Solved

Checking authenticity of opened webpage

Posted on 2008-10-19
201 Views
Last Modified: 2012-05-05
I am developing a web-based personal information manager. The home page is very simple, no images. Just a banner on top and Login box. I am wondering if someone hacks it and a fake page opens, how will I be able to differentiate whether the page opened is from my site or a fake one.
Question by:rpkhare
12 Comments
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22755410
You can't because your server isn't contacted.  Phishing schemes involve building a site that looks exactly the same but it's on a different server.
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22755752
What's the solution?

I am planning to keep a public key on the server database. It will create a time stamp string and encrypt using my public key. When the home page will open, I'll display this encrypted string on the page. I will copy the encrypted string from the page and decrypt using a private key that I have in my personal computer. If the time stamp comes out to be different than that of current date, it means it is a fake page.
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22760632
If the hacker duplicates your page what is preventing them from simply displaying the current date using JavaScript?
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22761003
Even if they duplicate it, the secret text that is prepared along with the time stamp of login will be tested when I decrypt that string with my private key.

What exactly will happen is this:

(1) As the home page will load, my application will create a secret text that will be stored in the database. This will be refreshed every time.

(2) This secret text, that is residing in my database, and time stamp of opening the page, will be encrypted with my public key that too is lying in the database.

(3) The Base 64 string that is prepared will be shown on the home page immediately after load.

(4) I will copy the text and decrypt on my machine using my private key.

(5) I will get that secret text when decrypted.

(6) I will enter this secret text again. If it matches the secret text lying in the database, it means it is genuine. After successful authentication, the login form will appear.

0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22810215
You're missing the point of phishing.  If they create a page that looks exactly like your log in page, the page POST would go to the hacker's site NOT yours.  From your point of view it would look valid but the hacker would have your username and password.

Nothing you are proposing is preventing that.
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22810229
So what are the standard authentication ways to prevent phishing?
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22810282
One technique many banks use is the following:

- Use multiple sign-in screens that use the following:

- Store a catalog of many security questions and answers.  Each time the user signs in randomly ask different security question.

- Let the user select or upload a personalized image icon that is shown during the log in process that only the user knows

- Let the user input a phrase that is unique that only the user knows and is shown during the sign in process

However, there are far more dangerous aspects to web applications than phishing.  Read this article on clickjacking.
http://www.webmonkey.com/blog/A_Look_at_the__Clickjacking__Web_Attack_and_Why_You_Should_Worry
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22811548
Any other standard authentication techniques like Certification etc.? Do I need to include VeriSign or Thwate or McAfee site security?
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22814512
Not for phishing or clickjacking.  Certificate techniques will help with ensuring that only valid users can access your site or prevent session hijacking.

I hate to be the bearer of bad news, but HTTP wasn't designed for security.  The original design was to share text-based hyperlinked pages.  People have done very ingenious workarounds to get it to do far more than it was originally intended, however, that means that at its core it's not secure.

0
 
LVL 8

Author Comment

by:rpkhare
ID: 22815430
Ok, the other way round.

There will be a TextBox on the HomePage. I will paste an encrypted text into it. This encrypted text will be prepared on my machine using my private key. This encrypted text will get decrypted using my public key lying in the database on the server.

Please let me know your views.
0
 
LVL 51

Accepted Solution

by:Ted Bouskill (earned 375 total points)
ID: 22815735
Once again, if the phishing site or a packet sniffer captures your username and password (encrypted or not) it can resubmit them later to your server.  The same is true with clickjacking.

I'd suggest you begin reading materials on http://www.antiphishing.org/ to realize how difficult this problem is.  If you truly want to protect your site and users you will need to purchase a 3rd party product.

0
