[Cryptography] Sites certified as secure often more vulnerable
ianG
iang at iang.org
Sun Dec 7 11:41:35 EST 2014
On 4/12/2014 19:53 pm, Henry Baker wrote:
> Sites certified as secure often more vulnerable to hacking, scientists find
> Security seals aren't worth the bits they're made of, let alone the fees.
>
> by Dan Goodin - Dec 4, 2014 6:36 pm UTC
>
> http://arstechnica.com/security/2014/12/sites-certified-as-secure-often-morevulnerable-to-hacking-scientists-find/
"Seals certifying the security of e-commerce sites and other online
destinations have long aroused suspicions that they're not worth the
bits they're made of—much less the hundreds or thousands of dollars they
cost in yearly fees. Now, computer scientists have presented evidence
that not only supports those doubts but also shows how such seals can in
many cases make sites more vulnerable to hacks."
===
These seal sellers are examples of /institutions/, which are ways to
move information or resources from one group to another in a trusted
fashion, when they can't clear the market for direct trade.
The market for security exhibits a paucity of hard information. It is
very clear that the buyer has no way to know if some product is helpful
or not, if she is left to look directly at the product.
E.g., an anti-virus product does stuff, but the buyer doesn't and can't
measure whether it is doing any good.
The buyer needs help. Where does that help come from?
An institution can help to capture seller information and move it to the
buyer. Brands can use past good behaviour and leverage it to promise
future protection. Closely related, word-of-mouth or reputation can
also inform. Insurance can share the losses across a large group.
Warranties can put 'skin in the game' for the vendor. Audit is another.
But brands [0] and word-of-mouth need to be built on these other things,
and can quickly flip. Warranties or insurance are unheard of in the
security business [1]. Audits are impenetrable, unreliable and
self-serving. Which leaves institutions?
What the above research is saying is that these institutions in
particular are not doing any good, and are possibly opening new holes
and encouraging users to relax. Which says something bad about
institutions, but it is difficult to sort out the correlations from the
causalities.
Are all institutions in security failures? Is there a successful
institution in security?
Is there a tweak that these seal sellers could perform, perhaps at
greater cost, to push their institution into positive benefit? If so,
why didn't they?
Is the information base so suspect that an institution cannot be
honestly built?
Is there something about the economic incentives that leads all
well-meaning ventures into a race to the bottom, and eventual
irrelevance on security if not incumbency questions?
iang
[0] The 10 brands that are involved (Norton Secured, McAfee Secure,
Trust-Guard, SecurityMetrics, WebsiteProtection (provided by GoDaddy),
BeyondSecurity, Scan Verify, Qualys, HackerProof, and TinfoilSecurity)
are mostly well known; perhaps we can say this is as good as it gets.
[1] Perhaps not unheard of but notable through its rarity. PHB
mentions it recently for CAs, and there are occasional people popping up
claiming that they are going to build it.