Exploring Trust in the Digital World

The concept of trust is transient in the digital world, where an identity changes constantly over time.
December 2, 2016 | Hari Nair

What is trust?

The Oxford dictionary defines trust as the “firm belief in the reliability, truth, ability, or strength of someone or something.” A wonderful article on offers multiple interpretations for trust. When considering trust in the digital world, one in particular caught my attention:

“Trust means making an exchange with someone when you do not have full knowledge about them, their intent and the things they are offering to you.”

In the physical world, trust is established based on identity or context, built on familiarity (the frequency of our interactions), and ultimately dependent on experience. Just as importantly, trust is nuanced: We don't trust everyone equally. For example, we trust friends and family more than neighbors or casual acquaintances.

Yet frequently, we have to trust people that we don’t see often, such as doctors, mechanics, and tax accountants. What gives us the confidence to depend on these people? Specifically, how do we know that a doctor is a doctor? Probably, the fact that we can see the doctor is accredited or affiliated with a well-known hospital.

Now let’s contrast how we build trust in the physical world with how we establish trust in the digital world, where we cannot "see" anything. For example, I connect to my bank, my email provider, and to a variety of e-commerce sites—each of which requires me to provide personally identifiable information (PII) and, in some cases, credit card data. I can identify the websites I frequently visit based on the logo, colors, and layout, but attacks like phishing have long since rendered my ability to recognize the "look and feel" of an (online) entity practically useless. Without a tangible identity, there's no way I can build familiarity and hence trust.

How, then, do I know I am connecting to the online service provider that I want to use? Most merchants attempt to solve this problem by using digital certificates to verify their virtual identity. A certificate, much like a credit card or a passport, is issued by a "trusted" authority (a financial or government institution in the real world) and has an associated validity and purpose.

The similarities end there, however. Although we can “view” certificates, the attributes that make them unique (and hence, linked irrevocably to a physical entity) can only be "verified" by applications such as a web browser or an email client. Theoretically, then, it should be possible for an application to identify and, over time, trust an entity, shouldn't it?

Not so fast. There are a couple of reasons this isn't practical yet:

  1. Unlike a physical attribute (such as a face, voice, or fingerprint), a digital attribute is inherently transient in nature. The digital "key" that serves as the unique attribute to identify an online entity is valid for a specified period of time and must then be replaced. Periodically replacing a digital key mitigates the risk of the key being duplicated. The more a key is used, the greater the chance it will be compromised. As such, best practices recommend the periodic regeneration of keys. Familiarity with a specific key (sometimes referred to as “certificate pinning”) isn’t particularly useful, especially when the keys themselves get replaced as often as every 90 days.
  2. Digital keys and certificates are being stolen, and increasingly often. Individuals and state-sponsored organizations are targeting them with the specific goal of misrepresenting themselves to steal sensitive information. Because keys and certificates are the most widely used means for establishing online identity, they are constantly under attack. In a recent survey conducted by The Ponemon Institute, 100% of respondents (from Global 2000 companies) reported that they have had at least one attack on keys and certificates in the last 2 years.
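
Point 1 in practice, as an added example that is not part of the original post: a client that remembers a site's key (as a hash of its public key) loses that familiarity at the first 90-day renewal, while the issuing authority's signature still verifies. It assumes the third-party Python `cryptography` package; the names `shop.example` and `Example CA`, the dates and all keys are constructed.

```python
# Added example; the CA, host name, dates and keys are all constructed.
import datetime as dt
import hashlib
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def new_key():
    return ec.generate_private_key(ec.SECP256R1())

def issue(cn, key, issuer_cn, issuer_key, start, days):
    """Certificate binding `key` to `cn`, signed by `issuer_key`."""
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=days))
            .sign(issuer_key, hashes.SHA256()))

def spki_pin(cert):
    """SHA-256 of the DER SubjectPublicKeyInfo: the remembered ("pinned") key."""
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()

def signed_by(cert, ca_cert):
    """True only if the CA's public key verifies the signature on `cert`."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def rotation_demo():
    t0 = dt.datetime(2016, 12, 2)  # constructed start date
    ca_key = new_key()
    ca = issue("Example CA", ca_key, "Example CA", ca_key, t0, 3650)
    first = issue("shop.example", new_key(), "Example CA", ca_key, t0, 90)
    renewed = issue("shop.example", new_key(), "Example CA", ca_key,
                    t0 + dt.timedelta(days=90), 90)
    # Same subject and issuer names, but signed by a key the CA does not hold.
    lookalike = issue("shop.example", new_key(), "Example CA", new_key(), t0, 90)
    return {"pin_survives_rotation": spki_pin(renewed) == spki_pin(first),
            "renewed_signed_by_ca": signed_by(renewed, ca),
            "lookalike_signed_by_ca": signed_by(lookalike, ca)}
```

`rotation_demo()` reports that the remembered key no longer matches after renewal, that the renewed certificate still verifies against the authority, and that a certificate merely carrying the same names does not.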

Unlike the physical world, on the internet, the concept of trust is not as tangible. We cannot establish identity based on sight, and digital keys—the mechanism designed to verify identity and establish trust—are frequently updated, rendering familiarity impractical. Trust must be established every time, and cannot be based upon frequent interactions. Are we, then, limited to placing the same amount of trust in all our online transactions?


About the author

Hari Nair

Hari is Director of Product Management at Venafi. He is responsible for vision and execution of #NextGenerationTrustProtection to secure the Global 5000.
