The Emerging Threat to Online Trust
The Role of Public Policy and Browser Certificates
- In-Person
- New America, 740 15th St NW #900, Washington, D.C. 20005
- 9AM – 11AM EDT
Princeton’s Center for Information Technology Policy and the New America Foundation’s Open Technology Initiative on October 22 hosted a discussion on the emerging threat to online trust, moderated by Sascha Meinrath, Director of the Open Technology Initiative. As outlined by Edward W. Felten, Director of Princeton’s Center for Information Technology Policy, HTTPS and security certificates are intended to ensure that Internet users have secure connections to the online entities they trust. However, technical, social and political problems at many levels combine to undermine what introductory speaker Stephen Schultze, Associate Director of Princeton’s CITP, calls the online “chain of trust.” This chain is the security path linking the web browser and/or operating system, some 650 certificate authorities which issue digital certificates to websites, the sites or “subscribers” that populate the World Wide Web, and end users, called “relying parties” in Secure Sockets Layer terminology. Dr. Schultze discussed the unconstrained delegation of certificate authority to subordinates, the inability of browsers to exclude particular certificate authorities when deciding whether a given site is trustworthy, and how even “perfect audits” cannot cover subordinate certificate authorities.
Keynote speaker Andrew McLaughlin, the White House Deputy Chief Technology Officer for Internet and technology policy, outlined some of the fundamental behavioral barriers to a more secure Internet, such as the “externalities” imposed on browser makers by certificate authorities lacking due diligence. He then asserted that increased governmental regulation cannot fix these problems, both because of the freedom of the Internet and because of the technical impossibility of bringing the security chain of trust under a common regulatory scheme. Mr. McLaughlin concluded by praising the possibilities of DNSSEC for improving security and calling for improved standardization of security tools.
The panelists represented several stakeholders in the technical and policy realms of Internet security. Peter Eckersley, Senior Staff Technologist at the Electronic Frontier Foundation, outlined his research on certificate authorities and stated that it takes only one certificate authority signing a certificate for a malicious website for that site to pass SSL validation. Adam Langley, who develops Chrome and encryption technologies at Google, pointed out that half of Internet users run legacy browsers with outdated certificate information that lack modern security tools. Scott Rea, Senior PKI Architect at DigiCert, acknowledged that while untrustworthy certificate authorities do exist, there are many authorities whose core mantra is “trust.” Andy Steingruebl of PayPal cast much of the security debate in ideological terms, saying that for many people the question is whether to cooperate with certificate authorities to improve security or to embed the security in DNSSEC. Mr. Steingruebl finished his response by noting that progress is already happening in these areas.
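The structural points raised above (any one of the trusted authorities can issue a certificate a browser will accept, a subordinate CA inherits that power unless it is constrained, and a site cannot by default exclude the authorities it does not use) can be made concrete with a small model. The following Python is an added illustration, not material from the event or from any speaker: the CA names, the domain and the functions are constructed, no real signatures are checked, and the two mitigations shown (a name-constraint on the subordinate and an expected-root pin for the site) are simplified stand-ins for the corresponding X.509 Name Constraints extension and key-pinning mechanisms.

```python
# Added example (constructed model, not real X.509): how path validation
# accepts a certificate from ANY trusted root, and two ways to narrow that.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str                          # DNS name for a site, or a CA name
    issuer: str                           # name of the CA that signed this cert
    is_ca: bool = False
    # DNS suffixes this CA may issue for; None means unconstrained delegation.
    permitted: Optional[FrozenSet[str]] = None


def name_allowed(dns_name: str, permitted: Optional[FrozenSet[str]]) -> bool:
    """Toy version of a name constraint: exact match or subdomain of a suffix."""
    if permitted is None:
        return True
    return any(dns_name == s or dns_name.endswith("." + s) for s in permitted)


def validate(leaf: Cert, known: Dict[str, Cert], roots: FrozenSet[str],
             expected_root: Optional[str] = None, max_depth: int = 8) -> Tuple[bool, str]:
    """Walk leaf -> issuer -> ... until a trusted root is reached.

    expected_root is the optional pin: the site's real root. Without it, the
    relying party accepts a chain ending at ANY of the trusted roots.
    """
    chain = [leaf]
    current = leaf
    while current.issuer not in roots:
        if len(chain) > max_depth:
            return False, "chain too long"
        issuer = known.get(current.issuer)
        if issuer is None or not issuer.is_ca:
            return False, f"unknown or non-CA issuer {current.issuer}"
        if not name_allowed(leaf.subject, issuer.permitted):
            return False, f"{issuer.subject} not permitted to issue for {leaf.subject}"
        chain.append(issuer)
        current = issuer
    root = current.issuer
    if expected_root is not None and root != expected_root:
        return False, f"chains to {root}, but site is pinned to {expected_root}"
    return True, " -> ".join(c.subject for c in chain) + f" -> {root}"


# Constructed trust store: two roots standing in for the ~650 a browser ships.
ROOTS = frozenset({"RootA", "RootB"})
KNOWN = {c.subject: c for c in [
    Cert("SubA", "RootA", is_ca=True),                                    # unconstrained subordinate
    Cert("SubA-edu", "RootA", is_ca=True, permitted=frozenset({"example.edu"})),
]}

genuine = Cert("bank.example", "RootB")      # the site's real certificate
misissued = Cert("bank.example", "SubA")     # issued by a subordinate the site never used
blocked = Cert("bank.example", "SubA-edu")   # a constrained subordinate cannot reach this name


def demo() -> Dict[str, Tuple[bool, str]]:
    return {
        "genuine": validate(genuine, KNOWN, ROOTS),
        # Accepted: nothing tells the browser that bank.example uses RootB.
        "misissued_default": validate(misissued, KNOWN, ROOTS),
        # Rejected: the delegation to SubA-edu was constrained.
        "misissued_constrained": validate(blocked, KNOWN, ROOTS),
        # Rejected: the site (or browser) pins the root it actually uses.
        "misissued_pinned": validate(misissued, KNOWN, ROOTS, expected_root="RootB"),
    }


if __name__ == "__main__":
    for label, (ok, detail) in demo().items():
        print(f"{label:22s} {'ACCEPT' if ok else 'REJECT'}  {detail}")
```

The "misissued_default" result is the point Schultze and Eckersley make: the unaudited subordinate SubA is never consulted by anyone, yet its signature is as good as RootB's in the eyes of the relying party. The other two results show that the fix has to be expressed somewhere in the chain itself, either by the issuing root limiting what its subordinates may sign, or by the site and browser agreeing on which root to expect.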
It is clear that the online chain of trust has weak areas, and different stakeholders view different entities as the weakest link. Everyone agreed, however, that a holistic approach requires understanding the different strategies needed to engage and ultimately change the makeup and behavior of all parts of the security equation, from better browsers to more diligent certificate authorities and, perhaps most importantly, more security-conscious Netizens.
Participants
Introduction
Sascha Meinrath
Director, Open Technology Initiative
New America Foundation
Overview
Edward W. Felten
Director, Princeton’s Center for Information Technology Policy
Stephen Schultze
Associate Director, Princeton’s Center for Information Technology Policy
Keynote Speaker
Andrew McLaughlin
White House Deputy Chief Technology Officer, Internet Policy
Panelists
Adam Langley
Google
Scott Rea
Senior PKI Architect, DigiCert
Paul Vixie
President, Internet Software Consortium
Peter Eckersley
Senior Staff Technologist, Electronic Frontier Foundation
Respondents
Ari Schwartz
Senior Internet Policy Advisor, National Institute of Standards and Technology
Andy Steingruebl
Manager, Internet Standards and Governance
PayPal