Abstract
In the real world, risk is never binary but always comes in shades of grey. When security systems treat risk as a purely boolean process, they’re prone to failure because the quantisation that’s required in order to produce a boolean result has to over- or under-estimate the actual risk. What’s worse, if an all-or-nothing system like this fails, it fails completely, with no fallback position available to catch errors. Drawing on four decades of experience with security design for the built environment (buildings and houses) known as crime prevention through environmental design (CPTED), this paper looks at how CPTED is applied in practice and, using browser PKI as the best-known example of large-scale certificate use, examines certificates as part of a CPTED-style risk-mitigation system that isn’t prone to all-or-nothing failures and that neatly integrates concepts like EV vs. DV vs. OV and OCSP vs. non-checked certificates into the risk-assessment process, as well as dealing with the too-big-to-fail problem of trusted browser CAs.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Gutmann, P. (2012). PKI as Part of an Integrated Risk Management Strategy for Web Security. In: Petkova-Nikova, S., Pashalidis, A., Pernul, G. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2011. Lecture Notes in Computer Science, vol 7163. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29804-2_9
DOI: https://doi.org/10.1007/978-3-642-29804-2_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29803-5
Online ISBN: 978-3-642-29804-2
eBook Packages: Computer Science, Computer Science (R0)