DOI: 10.1007/978-3-642-29963-6_2
Article

Trust extortion on the internet

Published: 27 June 2011

Abstract

Dangers exist on the Internet in the sense that there are attackers who try to break into our computers, or who in other ways try to trick us when we engage in online activities. In order to steer away from such dangers, people tend to look for signals of security and trustworthiness when navigating the Internet and accessing remote hosts. Seen from an online service provider's perspective, it is therefore an essential marketing requirement to appear trustworthy, especially when providing sensitive or professional services. Said more directly, any perception of weak security or low trustworthiness could be disastrous for an otherwise secure and honest online service provider. In this context, many security vendors offer solutions for strengthening security and trustworthiness. However, there is also a risk that security vendors, through their marketing strategy, create the illusion that an online service provider which does not implement their solutions might therefore be insecure or untrustworthy. This is what we call trust extortion, because service providers are forced to implement specific security solutions in order to appear trustworthy, even though alternative security solutions might provide equal or better security. We describe real examples where this seems to be the case. Trust extortion as a marketing strategy does not have to be explicit; it can be practised very subtly, e.g. through standardisation and industry fora, which gives it a veil of legitimacy.

Published In

Guide Proceedings
STM'11: Proceedings of the 7th international conference on Security and Trust Management
June 2011
238 pages
ISBN:9783642299629

Sponsors

  • ERCIM: European Research Consortium for Informatics and Mathematics

Publisher

Springer-Verlag

Berlin, Heidelberg

Qualifiers

  • Article
