and the organization which ultimately is responsible for issuing all of the IP addresses is ICAAN: the Internet Corporation for Assigned Names and Numbers. ICANN runs the root servers for the entire DNS system.
All of these DNS servers use a form of an encrypted signature that verifies the trustworthiness of each DNS server below it. ICAAN has a cryptographic signature on which everything is dependent.
These signatures consist of a public key, which everyone can see, and a private key, which as the name would suggest is very private.
The private keys are held on devices known as secure hardware security modules or HSM’s which are kept inside safes in two facilities. Two each are stored in Culpeper, Virginia, and in El Segundo, California.
Each HSM is physically resistant to tampering. If someone were to try to open it or even move it too much, it will shut down.
What would happen if all four of the HSM’s were to fail? What would happen to the internet?
The master keys can be recreated. In fact, this process happens every three months in what’s called a key signing ceremony.
To create a new key, seven smart cards are required. Each smart card is held in a safe and each safe is opened with a unique key, each of which is held by seven different people around the world.
Each person, known as a Trusted Community Representative, is a technical expert from a different country and their names are publicly listed on the ICANN website.
Each key signing ceremony is a highly organized affair with over 100 steps that have to be followed. The ceremony takes place in an ultra-secure facility with multiple layers of security just to get in. This includes pin codes, smart cards, and biometric scans. Something you know, something you have, and something you are.
During the ceremony, all unnecessary staff leaves the building. The signing ceremony is held inside of a faraday cage.
There are witnesses for each key signing ceremony who are invited. They are presented with a hash of the private key. This is a code that can verify the key but can’t determine what the key is.
The reason for all the security and protocol is trust. Ultimately, everyone has to trust the secure keys which are at the top of everything.
So you can think of the seven keyholders as have the ability to reboot the internet if you will if something were to go wrong. That makes them some of the most important people in the world.
The entire internet works pretty seamlessly most of the time. When you are surfing the internet, it’s easy to forget that all the billions of devices are all dependent on a few computers sitting in El Segundo, California.