Phil Zimmermann’s web of trust and the browsing app WOT both promise security to users. But the concepts are not one and the same. Zimmermann’s web of trust is related to cryptography while WOT has to do with securing users’ browsing activities. But despite their creators’ goals, detractors believe Zimmermann’s web of trust is lacking while WOT isn’t worth trusting. You’ll find out why in the next sections.
What Is a Web of Trust (Zimmermann’s That Is)?
A web of trust is a cryptographic concept. It is used in Pretty Good Privacy (PGP), GNU Privacy Guard (GnuPG), and other OpenPGP-compatible systems to establish the legitimacy of the tie that binds a public key and its owner.
A web of trust is decentralized and serves as an alternative to its centralized counterpart—public key infrastructure (PKI). You can liken it to a computer network. A computer network can work independently from others. Similarly, many independent webs of trust can exist at the same time.
Here’s a diagram of how a web of trust works:
In the diagram, you can see that Ingo (the primary user) designates different levels of trust to different people. He trusts the people he knows directly (Eva and Axel, his friends) more than he does the people he doesn’t really know (Manuel, Susi, and Manfred).
The same idea applies to access control on a company network, where the level of access depends on the roles employees play. The IT administrator usually gives full access only to C-suite executives who need to know everything that happens in the company. Directors get access to more files and systems than managers do, and so on down the line.
When Was the Concept of a Web of Trust Introduced?
The web of trust concept was introduced by Phil Zimmermann in 1992 in his manual for PGP version 2.0. Zimmermann did so because he believed that:
“As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. That will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.”
While the direct quote above doesn’t specifically mention the term “web of trust,” it does describe what the technology’s purpose is. In the passage, “web of confidence” is equivalent to “web of trust.”
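To make the trusted-introducer idea concrete, here is a small Python model, added here and not taken from the article or from any PGP implementation, that computes which keys Ingo would consider valid given the trust levels he assigned and the certifying signatures on each key. The names reuse the diagram's, while the trust assignments and signatures are constructed for illustration; the one-full-or-two-marginal thresholds are PGP 2's defaults (GnuPG's default requires three marginal signers).

```python
"""Toy model of OpenPGP-style web-of-trust key validity (added example)."""
from enum import IntEnum


class Trust(IntEnum):
    UNKNOWN = 0   # the user has not decided whether this person certifies carefully
    MARGINAL = 1  # a partially trusted introducer
    FULL = 2      # a fully trusted introducer


def key_validity(me, owner_trust, signatures, completes_needed=1, marginals_needed=2):
    """Return the set of keys that `me` considers valid (correctly bound to their owner).

    owner_trust: {key: Trust} as assigned by `me`, who is implicitly trusted.
    signatures:  {key: {keys that certified it}}.
    A key is valid if `me` signed it directly, or if it carries signatures from
    enough introducers that are BOTH valid AND trusted: `completes_needed` FULL
    signers or `marginals_needed` MARGINAL signers. The loop repeats until the
    valid set stops growing, so trust only flows through keys already found valid.
    """
    valid = {me}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]   # signatures from invalid keys are ignored
            full = sum(1 for s in usable if owner_trust.get(s) == Trust.FULL)
            marginal = sum(1 for s in usable if owner_trust.get(s) == Trust.MARGINAL)
            if me in usable or full >= completes_needed or marginal >= marginals_needed:
                valid.add(key)
                changed = True
    return valid


# Constructed scenario: Ingo met Eva and Axel in person and signed their keys.
OWNER_TRUST = {"Eva": Trust.FULL, "Axel": Trust.MARGINAL, "Manuel": Trust.MARGINAL}
SIGNATURES = {
    "Eva": {"Ingo"},
    "Axel": {"Ingo"},
    "Manuel": {"Eva"},            # one fully trusted introducer is enough
    "Susi": {"Axel", "Manuel"},   # two marginal introducers add up
    "Manfred": {"Susi"},          # Susi is valid but Ingo assigned her no trust
}

if __name__ == "__main__":
    print(sorted(key_validity("Ingo", OWNER_TRUST, SIGNATURES)))
    print(sorted(key_validity("Ingo", OWNER_TRUST, SIGNATURES, marginals_needed=3)))
```

Manfred's key stays unverified in both runs: a key being valid does not make its owner a trusted introducer, which is exactly the distinction between validity and trust that the quote relies on.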
How Does Zimmermann’s Web of Trust Differ from PKI?
The main difference between a web of trust and PKI has to do with the way they use public keys. PKI users can have a single certificate that they can use to authenticate their identity on every server that relies on that certificate for encrypted communications. A web of trust, meanwhile, requires users to use a different certificate for each network they wish to communicate with. So, if a company is part of seven webs of trust, it should have seven keys, one for each network.
Why Are There Very Few Web of Trust Users Compared to PKI Users?
Most organizations prefer to use PKI because of problems with the web of trust, such as:
- Loss of private keys: Users who lose their private keys can no longer decrypt messages sent to them that were encrypted using the matching public keys indicated in their OpenPGP certificate. Also, older PGP certificates don’t have expiration dates. You can’t cancel a lost private key, and should it land in attackers’ hands, they can use it to decrypt confidential messages.
- Public key authenticity check: A web of trust doesn’t have a central controller. Instead, it depends on other users for trust. As such, users with new certificates may not readily be trusted by others, preventing them from sending or receiving messages until the people who need to grant them trust meet them in person. For two companies that operate thousands of miles apart, for example, that may not be feasible, or it may be too time-consuming.
Is Zimmermann’s Web of Trust the Same as WOT Service’s WOT?
The quick answer is no. You can find out more about WOT in the following sections.
What Is the Web of Trust (WOT)?
WOT Service’s Web of Trust, also known as MyWOT or simply WOT, is a browser application that promises to protect users’ browsing activity and privacy.
MyWOT or WOT aims to keep users safe from scams, malware, phishing, and identity theft while browsing online. It performs website security checks by combining community ratings, reviews, and machine learning (ML) algorithms to look for evidence of malicious activity. It also issues alerts when malware is detected on a site.
Why Are People Saying WOT Shouldn’t Be Trusted?
Experience and news reports, however, show that not all browser extensions can be trusted. An investigation by the German TV channel NDR revealed that WOT, for one, was committing a severe breach of privacy. Specifically, users of WOT were subjected to extensive data collection in the background. That information was not only recorded on a per-user basis; it was also analyzed and sold to third parties.
As you’ve seen here, while technologies are developed for their users’ good, some end up doing the opposite.