Safety Meshing: Hybrid trust models in social networks for end-to-end encryption

End-to-end encryption on social networks is the new vogue. New platforms, however, still face the same old problem: trust. We need new solutions. In a world with capable nation states, criminal gangs, hacktivists and everyone in between seeking to take advantage of the connected world, how do users stay safe? Centralised trust systems like certificate authorities ask us to put all of our trust in one place, a place we might not trust, at least not all of the time. Decentralised systems allow us to be discerning about who we trust and when, but are people really paying attention? In this article we introduce a way of taking elements of centralised and decentralised systems and combining them to combat some of their inherent weaknesses.a aThis article is published online by Computer Weekly as part of the 2017 Royal Holloway information security thesis series http://www.computerweekly.com/ehandbook/ Safety-Meshing-Hybrid-trust-models-in-social-networks-for-end-to-end-encryption. It is based on an MSc dissertation written as part of the MSc in Information Security at the ISG, Royal Holloway, University of London. The full thesis is published on the ISG’s website at https://www.royalholloway.ac.uk/isg/. Online social networks have become a significant part of our lives. Three of the largest networks lay claim to over 1.5 billion users between them. These platforms, most of which are barely over 10 years old, already lay claim to a user base which spans over 20% of the world’s population. In the UK at least, you would be hard pressed to find someone who does not use an online social network in one way or another. Whether used to exchange ideas, communicate or broadcast information their pervasive nature creates numerous opportunities for threat actors. As their worth to users increases, their worth to attackers also increases. In the last few years the topic of encryption has taken centre stage. Our understanding of the capabilities of well-placed and motivated actors has fundamentally evolved. As a result, there has been a major reboot of the public conversation about encryption. The level of public interest probably eclipses the last major public cryptography debate at the turn of the century, when encryption was still classed as a munition. End-to-end Encryption End-to-end encryption ensures that secrecy is maintained between the sender and receiver of a message. But encryption isn’t the full story. For many users, service providers being compelled or coaxed into turning over decrypted traffic passing through their infrastructure is a serious concern. As a result, the gold standard became end-to-end encryption. The majority of systems used for building end-to-end encrypted channels rely on public key cryptography. The crux of any security system based on public keys revolves around trust : trust that the public key you are using really does belong to the person you think it does, that it is authentic. A number of different systems have been devised over the years to provide this authenticity: • Certificate authorities (CAs): Trusted entities who sign certificates attesting to the authenticity of public keys. • Web of trust : A decentralised approach where individuals choose to sign the certificates of others and attest to their authenticity. Users then have to make a value judgement on whether or not to trust a given signatory. Certificate authorities have been hugely successful. The deployment of SSL and TLS has powered commerce on the internet , but has not been without issues. The fundamental challenge with a central