About

Search

My Photo
The Skeptic's email address

Categories

Recent Posts

Popular Posts

Firewall Best Practices - Egress Traffic Filtering
How Many Legs Does Your Security Stool have
Anatomy of DNS DDoS Attack
The Worrisome Threat of DNS DDoS Amplification Attacks
IDS and DDOS Protection - Better Days Ahead
The dark side of DNS error resolution
DNS Cache Poisoning
How To Protect Yourself Against Domain Name Hijackers
Redirection and synthesized DNS responses do more harm than good
Ethical Hacking Redux
Ethical Hacking could be so much more than an oxymoron
Security Hats: Black Hats or White Hats, There's No Grayscale
Trust and the Future of the Internet
E-crime facts, figures, frustrations, and fixes
Care and Handling of Credit and Personal Information
Security Resource Pages
The Skeptic's Library

Books

Understanding VOIP Security
Open Systems Interconnection

Trust and the Future of the Internet

Originally published Monday, 25 August 2008 

The Internet Society recently published a report on the issue of Trust and the Future of the Internet. Within the context of trust, ISOC has elected to focus on three areas it deems critically important:

  • "Advancing Internet architecture by supporting the implementation of open trust mechanisms throughout the full cycle of research, standardization, development, and deployment
  • "Strengthening the current Internet model by focusing on the mitigation of social, policy, and economic drivers that could hinder development and deployment of trust-enabling technologies, and
  • "Facilitating end users’ ability to manage personal data and ensure personal security by elevating identity to a position as a core issue in network research and standards development".

The report is a nicely prepared summary of the discussions among industry experts during an ISOC-sponsored retreat. The experts considered technology, sociological, and economic issues. One discussion I would have dearly loved to attend attempted to define trust and trustworthiness. During this discussion, it was suggested that “behaves as expected in a given context” might be a useful formulation for what it meant to be trustworthy.

Behaves as expected in a given context...

If this is a principle of trustworthiness the ISOC truly seeks to embed in the future Internet, there are possibly no two areas more desperately needing attention and redress than the following:

Informed consent. A short list of actors who do not behave as expected in their particular contexts includes:

  1. ISPs who modify DNS name error responses "on the fly" and substitute self-serving ad or search pages. I know of no circumstances where ISPs who engage in this behavior explain what they are doing nor do they seek consent.
  2. Registrars and DNS operators who add synthesized DNS responses to zone files of domains they manage on behalf of registrants and customers. An obscure clause in a terms of service web page that claims a right by default to perform so-called error resolution is hardly an adequate means of providing notice and seeking consent. Moreover, in both this case and (1), I have yet to find any terms of service agreement that mentions the unintended consequences of such practices (read SSAC's Preliminary Report on DNS ResponsModification for the ugly details).
  3. Spyware, adware, and 3rd party cookies: need I say more?
  4. Domain name front runners and so-called customer protection services. The former is just wrong and the latter is just as wrong when the details of the practice are not readily displayed and when the target audience is not technically astute enough to appreciate the implications of this behavior when they opt-in.

Opt-in versus opt-out. No behavior on the Internet today is more frequently associated with suspicious or often reprehensible behavior than Opt-out. Opt-out puts the decision in the hands of someone who is offering a service. The provider chooses rather than the customer. This might actually be desirable in some situations except for the small fact that the details and consequences of the provider's actions are rarely fully disclosed and easily acquired. This is especially true at the moment the service is performed. Ask yourself, "why is this so?", you have to wonder, "what are they hiding?".

Perhaps it's because they aren't behaving as expected in a given context. Perhaps they aren't trustworthy.

The report concludes with a list of directives for ISOC's Trust Initiative. The first directive is "Promote the stand that trustworthiness is crucial for the long-term growth and success of the Internet." Now, ISOC speaks for the Internet users, and in addition to promoting trustworthiness, I'd dearly love to have ISOC say, "don't do business with parties who don't behave as you expect in a given context" and "help us by calling them out".

| |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)