
From @GrahamLee's comment over on this question, this is a very good point:

How do I choose whether to trust a particular website when the only information I have relevant to my trust decision is the web?

Do I trust it because of history? It has always appeared right so probably is now? Do I count the number of other sites that trust it? The web of trust concept?

or what else?

Rory Alsop
  • Reminds me of this question, but not the same: http://security.stackexchange.com/questions/4983/noscript-how-to-determine-which-sites-scripts-to-whitelist – Iszi Jan 08 '12 at 23:43
  • Trust it to... not exploit your browser or serve malicious downloads? Safely handle sensitive information you voluntarily offer it? Not scam you? Or do you mean specifically in the context of that other question with trusted downloads? – multithr3at3d Nov 23 '20 at 23:50

8 Answers

I believe in cross-fertilizing between sources of information. Most of them start on the internet, but we have more and more ways to link virtual resources (e.g. websites) with the physical world. Following are a few ways I use to see if I can trust a website. I hope it helps :)

  • Does the site look professionally made?
  • Does the site have a certificate? Is it valid? Please keep in mind that invalid certificates are unfortunately very common.
  • If there is a login/e-business part in the site, is it using SSL?
  • Do I find any positive/negative feedback on this website on forums/mailing lists?
  • Does the whois.net information give me any information that would help me trust the namespace owner?
  • Is there an address in the contact section of the website? Using a search engine, can I find other businesses at the same address? Can I find a telephone number of another company to check with them if the site is legit?
  • Can I see the building on Google street view? Does this building give me confidence?

A bit more advanced:

  • If there is a login feature, do simple injection techniques work?
  • Browsing through the HTML/JavaScript code, do I see any reason not to trust that website? Here I'm looking for visible access control flaws, stored logging and passwords...
  • If the website is using a CMS (e.g. wordpress, SPIP) is it a "safe" version?
  • One thing with your advanced methods: I'd be very careful before trying any injection techniques on sites that you don't own/control/have authorisation to test. Whilst it's not likely that they'll respond, it is possible, and there have been cases where doing that kind of test has led to prosecution for hacking – Rory McCune Dec 21 '12 at 11:13

There has been some interesting research on trust metrics: Attack Resistant Trust Metrics, A Model for Trust Metrics Analysis, How to incorporate revocation status information into the trust metrics for public-key certification

The basic concept is building a set of links from you to your target. Unfortunately, web sites don't embody trust. People are the appropriate trust originators. This is a concept easily lost in the modern era, where technology is portrayed as sterile and disconnected from its creators and manufacturers.

However, all web sites are made by people, at least as far as I know. The problem on some sites is that the content creator is not always recognized. Links are not vouched for.

One principle I apply when trying to gain confidence in a piece of data is diversity of source. If I am seeking an evaluation of a tool, I try to get opinions from experts, amateur enthusiasts, and from publications.

For example, if I were interested in buying a new camera, I would look on user forums, professional blogs, and magazines that cover photography. Of course each group could potentially give wrong or misleading opinions, but the likelihood of at least two being wrong or misleading is smaller than the likelihood of any one group being wrong or misleading.

Notice that this does not guarantee me good results. It only gains you a higher level of assurance that the evaluation is correct.

Second, I devote more resources to collecting evaluations on high-value data. Not all questions deserve thorough vetting. Opinions on which web comic will make you laugh don't require more checking, because you can trivially confirm the claim. Likewise, purchases under $20 US rarely require much thought unless they may have an impact on my health or safety, i.e. is the generic pain killer as safe as taking a generic brand? Or should I buy the USB flash drive from vendor A or vendor B?

this.josh

I trust sites that many people trust. Consequences of attacks are all the more lessened if there are many victims. In a business context, this translates to the following: it is not a problem (for me!) to be attacked as long as most of (or all of) my competitors are similarly attacked. To some extent, not being attacked when the competitors are could be a tactical failure and raise suspicion.

This is a generic trend. This advocates using Windows on servers, instead of, say, NetBSD: any security hole intrinsic to Windows will be present on millions of other servers, which severely dilutes any potential blame. Similarly, you should keep in your browser the standard set of root certificates, because "that's what everybody does": if a rogue CA allows a wide scale fraud, there would be so many victims that banks would be forced to take a reasonable, amiable stance.

In a world of wolves and sheep, the sheep's salvation lies in big numbers: stick to the herd. Don't try to be a wolf if you cannot afford it.

Tom Leek
  • That is a scary perspective, but one that is unfortunately true in many cases - it makes it very difficult to push for a move towards more secure systems. You need a critical mass before some organisations will even consider a move. Which is why XP will be around for a while yet :-) – Rory Alsop Jan 09 '12 at 14:54
  • Individual risk and group risk are not equatable. Many people will feel sad if an airplane crashes because it was not properly maintained. No more people will feel badly if I am on that plane. Individuals need to look at their risk decisions with a view towards the possibility of ruin. Shared loss is only advantageous when it transforms excessive individual loss into acceptable individual loss by diffusing it across a group. Equal or proportional loss provides no guarantee of achieving acceptable loss. – this.josh Jan 11 '12 at 03:47

The question isn't quite right: Trust isn't binary. I think you really want to know "How can I decide how much to trust a particular website?"

In the end I think it comes down to how much I must trust each particular site.

The sites that I have to trust the most (bank, brokerage, etc) I have a physical offline relationship with. The companies that run those websites have a significant offline reputation and presence; they correspond with me on dead trees via snail mail and they have a phone number where you can talk to a human. This is somewhat outside the scope of the question since you have said the only information you have is from the web itself, but even then you can verify the physical presence via multiple avenues. (Google, WHOIS, Wikipedia, online reviews -- e.g. bank comparison websites, etc.) Also, if I have to "fully" trust a site -- for financial info or other sensitive data -- then I am unlikely to do so unless I can have a reason to trust them that is backed up by a trustworthy significant offline presence.

The sites that I trust the least are those that I don't have to trust. JimBob's Game Zone & Happy Fun Time, for example: hmm, you say you've got this really fun game that I've got to enable java to play? Sorry, but no thanks. (The same is true even for somewhat more reputable sites that still have, say, java-based financial calculators that I'd like to use. I can find an alternative that doesn't expose me to a huge attack surface.)

In between there are sites that you have to trust somewhat, but not fully. In other words, you may need to expose yourself to some risk. For example, H&R Block has a calculator that estimates how much tax I owe for last year. I have to enable scripting and flash for their calculator to work, and I have to enter personal data (e.g. income, family status) -- and it has to be accurate (though not perfectly precise) in order for me to get the answer I want. I don't have to give any identification, so beyond the exposure to scripting and some limited data it's an acceptable risk; I may access via proxy to hide my data from my ISP and hide my location from the site.

Other sites want to collect tons of data from you, they want to identify you personally, etc., and they give you a service in return. Facebook or Google, for example; to a lesser extent, Stack Exchange. I, for one, choose to actively distrust the omnipresent sites: this takes effort, since you have to block multiple domains via NoScript or other browser plugins to prevent the company from tracking you around the web. I choose not to use Facebook. I use multiple Google products, but here I've chosen to pay for their service with my data; I still block their tracking domains when I'm not using their products.

The issue at hand in the linked question is whether to trust an Ubuntu ISO image downloaded from a particular website. Based on what I've written above, I think the answer is that you don't have to trust it much, so you shouldn't. ("Trust, but verify.") Download the image from anywhere reputable enough that you don't waste your time and bandwidth. I'd probably pull the torrent: you don't have to trust any single site. Then verify the hash via multiple channels: check Canonical's website, check other websites, use multiple proxies to check those websites (so you are less likely to be MITM'd), ask on IRC, call a friend, etc.

bstpierre
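As an added example (not part of bstpierre's answer, nor Canonical's or any project's code) of the multi-channel hash verification described above, which also applies this.josh's diversity-of-source principle: the image bytes, channel names and published digests below are constructed, and the digest is assumed to be the SHA-256 that Ubuntu publishes in its SHA256SUMS files.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded image, the digest Ubuntu publishes in SHA256SUMS."""
    return hashlib.sha256(data).hexdigest()


def cross_check(data: bytes, channels: Dict[str, str], min_agreeing: int = 2) -> Tuple[bool, Dict[str, bool]]:
    """Compare the local digest with the digest each independent channel reported.

    Accept only when at least `min_agreeing` channels match AND none disagrees.
    A single dissenting channel means one source or one network path may have
    been tampered with, so the image is rejected and the disagreement is
    surfaced for investigation instead of being outvoted.
    """
    local = sha256_hex(data)
    results: Dict[str, bool] = {}
    for name, published in channels.items():
        # Normalise whitespace/case, then compare in constant time.
        results[name] = hmac.compare_digest(local, published.strip().lower())
    agreeing = sum(results.values())
    accept = agreeing >= min_agreeing and agreeing == len(results)
    return accept, results


# Constructed stand-in for the ISO bytes; a real check would read the file.
SAMPLE_IMAGE = b"constructed stand-in for ubuntu.iso contents"
GOOD_DIGEST = sha256_hex(SAMPLE_IMAGE)

# Digests as they might be collected over different channels (all constructed).
GOOD_CHANNELS = {
    "canonical_site": GOOD_DIGEST,
    "via_proxy": GOOD_DIGEST.upper() + "\n",   # same value, sloppier formatting
    "friend_on_irc": GOOD_DIGEST,
}
# One channel (a mirror page) reports a different digest: tampered or MITM'd.
TAMPERED_CHANNELS = dict(GOOD_CHANNELS, mirror_page="0" * 64)


if __name__ == "__main__":
    for label, chans in (("all agree", GOOD_CHANNELS), ("one dissents", TAMPERED_CHANNELS)):
        accept, per_channel = cross_check(SAMPLE_IMAGE, chans)
        print(label, "->", "ACCEPT" if accept else "REJECT", per_channel)
```

The per-channel map tells you which source disagreed, which is the lead to follow up (stale mirror, tampered page, or an interposed network path) rather than silently picking the majority.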

My approach to trusting a website is indeed some kind of web of trust. For example: when I hear about a piece of software that I want to use, but I do not know the URL, I don't trust Google's results. Those could be forged, due to SEO or paid pagerank.

My web of trust in this case is Wikipedia. Of course a link on Wikipedia can be forged as well, but it is more unlikely, just because fewer people choose this way and more people control the links' authenticity.

And of course a page linked from a page that I already trust is likely to be trusted as well.

Baarn
  • I think discounting Google is a bit short-sighted as it is invaluable for cross-confirmations. If Wikipedia says one thing and Google says another, then you need to find more sources to confirm. – logicalscope Jan 09 '12 at 00:20
  • I did not mean to completely distrust Google, but I would not solely rely on its results. – Baarn Jan 09 '12 at 00:22
  • Check out the mywot add-on. http://www.mywot.com/ – user6255 Jan 10 '12 at 21:59

I think my view is a combination of the above

  • generally trusting certain key sites and their rating of the site in question
  • usage of plugins and tools (e.g. NoScript, SafeSearch)
  • a good antimalware
  • reputation from individuals I trust
  • gut feel
Rory Alsop
  • The term "gut feeling" is an interesting choice. It's commonly used to refer to a purely intuitive analysis of trustworthiness, but in reality you're really drawing on a wide range of subconscious experience in deciding whether or not to trust someone or something. So, when *you* rely on a "gut feeling", you're actually relying on years of personal and professional experience in dealing with technology. Other people may not have this experience, so their "gut feeling" is likely to be significantly less accurate than yours. – Polynomial Dec 21 '12 at 11:26

It depends of course on what you want to do with the site. I mainly consider this kind of thing before I purchase something from them or put personal details into a form on the site.

My personal decisions tend to revolve around whether the site

  • Is well known in its field (e.g. eBay, Amazon etc.)
  • Looks well designed and maintained (so negative points for classic ASP or Perl CGI sites for example)
  • Uses SSL or EV SSL.

Another big factor for purchases is whether I actually have to put my Credit card details into the site. I'm a lot less bothered about the site when it takes Paypal or hands me off to a known merchant gateway like Worldpay, so the site doesn't get to see my CC details. Conversely if the site offers to store my CC details for later purchases I would be extremely unlikely to use that facility unless I'm very sure of their likely level of security (in my case there's only one site I've used that on which is Amazon), and in fact a smaller site offering that facility makes me somewhat nervous about the site in general.

Rory McCune

I am considering using simple techniques like installing the WOT add-on to learn the reputation of a particular site. If the site has a higher reputation, then there is a much smaller chance of security problems.

Jithin Raju
  • **WARNING:** WOT-ratings may be (partly) ok, but do **NOT install any WOT-software**, it can/must be considered as malware!!! - https://thehackernews.com/2016/11/web-of-trust-addon.html – DJCrashdummy Nov 11 '16 at 07:40