Abstract
Dangers exist on the Internet in the sense that there are attackers who try to break into our computers or who in other ways try to trick us when we engage in online activities. In order to steer away from such dangers, people tend to look for signals of security and trustworthiness when navigating the Internet and accessing remote hosts. Seen from an online service provider's perspective, it is therefore an essential marketing requirement to appear trustworthy, especially when providing sensitive or professional services. Said more directly, any perception of weak security or low trustworthiness could be disastrous for an otherwise secure and honest online service provider. In this context many security vendors offer solutions for strengthening security and trustworthiness. However, there is also a risk that security vendors, through their marketing strategy, create an illusion that an online service provider which does not implement their solutions might therefore be insecure or untrustworthy. This would represent what we call trust extortion, because service providers are forced to implement specific security solutions in order to appear trustworthy, although there might be alternative security solutions that provide equal or better security. We describe real examples where this seems to be the case. Trust extortion as a marketing strategy does not have to be explicit, but can be done very subtly, e.g. through standardisation and industry fora, which then gives it a veil of legitimacy.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Jøsang, A. (2012). Trust Extortion on the Internet. In: Meadows, C., Fernandez-Gago, C. (eds) Security and Trust Management. STM 2011. Lecture Notes in Computer Science, vol 7170. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29963-6_2
DOI: https://doi.org/10.1007/978-3-642-29963-6_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29962-9
Online ISBN: 978-3-642-29963-6