Abstract

We are currently witnessing an alarmingly increasing array of attacks on secure infrastructures used for industrial and commercial purposes. The success of these attacks has relied heavily on an innovative stratagem: the use of digital certificates to pass off malicious code or servers as trustworthy, ultimately deceiving end users. This has led to an escalating demand for forged or stolen valid digital certificates on the electronic black market. Certification authorities (CAs) themselves are now coming under fire. Virus reports have surfaced on malicious software whose sole purpose was to grab certificates from within certain CAs' infrastructures. The growing popularity of these attacks is putting in doubt the effectiveness of one of the pillars upon which security in the digital world is built: cryptography and digital signatures. What is to blame? In a phrase, "trust by default". To increase the usability of public key infrastructure interactions, a number of CAs are pre-included in users' browsers and operating systems. These entities are trusted by default, and this trust is now being exploited. In this paper, we try to shed light on the true dimensions and implications of "trust by default" in public key infrastructure environments. We attempt to raise awareness about the severity of this kind of attack, demystify the security challenges and identify unique security threats. We need to ring the alarm about trust-related issues in online communications. We analyze the issue from an information and communication security perspective and explore the notion of trust relations in this context. We support the doctrine that trust should be built on informed judgment, and this can only be achieved through increased openness.
Following this, we put forward for consideration a number of proposals that attempt to overcome the issue at hand by increasing user-side awareness, and thus the effectiveness of solutions, regarding digital certificate transactions. We present an experimental mechanism that is able to provide users with customized digital certificate repositories based on an open crowdsourcing method. Copyright © 2013 John Wiley & Sons, Ltd.
