
Trust Extortion on the Internet

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7170)

Abstract

Dangers exist on the Internet in the sense that there are attackers who try to break into our computers or who in other ways try to trick us when we engage in online activities. To steer clear of such dangers, people tend to look for signals of security and trustworthiness when navigating the Internet and accessing remote hosts. From an online service provider's perspective it is therefore an essential marketing requirement to appear trustworthy, especially when providing sensitive or professional services. Put more directly, any perception of weak security or low trustworthiness could be disastrous for an otherwise secure and honest online service provider. In this context many security vendors offer solutions for strengthening security and trustworthiness. However, there is also a risk that security vendors, through their marketing strategy, create the illusion that an online service provider which does not implement their solutions must therefore be insecure or untrustworthy. This is what we call trust extortion: service providers are forced to implement specific security solutions in order to appear trustworthy, even though alternative security solutions might provide equal or better security. We describe real examples where this seems to be the case. Trust extortion as a marketing strategy does not have to be explicit; it can be done very subtly, e.g. through standardisation and industry fora, which gives it a veil of legitimacy.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Jøsang, A. (2012). Trust Extortion on the Internet. In: Meadows, C., Fernandez-Gago, C. (eds) Security and Trust Management. STM 2011. Lecture Notes in Computer Science, vol 7170. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29963-6_2


  • DOI: https://doi.org/10.1007/978-3-642-29963-6_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29962-9

  • Online ISBN: 978-3-642-29963-6

  • eBook Packages: Computer Science, Computer Science (R0)
