Solved

Checking authenticity of opened webpage

Posted on 2008-10-19
12
193 Views
Last Modified: 2012-05-05
I am developing a web-based personal information manager. The home page is very simple, no images. Just a banner on top and Login box. I am wondering if someone hacks it and a fake page opens, how will I be able to differentiate whether the page opened is from my site or a fake one.
0
Comment
Question by:rpkhare
  • 6
  • 5
12 Comments
 
LVL 51

Expert Comment

by:tedbilly
ID: 22755410
You can't because your server isn't contacted.  Phishing schemes involve building a site that looks exactly the same but it's on a different server.
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22755752
What's the solution?

I am planning to keep a public key on the server database. It will create a time stamp string and encrypt using my public key. When the home page will open, I'll display this encrypted string on the page. I will copy the encrypted string from the page and decrypt using a private key that I have in my personal computer. If the time stamp comes out to be different than that of current date, it means it is a fake page.
0
 
LVL 51

Expert Comment

by:tedbilly
ID: 22760632
If the hacker duplicates your page what is preventing them from simply displaying the current date using JavaScript?
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22761003
Even if they duplicates, the secret text that is prepared along with time stamp of login will be tested when I'll decrypt that string with my private key.

What exactly will happen is this:

(1) As the home page will load, my application will create a secret text that will be stored in the database. This will be refreshed every time.

(2) This secret text, that is residing in my database, and time stamp of opening the page, will be encrypted with my public key that too is lying in the database.

(3) The Base 64 string that is prepared will be shown on the home page immediately after load.

(4) I will copy the text and decrypt on my machine using my private key.

(5) I will get that secret text when decrypted.

(6) I will enter this secret text again. If it matches with the secret text lying in the database, it means it is genuine. After successful authentication, login form will appear

0
 
LVL 51

Expert Comment

by:tedbilly
ID: 22810215
You're missing the point of phishing.  If they create a page that looks exactly like your log in page the page POST would go to the hacker's site NOT your's.  From your point of view it would look valid but the hacker would have your username password.

Nothing you are proposing is preventing that.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 8

Author Comment

by:rpkhare
ID: 22810229
So what are standard authentication ways to prevent phishing.
0
 
LVL 51

Expert Comment

by:tedbilly
ID: 22810282
One technique many banks use is the following:

- User multiple sign in screens that use the following

- Store a catalog of many security questions and answers.  Each time the user signs in randomly ask different security question.

- Let the user select or upload a personalized image icon that is shown during the log in process that only the user knows

- Let the user input a phrase that is unique that only the user knows and is shown during the sign in process

However, there are far more dangerous aspects to web applications than phishing.  Read this article on clickjacking.
http://www.webmonkey.com/blog/A_Look_at_the__Clickjacking__Web_Attack_and_Why_You_Should_Worry
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22811548
Any other standard authentication techniques like Certification etc.? Do I need to include VeriSign or Thwate or McAfee site security?
0
 
LVL 51

Expert Comment

by:tedbilly
ID: 22814512
Not for Phishing or ClickHijacking.  Certificate techniques will help with ensuring that only valid users can access your site or prevent session highjacking.

I hate to be the bearer of bad news, but HTTP wasn't designed for security.  The original design was to share text based hyperlinked pages.  People have done very ingenious work arounds to get it to do far more than it was originally intended, however, that means that at it's core it's not secure.

0
 
LVL 8

Author Comment

by:rpkhare
ID: 22815430
Ok, the other way round.

There will be a TextBox on the HomePage. I will paste an encrypted text on it. This encrypted text will be prepared on my machine using my private key. this encrypted text will get decrypted using my public key lying in the database on the server.

Please let me know your views.
0
 
LVL 51

Accepted Solution

by:
tedbilly earned 125 total points
ID: 22815735
Once, again, if the phishing site or a packet sniffer captures your username and password (encrypted or not) it can resubmit them later to your server.  The same is true with ClickJacking.

I'd suggest you begin reading materials on http://www.antiphishing.org/ to realize how difficult this problem is.  If you truly want to protect your site and users you will need to purchase a 3rd party product.

0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
Introduction This article shows how to use the open source plupload control to upload multiple images. The images are resized on the client side before uploading and the upload is done in chunks. Background I had to provide a way for user…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now