• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 203
  • Last Modified:

Checking authenticity of opened webpage

I am developing a web-based personal information manager. The home page is very simple, no images. Just a banner on top and Login box. I am wondering if someone hacks it and a fake page opens, how will I be able to differentiate whether the page opened is from my site or a fake one.
0
rpkhare
Asked:
rpkhare
  • 6
  • 5
1 Solution
 
Ted BouskillSenior Software DeveloperCommented:
You can't because your server isn't contacted.  Phishing schemes involve building a site that looks exactly the same but it's on a different server.
0
 
rpkhareAuthor Commented:
What's the solution?

I am planning to keep a public key on the server database. It will create a time stamp string and encrypt using my public key. When the home page will open, I'll display this encrypted string on the page. I will copy the encrypted string from the page and decrypt using a private key that I have in my personal computer. If the time stamp comes out to be different than that of current date, it means it is a fake page.
0
 
Ted BouskillSenior Software DeveloperCommented:
If the hacker duplicates your page what is preventing them from simply displaying the current date using JavaScript?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
rpkhareAuthor Commented:
Even if they duplicates, the secret text that is prepared along with time stamp of login will be tested when I'll decrypt that string with my private key.

What exactly will happen is this:

(1) As the home page will load, my application will create a secret text that will be stored in the database. This will be refreshed every time.

(2) This secret text, that is residing in my database, and time stamp of opening the page, will be encrypted with my public key that too is lying in the database.

(3) The Base 64 string that is prepared will be shown on the home page immediately after load.

(4) I will copy the text and decrypt on my machine using my private key.

(5) I will get that secret text when decrypted.

(6) I will enter this secret text again. If it matches with the secret text lying in the database, it means it is genuine. After successful authentication, login form will appear

0
 
Ted BouskillSenior Software DeveloperCommented:
You're missing the point of phishing.  If they create a page that looks exactly like your log in page the page POST would go to the hacker's site NOT your's.  From your point of view it would look valid but the hacker would have your username password.

Nothing you are proposing is preventing that.
0
 
rpkhareAuthor Commented:
So what are standard authentication ways to prevent phishing.
0
 
Ted BouskillSenior Software DeveloperCommented:
One technique many banks use is the following:

- User multiple sign in screens that use the following

- Store a catalog of many security questions and answers.  Each time the user signs in randomly ask different security question.

- Let the user select or upload a personalized image icon that is shown during the log in process that only the user knows

- Let the user input a phrase that is unique that only the user knows and is shown during the sign in process

However, there are far more dangerous aspects to web applications than phishing.  Read this article on clickjacking.
http://www.webmonkey.com/blog/A_Look_at_the__Clickjacking__Web_Attack_and_Why_You_Should_Worry
0
 
rpkhareAuthor Commented:
Any other standard authentication techniques like Certification etc.? Do I need to include VeriSign or Thwate or McAfee site security?
0
 
Ted BouskillSenior Software DeveloperCommented:
Not for Phishing or ClickHijacking.  Certificate techniques will help with ensuring that only valid users can access your site or prevent session highjacking.

I hate to be the bearer of bad news, but HTTP wasn't designed for security.  The original design was to share text based hyperlinked pages.  People have done very ingenious work arounds to get it to do far more than it was originally intended, however, that means that at it's core it's not secure.

0
 
rpkhareAuthor Commented:
Ok, the other way round.

There will be a TextBox on the HomePage. I will paste an encrypted text on it. This encrypted text will be prepared on my machine using my private key. this encrypted text will get decrypted using my public key lying in the database on the server.

Please let me know your views.
0
 
Ted BouskillSenior Software DeveloperCommented:
Once, again, if the phishing site or a packet sniffer captures your username and password (encrypted or not) it can resubmit them later to your server.  The same is true with ClickJacking.

I'd suggest you begin reading materials on http://www.antiphishing.org/ to realize how difficult this problem is.  If you truly want to protect your site and users you will need to purchase a 3rd party product.

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now