DEV Community

suiiii
suiiii

Posted on

Trust Issues

This is just an abbreviated chain of thoughts to get you thinking.

Who do you trust and why?

Our world is based on trust. We trust our bank to safeguard our huge stacks of money, we trust our girlfriend or boyfriend and we trust this little lock in browser address bar.

But why do we trust them? How have they earned our trust so that we entrust them with our valuables and our secrets?

I hope your SO has proven worthy of your trust. But what about your bank? Why do you put your money in the bank? Because everybody does that and only criminals and paranoid weirdos keep their money in their mattresses? Well having money in the bank has some upsides like being able to do money transfers (and other stuff which are other issues) and if the bank gets robbed your money is hopefully insured. But is your money actually safe, does your bank actually have your money? Just think of the last financial crisis(es) and money runs...

And what about that SSL certificate on this website? It is trusted because it was issued by a CA that is trusted by the browser. But why is that CA trusted? Do you actually trust that company that you might have never heard of? How has it earned your trust? Is it just because your browser says that it's fine? And do you trust this site that is using this cert? Do they properly handle the private key or is this encryption just for nothing?

Verfification

To compensate these trust issues you could actually verify everything.

You could go to the bank every day and let them show you your stacks of money. (Which they won't show you, because they don't actually have it.)

You could follow your SO everywhere, check their email, phone, and social media so you are sure that they don't cheat on you. (This will probably kill your relationship, so let's skip this example)

And you could try to get verification that the SSL certificate was properly delivered and handled all the way from creation to deployment. But that are probably a lot of verification points you need to check. So this is kind of hard to do.

Let's be real

You cannot verify everything by yourself. You actually need to have trust in something that is worthy of your trust. But you have to define that what is trustworthy for yourself. Is the government trustworthy just because it is the government? Is that IMDB rating trustworthy because 100k user supposedly rated it? Is an equation like 1 + 1 = 2 worthy?

Math is probably a thing we all can agree on, because we can "easily" verify it. From here we quickly get to cryptography and cryptographic proofs that give us a very high probability that some fact holds true.

However those kind of systems still require some sort of trust in math and something else. Thinking of email encryption, you need to trust the encryption method and the public key of the message recipient. Meaning you have to trust that the key does actually belong to the person you want to communicate with and that he or she is still in control of that private key.

I'd argue that something like wikipedia in its concept is more or less trustworthy but that trust requires your attention. The ideal wikipedia article is crowd sourced by multiple "experts" and proofed with multiple factual sources. So you need to fact check that information you read in an article. But who actually does that? There are people who do that and change the article in case of issues. So most people trust that this system works out somehow. But there is no guarantee for that and there is actually no real incentive for people to add correct information other than their pride maybe.

But let's imagine for a second: What if wikipedia would pay you if you contribute useful and correct information. And if it turns out, your information was BS you would actually have to pay wikipedia. In general this would incentivise people to make wikipedia better and thus more trustworthy for everyone.

These kind of systems do actually exist, for example in some crypto systems. Are they fault proof? No! But I would argue that open and publicly verifiable systems are more trustworthy than closed ones. There is a reason why all "good" encryption methods are public and why your bank's systems are closed off.

But having one trustworthy system is not enough. Imagine you can actually trust that green lock in the browser bar. Does that actually mean that the site you visit is safe? Does this prevent the web dev from injecting malware in your browser? We do actually need a complete chain of trustworthy systems...

Top comments (0)