Skip to main content
SpringerLink
Log in

PKI as Part of an Integrated Risk Management Strategy for Web Security

  • Conference paper
Book cover Public Key Infrastructures, Services and Applications (EuroPKI 2011)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7163))

Included in the following conference series:

  • 614 Accesses

Abstract

In the real world, risk is never binary but always comes in shades of grey. When security systems treat risk as a purely boolean process, they’re prone to failure because the quantisation that’s required in order to produce a boolean result has to over- or under-estimate the actual risk. What’s worse, if an all-or-nothing system like this fails, it fails completely, with no fallback position available to catch errors. Drawing on four decades of experience with security design for the built environment (buildings and houses) known as crime prevention through environmental design (CPTED), this paper looks at how CPTED is applied in practice and, using browser PKI as the best-known example of large-scale certificate use, examines certificates as part of a CPTED-style risk-mitigation system that isn’t prone to all-or-nothing failures and that neatly integrates concepts like EV vs. DV vs. OV and OCSP vs. non-checked certificates into the risk-assessment process, as well as dealing with the too-big-to-fail problem of trusted browser CAs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Borge, D.: The Book of Risk. John Wiley and Sons (2001)

    Google Scholar 

  2. Jeffery, C.: Crime Prevention Through Environmental Design. Sage Publications (1971)

    Google Scholar 

  3. Defensible Space: Crime Prevention Through Urban Design. Oscar Newman, Macmillan (1973)

    Google Scholar 

  4. Poyner, B.: Design Against Crime: Beyond Defensible Space, Butterworth (1983)

    Google Scholar 

  5. Crowe, T.: Crime Prevention Through Environmental Design. Butterworth-Heinemann (1991)

    Google Scholar 

  6. Jacobs, J.: The Death and Life of Great American Cities. Random House (1961)

    Google Scholar 

  7. Atlas, R., Schneider, R.: Creating Safe and Secure Environments for Schools and Colleges. In: 21st Century Security and CPTED, p. 279. CRC Press (2008)

    Google Scholar 

  8. Whyte, W.: The Exploding Metropolis. Doubleday/Anchor (1958)

    Google Scholar 

  9. Biancuzzi, F.: Phishing with Rachna Dhamija (June 19, 2006), http://www.securityfocus.com/columnists/407

  10. Abu-Nimeh, S., Chen, T., Alzubi, O.: Malicious and Spam Posts in Online Social Networks. IEEE Computer 44(9), 23 (2011)

    Article  Google Scholar 

  11. Zhang, Y., Hong, J., Cranor, L.: CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. In: Proceedings of the 16th International World Wide Web Conference (WWW 2007), p. 639 (May 2007)

    Google Scholar 

  12. Shin, Y., Gupta, M., Myers, S.: The Nuts and Bolts of a Forum Spam Automator. In: Proceedings of the 4th Workshop on Large-Scale Exploits and Emergent Threats, LEET 2011 (March 2011), http://www.usenix.org/-event/leet11/tech/full_papers/Shin.pdf

  13. Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: A Fast Filter for the Large-Scale Detection of Malicious Web Pages. In: Proceedings of the 20th International World Wide Web Conference (WWW 2011), p. 197 (March 2011)

    Google Scholar 

  14. Cova, M., Kruegel, C., Vigna, G.: Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. In: Proceedings of the 19th World Wide Web Conference (WWW 2010), p. 281 (April 2010)

    Google Scholar 

  15. Curtsinger, C., Livshits, B., Zorn, B., Seifert, C.: ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection. In: Proceedings of the 20th Usenix Security Symposium (Security 2011), p. 33 (August 2011)

    Google Scholar 

  16. Doshi, S., Provos, N., Chew, M., Rubin, A.: A Framework for Detection and Measurement of Phishing Attacks. In: Proceedings of the ACM Workshop on Rapid Malcode (WORM 2007), p. 1 (November 2007)

    Google Scholar 

  17. Seifert, C., Welch, I., Komisarczuk, P.: Identification of Malicious Web Pages with Static Heuristics. In: Proceedings of the Australasian Telecommunication Networks and Applications Conference (ATNAC 2008), p. 91 (December 2008)

    Google Scholar 

  18. Ma, J., Saul, L., Savage, S., Voelker, G.: Identifying Suspicious URLs: An Application of Large-Scale Online Learning. In: Proceedings of the 26th International Conference on Machine Learning (ICML 2009), p. 681 (June 2009)

