Trust Extortion on the Internet

  • Audun Jøsang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7170)


Dangers exist on the Internet in the sense that there are attackers who try to break into our computers or who in other ways try to trick us when we engage in online activities. In order to steer away from such dangers people tend to look for signals of security and trustworthiness when navigating the Internet and accessing remote hosts. Seen from an online service provider’s perspective it therefore is an essential marketing requirement to appear trustworthy, especially when providing sensitive or professional services. Said more directly, any perception of weak security or low trustworthiness could be disastrous for an otherwise secure and honest online service provider. In this context many security vendors offer solutions for strengthening security and trustworthiness. However there is also a risk that security vendors through their marketing strategy create an illusion that an online service provider which does not implement their solutions might therefore be insecure or untrustworthy. This would represent what we call trust extortion, because service providers are forced to implement specific security solutions to appear trustworthy although there might be alternative security solutions that provide equal or better security. We describe real examples where this seems to be the case. Trust extortion as a marketing strategy does not have to be explicit, but can be done very subtly e.g. through standardisation and industry fora, which then gives it a veil of legitimacy.


Server Authentication Domain Name System Security Solution Direct Trust Transport Layer Security 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4033 - DNS Security Introduction and Requirements. IETF (March 2005),
  2. 2.
    Bellovin, S.M.: Using the domain name system for system break-ins. In: Proceedings of the Fifth Usenix Unix Security Symposium (1995)Google Scholar
  3. 3.
    Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: RFC 4880 - OpenPGP Message Format. IETF (November 2007),
  4. 4.
    Michael Chernick, C., Edington III, C., Fanto, M.J., Rosenthal, R.: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations – NIST Special Publication 800-52. Technical report, National Institute of Standards and Technology (2005)Google Scholar
  5. 5.
    Cranor, L., Egelman, S., Hong, J., Zhang, Y.: Phinding Phish: An Evaluation of Anti-Phishing Toolbars. Technical Report CMU-CyLab-06-018, Carnegie Mellon University CyLab (November 13, 2006)Google Scholar
  6. 6.
    Dierks, T., Allen, C.: RFC2246 - The TLS (Transport Layer Security) protocol, Version 1.0. IETF (January 1999),
  7. 7.
    Ferdous, M. S., Jøsang, A., Singh, K., Borgaonkar, R.: ecurity Usability of Petname Systems. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 44–59. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Herzberg, A., Gbara, A.: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks. Technical Report 2004/155, Cryptology ePrint Archive (2004)Google Scholar
  9. 9.
    Hovlandsvåg, J.S.: The support of key exchange algorithms in todays web browsers. Technical Report Assignment Paper. University of Oslo (April 27, 2011)Google Scholar
  10. 10.
    ISO. IS 7498-2. Basic Reference Model For Open Systems Interconnection - Part 2: Security Architecture. International Organisation for Standardization (1988)Google Scholar
  11. 11.
    Jøsang, A., AlFayyadh, B., Grandison, T., AlZomai, M., McNamara, J.: Security Usability Principles for Vulnerability Analysis and Risk Assessment. In: The Proceedings of the Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach (December 2007)Google Scholar
  12. 12.
    Jøsang, A., Møllerud, P.M., Cheung, E.: Web Security: The Emperors New Armour. In: The Proceedings of the European Conference on Information Systems (ECIS 2001), Bled, Slovenia (June 2001)Google Scholar
  13. 13.
    Josefsson, S.: RFC 4398 - Storing Certificates in the Domain Name System (DNS). IETF (March 2006),
  14. 14.
    Kaminsky, D.: Details. Dan Kaminsky’s blog at (July 24, 2008),
  15. 15.
    Microsoft. Microsoft Security Bulletin MS01-017 Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard (March 22, 2001),
  16. 16.
    Mills, E.: Fraudulent Google certificate points to Internet attack (August 29, 2011),
  17. 17.
    Shakarian, P.: Stuxnet: Cyberwar revolution in military affairs. Small Wars Journal (April 2011)Google Scholar
  18. 18.
    Simmons, G.J., Meadows, C.: The role of trust in information integrity protocols. Journal of Computer Security 3(1), 71–84 (1995)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Audun Jøsang
    • 1
  1. 1.University of OsloNorway

Personalised recommendations