From @GrahamLee's comment over on this question, this is a very good point:
How do I choose whether to trust a particular website when the only information I have relevant to my trust decision is the web?
Do I trust it because of history? It has always appeared right so probably is now? Do I count the number of other sites that trust it? The web of trust concept?
or what else?
I believe in cross-fertilizing between sources of information. Most of them start on the internet, but we have more and more ways to link virtual resources (e.g. websites) with the physical world. Following are a few ways I use to see if I can trust a website. I hope it helps :)
A bit more advanced:
There was been some interesting research on trust metrics: Attack Resistant Trust Metrics, A Model for Trust Metrics Analysis, How to incorporate revocation status information into the trust metrics for public-key certification
The basic concept is building a set of links from you to your target. Unfortunatly web sites dont embody trust. People are the appropriate trust originators. This is a concept easily lost in the modern era where technology is portrayed as sterile and disconnected from its creators and manufacturers.
However all web sites are made by people, at least as far as I know. The problem on some sites is that the content creater is not always recognized. Links are not vouched for.
One principal I apply when trying to gain confidence in a piece of data is diversity of source. If I am seeking an evaluation on a tool I try to get opinions from experts, amature enthusiasits, and from publications.
For example If I was interested in buying a new camera, I would look on user forums, professional blogs, and magazines that cover photography. Of course each group could potentially give wrong or misleeding opinions, but the likeliness of at least two being wrong or misleading is smaller than the likelyness of any one group being wrong or misleading.
Notice that this does not guarantee me good results. It only gains you a higher level of assurance that the evaluation is correct.
Second I devote more resources to collecting evaluation on high value data. Not all questions deserve thorough vetting. The opinions on which web comic will make you laugh don't require more checking because you can trivially confirm the claim. Likewise purchases under $20 US rarely require much though unless they may have an impact on my health or safety. i.e. is the generic pain killer as safe as taking a generic brand? or Should I buy the USB flash drive from vender A or vender B?
I trust sites that many people trust. Consequences of attacks are all the more lessened if there are many victims. In a business context, this translates to the following: it is not a problem (for me !) to be attacked as long as most of (or all of) my competitors are similarly attacked. To some extent, not being attacked when the competitors are, could be a tactical failure and rise suspicion.
This is a generic trend. This advocates using Windows on servers, instead of, say, NetBSD: any security hole intrinsic to Windows will be present on millions of other servers, which severely dilutes any potential blame. Similarly, you should keep in your browser the standard set of root certificates, because "that's what everybody does": if a rogue CA allows a wide scale fraud, there would be so many victims that banks would be forced to take a reasonable, amiable stance.
In a world of wolves and sheep, the sheep salvation lies in big numbers: stick to the herd. Don't try to be a wolf if you cannot afford it.
The question isn't quite right: Trust isn't binary. I think you really want to know "How can I decide how much to trust a particular website?"
In the end I think it comes down to how much I must trust each particular site.
The sites that I have to trust the most (bank, brokerage, etc) I have a physical offline relationship with. The companies that run those websites have a significant offline reputation and presence; they correspond with me on dead trees via snail mail and they have a phone number where you can talk to a human. This is somewhat outside the scope of the question since you have said the only information you have is from the web itself, but even then you can verify the physical presence via multiple avenues. (Google, WHOIS, Wikipedia, online reviews -- e.g. bank comparison websites, etc.) Also, if I have to "fully" trust a site -- for financial info or other sensitive data -- then I am unlikely to do so unless I can have a reason to trust them that is backed up by a trustworthy significant offline presence.
The sites that I trust the least are those that I don't have to trust. JimBob's Game Zone & Happy Fun Time, for example: hmm, you say you've got this really fun game that I've got to enable java to play? Sorry, but no thanks. (The same is true even for somewhat more reputable sites that still have, say, java-based financial calculators that I'd like to use. I can find an alternative that doesn't expose me to a huge attack surface.)
In between there are sites that you have to trust somewhat, but not fully. In other words, you may need to expose yourself to some risk. For example, H&R Block has a calculator that estimates how much tax I owe for last year. I have to enable scripting and flash for their calculator to work, and I have to enter personal data (e.g. income, family status) -- and it has to be accurate (though not perfectly precise) in order for me to get the answer I want. I don't have to give any identification, so beyond the exposure to scripting and some limited data it's an acceptable risk; I may access via proxy to hide my data from my ISP and hide my location from the site.
Other sites want to collect tons of data from you, they want to identify you personally, etc, and they give you a service in return. Facebook or Google, for example; to a lesser extent, Stack Exchange. I, for one, choose to actively distrust the omnipresent sites: this takes effort since you have to block multiple domains via NoScript or other browser plugins to prevent the company from tracking you around the web. I choose not to use Facebook. I use multiple Google products, but here I've chosen to pay for their service with my data; I still block their tracking domains when I not using their products.
The issue at hand in the linked question is whether to trust an Ubuntu ISO image downloaded from a particular website. Based on what I've written above, I think the answer is that you don't have to trust it much, so you shouldn't. ("Trust, but verify.") Download the image from anywhere reputable enough that you don't waste your time and bandwidth. I'd probably pull the torrent: you don't have to trust any single site. Then verify the hash via multiple channels: check Canonical's website, check other websites, use multiple proxies to check those websites (so you are less likely to be MITM'd), ask on IRC, call a friend, etc.
My approach to trust a website is indeed some kind of web of trust. For example: When I hear about a piece of software that I want to use, but I do not know the URL, I don't trust googles results. Those could be forged, due SEO or paid pagerank.
My web of trust in this case is Wikipedia. Of course a link on Wikipedia can be forged as well, but is more unlikely. Just because fewer people choose this way and more people control the links authenticy.
And of course a page linked from a page that I already trust is likely to be trusted as well.
I think my view is a combination of the above
It depends of course on what you want to do with the site. I mainly consider this kind of thing before I purchase something from them or put personal details into a form on the site.
My personal decisions tend to revolve around whether the site
Another big factor for purchases is whether I actually have to put my Credit card details into the site. I'm a lot less bothered about the site when it takes Paypal or hands me off to a known merchant gateway like Worldpay, so the site doesn't get to see my CC details. Conversely if the site offers to store my CC details for later purchases I would be extremely unlikely to use that facility unless I'm very sure of their likely level of security (in my case there's only one site I've used that on which is Amazon), and in fact a smaller site offering that facility makes me somewhat nervous about the site in general.
I am considering using simple techniques like installing WOT add-one for knowing the reputation of a particular site. If the site has more reputation then its very less chance for security problems.
