Updated on: January 20, 2025
Colin Constable is a visionary in the realm of secure internet communication and a co-founder of Atsign and NoPorts. In this SafetyDetectives interview, Colin shares insights into how his groundbreaking work addresses key cybersecurity challenges. By leveraging Atsign’s innovative technology, NoPorts eliminates open ports—a major vulnerability in traditional network infrastructure—while enabling end-to-end encrypted connections. Focused on simplicity, security, and zero-trust principles, NoPorts is redefining how devices and services communicate safely across the internet.
Can you introduce yourself and talk about your role at NoPorts?
My name is Colin Constable, and I’m one of the co-founders of a company called Atsign. Over the years, we’ve developed a platform that enables people, entities, and devices to communicate securely over the internet.
NoPorts emerged from this work. It’s built on Atsign’s technology and allows for end-to-end encrypted TCP connections from anywhere to anywhere. What makes it unique is that it requires no open ports. This means you can run anything that relies on TCP/IP—like SSH, RDP, websites, or APIs—without exposing your infrastructure. No open ports mean a significant reduction in the attack surface for network-based threats.
The name reflects exactly what it does: no ports need to be open. Traditionally, any service—like SSH or a website—requires open ports, which serve as entry points for attackers. With NoPorts, you can access these services securely without any ports exposed. It’s a simple yet revolutionary concept because having no open ports is one of the most secure states for any network.
What are the core challenges NoPorts aims to solve, and how does your platform stand out in today’s competitive cybersecurity landscape?
Although we like to think the internet is new and shiny, it’s actually over 50 years old. The protocols we’re using, like TCP/IP, celebrated their 50th birthday last year. TCP/IP is everywhere, and while we don’t often think about it, it has inherent problems that we’ve just gotten used to. NoPorts was designed to address these decades-old issues.
One of the biggest problems with TCP/IP is the client-server model. In this model, you have a client, typically a web browser or device like your PC or phone, communicating with a server—web servers, email servers, etc. These servers hold data in the clear to function, and they also require open ports, which act as doors to the infrastructure. This is where vulnerabilities arise.
What we set out to solve with NoPorts is this: while you might need to use TCP/IP and open ports, there should never be anything of value on infrastructure with open ports. Valuable data should either be encrypted or replaced with public information, like public keys, that are designed to be exposed. This approach allows you to run TCP/IP without having sensitive infrastructure exposed. Effectively, we treat the entire internet as a DMZ. Any infrastructure that must have open ports contains nothing of value, so even if it’s attacked, there’s no payoff—like breaking into a safe that’s empty. That’s the principle we’ve built NoPorts on.
With the increasing adoption of zero-trust architecture, how does NoPorts integrate this approach into its technology, and what makes your implementation unique?
Before zero trust, I and a few fellow Brits launched the Jericho Forum, a project inspired by the idea of tearing down traditional security walls, much like the biblical reference to Jericho. Around 1999-2000, we were frustrated by the increasing reliance on firewalls, which were becoming unmanageable. The question we posed was, “What if everything could protect itself?” That vision, which seemed bold and ahead of its time, has now evolved into the zero-trust architecture we see today. It took nearly 20 years to transition from the Jericho Forum’s ideas to the global zero-trust transformation happening now.
Everything we’ve built at Atsign, including NoPorts, is based on zero-trust principles. Our approach is cryptographic zero trust. At its core, every entity—be it a person, device, or service—has a unique address, known as an atSign. This atSign is a unique identifier, much like an X (Twitter) handle, but backed by cryptographic keys that each entity generates.
Having your own cryptographic keys enables a range of possibilities. For instance, you can prove your identity before accessing any information. This might not sound transformative until you realize that it allows for context-aware interactions. If someone asks for my location, I can provide a different answer depending on who’s asking. Traditional computer systems struggle with this level of adaptability, but our technology makes it possible. Knowing exactly who you’re communicating with before sharing any data has profound implications for identity-driven networking, which we believe is the future of internet services.
Our zero-trust implementation ensures that nothing is accessible until identity is proven. If an entity’s digital identity doesn’t match, they won’t even receive a response, let alone access. This approach not only secures interactions but scales effectively for global use. It’s security at a large, transformative scale.
Cyber threats targeting remote access and IoT devices are on the rise. How does NoPorts ensure security for these use cases, particularly for businesses managing diverse and complex networks?
The basic premise of NoPorts is that nothing is open until you prove who you are, and even then, it’s only open for you. This is a significant shift from traditional connectivity models. Historically, devices have to speak to a server because servers are the only addressable entities on the internet. This creates a fundamental problem for IoT devices and other hardware because they are often not directly addressable.
NoPorts flips this paradigm. For instance, I’m currently talking to you over Starlink. Starlink uses IPv6 and CGNAT, which allows me to connect to the internet but prevents direct access to devices on my network. With NoPorts, we bypass these limitations by creating outbound connections to what we call “atServers.” These connections allow secure access to devices once identity is verified.
Here’s a practical example: I can SSH into any machine on my home network from anywhere on the planet without opening a single port. I don’t need to reconfigure Starlink, switch to IPv6, or worry about NAT traversal. With NoPorts, everything remains secure and invisible. This extends to other use cases like accessing web servers or APIs behind Starlink.
What’s exciting is that this approach offers perfect security. It’s completely invisible. Some users have asked if this concept can extend to their login systems or make their websites invisible. The answer is yes. We’re constantly discovering new use cases based on this capability. If someone explains a specific problem, there’s a good chance we can solve it using NoPorts.
For organizations still relying on traditional methods like VPNs or open-port configurations, what are the key risks, and how can NoPorts help mitigate them?
Just having a port open is a huge risk. When we started, we often had to explain to people what a port was and why it mattered. Ports may seem like arcane networking details, but they are critical vulnerabilities. Recently, organizations like the FBI have been urging companies to close all non-essential ports. These ports act as doors into your infrastructure, and unless they’re serving public data, they shouldn’t be open.
NoPorts eliminates this risk entirely. By enabling secure connections without requiring open ports, we remove these vulnerabilities. If your infrastructure still has open ports exposing sensitive data, we can help you close them. This isn’t just our recommendation; it’s aligned with guidance from global organizations like the FBI.
It’s important to note that even small organizations with limited internet presence are at risk. Many think, “It won’t happen to me,” but it will. Attackers don’t discriminate based on size or prominence. NoPorts provides a practical solution for organizations of all sizes to secure their infrastructure and eliminate unnecessary exposure.
Looking ahead, how do you see the cybersecurity landscape evolving, and what role will NoPorts play in addressing emerging threats?
Mobility and simplicity are becoming essential. Organizations need the ability to move services seamlessly across clouds and infrastructures without complex firewall rules. NoPorts facilitates this by being portable and software-defined. As long as the correct cryptographic keys are in place, services can move instantly.
AI also presents a new frontier. Ensuring secure communication between AIs will be crucial. NoPorts provides cryptographic identity verification, ensuring that data is exchanged only with trusted entities. Additionally, cryptographic signing will help combat misinformation and provide accountability.
Ultimately, NoPorts reduces complexity, enhances portability, and embeds cryptographic security, making it a vital tool for securing the future of digital transformation while addressing budget and resource constraints.