Towards More Trustworthy Trust- Based Systems for Anonymity and Web Security

In today’s Internet, trust has been widely used to design anonymity and security enhanced systems. Some of these trust-based systems have been successfully deployed in the Internet for a long time and benefit a large population of Internet users. In particular, trust-based onion routing network is a representative example for the use of trust in protecting anonymity. As one of the most popular onion routing systems, Tor serves more than 3 millions of Internet users. It hides Internet users’ identities behind a circuit of selected onion routers but runs a high risk of being compromised by attackers who employ malicious onion routers to launch correlation-like attacks. Without an effective trust model, it is very difficult for Internet users to evade attackers’ routers when establishing onion circuits. As a result, recent research proposes trust-based onion routing to thwart the correlation-like attacks. Using a priori trust that users have readily assigned to routers’ owners, attackers’ routers are likely to be identified and excluded from users’ onion circuits. As an example to demonstrate the effectiveness and popularity of trust in protecting security, we study the public key infrastructure (PKI for short) which has been successfully deployed in the web for more than two decades. This infrastructure employs a well-known certification based trust model for website authentication. Based on this trust model, modern browsers trust a group of trust anchors (also known as root certificate authorities or CAs for short) in advance, and authenticate remote websites by checking whether the site certificate is signed by one of the pre-trusted trust anchors. Although trust-based systems are widely used for securing anonymous communications and web services, recent studies reveal that the use of trust could incur new problems. For example, despite that trust-based onion routing successfully defeats correlation-like attacks by using a priori trust among users, the use of trust for onion routing still suffers from two challenging problems due to the inherent weakness of trust. One is the biased trust distributions among users, and the other is how to verify the correctness of trust one person assigns to the other. The biased distribution will reduce the entropy (i.e., anonymity) of the whole routing system and hence induce a new inference attack, whereas the incorrect trust could render trust-based onion routing ineffective in protecting anonymity. On the other hand, the trust-based systems