    Google Scholar 

  19. Ma, J., Saul, L., Savage, S., Voelker, G.: Beyond Blacklists: Learning to Detect Malicious Web Sites from Suspicious URLs. In: Proceedings of the 15th Conference on Knowledge Discovery and Data Mining (KDD 2009), p. 1245 (June 2009)

    Google Scholar 

  20. Gutmann, P.: The Commercial Malware Industry, talk at Defcon (August 15, 2007), https://www.defcon.org/images/defcon-15/dc15-presentations/dc-15-gutmann.pdf , updated version at http://www.cs.auckland.ac.nz/-pgut001/pubs/malware_biz.pdf

  21. Leiba, B., Ossher, J., Rajan, V., Segal, R., Wegman, M.: SMTP Path Analysis. In: Proceedings of the 2nd Conference on Email and Anti-Spam, CEAS 2005 (July 2005), http://ceas.cc/2005/papers/176.pdf

  22. Esquivel, H., Mori, T., Akella, A.: Router-Level Spam Filtering Using TCP Fingerprints: Architecture and Measurement-Based Evaluation. In: Proceedings of the 6th Conference on Email and Anti-Spam, CEAS 2009 (July 2009), http://ceas.cc/2009/papers/ceas2009-paper-10.pdf

  23. Venema, W.: Postfix: Past, Present, and Future. In: Invited Talk at the 24th Large Installation System Administration Conference, LISA 2010 (November 2010)

    Google Scholar 

  24. Levine, J.: Experiences with Greylisting. In: Proceedings of the 2nd Conference on Email and Anti-Spam, CEAS 2005 (July 2005), http://ceas.cc/2005/-papers/120.pdf

  25. Lundgren, B.: Greylisting implementations (2011), http://www.greylisting.org/implementations/

  26. Colvin, R.: Stranger Danger’ — Introducing SmartScreen Application Reputation, October 13 (2010), http://blogs.msdn.com/b/ie/-archive/2010/10/13/stranger-danger-introducing-smartscreen-application-reputation.aspx

  27. Colvin, R.: SmartScreen Application Reputation — Building Reputation, March 22 (2011), http://blogs.msdn.com/b/ie/archive/2011/03/22/-smartscreen-174-application-reputation-building-reputation.aspx

  28. Haber, J.: SmartScreen Application Reputation in IE9, May 17 (2011), http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx

  29. Web Browser Group Test Socially-Engineered Malware — Europe Q2 2011, NSS Labs (May 2011), http://www.nsslabs.com/assets/noreg-reports/2011/nss%20labs_q2_2011_browsersem_FINAL.pdf

  30. Leitch, M.: Intelligent Internal Control and Risk Management. Gower Publishing (2008)

    Google Scholar 

  31. Ciancutti, J.: 5 Lessons We’ve Learned Using AWS, December 16 (2010), http://techblog.netflix.com/2010/12/5-lessons-weve-learned-using-aws.html

  32. ‘timf’, Some quotes regarding how Netflix handled this without interruptions, April 21 (2011), http://news.ycombinator.com/item?id=2470773

  33. Hicks, C., Orzell, G.: Lessons Netflix Learned from the AWS Outage, Adrian Cockroft (April 29, 2011), http://techblog.netflix.com/-2011/04/lessons-netflix-learned-from-aws-outage.html

  34. Turner, C., Zavod, M., Yurcik, W.: Factors that Affect the Perception of Security and Privacy of E-Commerce Web Sites. In: Proceedings of the 4th International Conference on Electronic Commerce Research, p. 628 (November 2001)

    Google Scholar 

  35. Egelman, S., Cranor, L., Hong, J.: You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In: Proceedings of the 2008 Conference on Human Factors in Computing Systems (CHI 2008), p. 1065 (April 2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Auckland, Auckland, New Zealand

    Peter Gutmann

Authors
  1. Peter Gutmann
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. University of Twente and Katholieke Universiteit Leuven ESAT-COSIC, Kasteelpark Arenberg 10, 3001, Leuven-Heverlee, Belgium

    Svetla Petkova-Nikova

  2. Katholieke Universiteit Leuven, ESAT/SCD (COSIC), Kasteelpark Arenberg 10, 3001, Leuven-Heverlee, Belgium

    Andreas Pashalidis

  3. Department of Information Systems, University of Regensburg, Universitätsstraße 31, 93053, Regensburg, Germany

    Günther Pernul

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gutmann, P. (2012). PKI as Part of an Integrated Risk Management Strategy for Web Security. In: Petkova-Nikova, S., Pashalidis, A., Pernul, G. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2011. Lecture Notes in Computer Science, vol 7163. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29804-2_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-29804-2_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29803-5

  • Online ISBN: 978-3-642-29804-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation