Solved

Checking authenticity of opened webpage

Posted on 2008-10-19
12
197 Views
Last Modified: 2012-05-05
I am developing a web-based personal information manager. The home page is very simple, no images. Just a banner on top and Login box. I am wondering if someone hacks it and a fake page opens, how will I be able to differentiate whether the page opened is from my site or a fake one.
0
Comment
Question by:rpkhare
  • 6
  • 5
12 Comments
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22755410
You can't because your server isn't contacted.  Phishing schemes involve building a site that looks exactly the same but it's on a different server.
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22755752
What's the solution?

I am planning to keep a public key on the server database. It will create a time stamp string and encrypt using my public key. When the home page will open, I'll display this encrypted string on the page. I will copy the encrypted string from the page and decrypt using a private key that I have in my personal computer. If the time stamp comes out to be different than that of current date, it means it is a fake page.
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22760632
If the hacker duplicates your page what is preventing them from simply displaying the current date using JavaScript?
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 8

Author Comment

by:rpkhare
ID: 22761003
Even if they duplicates, the secret text that is prepared along with time stamp of login will be tested when I'll decrypt that string with my private key.

What exactly will happen is this:

(1) As the home page will load, my application will create a secret text that will be stored in the database. This will be refreshed every time.

(2) This secret text, that is residing in my database, and time stamp of opening the page, will be encrypted with my public key that too is lying in the database.

(3) The Base 64 string that is prepared will be shown on the home page immediately after load.

(4) I will copy the text and decrypt on my machine using my private key.

(5) I will get that secret text when decrypted.

(6) I will enter this secret text again. If it matches with the secret text lying in the database, it means it is genuine. After successful authentication, login form will appear

0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22810215
You're missing the point of phishing.  If they create a page that looks exactly like your log in page the page POST would go to the hacker's site NOT your's.  From your point of view it would look valid but the hacker would have your username password.

Nothing you are proposing is preventing that.
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22810229
So what are standard authentication ways to prevent phishing.
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22810282
One technique many banks use is the following:

- User multiple sign in screens that use the following

- Store a catalog of many security questions and answers.  Each time the user signs in randomly ask different security question.

- Let the user select or upload a personalized image icon that is shown during the log in process that only the user knows

- Let the user input a phrase that is unique that only the user knows and is shown during the sign in process

However, there are far more dangerous aspects to web applications than phishing.  Read this article on clickjacking.
http://www.webmonkey.com/blog/A_Look_at_the__Clickjacking__Web_Attack_and_Why_You_Should_Worry
0
 
LVL 8

Author Comment

by:rpkhare
ID: 22811548
Any other standard authentication techniques like Certification etc.? Do I need to include VeriSign or Thwate or McAfee site security?
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 22814512
Not for Phishing or ClickHijacking.  Certificate techniques will help with ensuring that only valid users can access your site or prevent session highjacking.

I hate to be the bearer of bad news, but HTTP wasn't designed for security.  The original design was to share text based hyperlinked pages.  People have done very ingenious work arounds to get it to do far more than it was originally intended, however, that means that at it's core it's not secure.

0
 
LVL 8

Author Comment

by:rpkhare
ID: 22815430
Ok, the other way round.

There will be a TextBox on the HomePage. I will paste an encrypted text on it. This encrypted text will be prepared on my machine using my private key. this encrypted text will get decrypted using my public key lying in the database on the server.

Please let me know your views.
0
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 125 total points
ID: 22815735
Once, again, if the phishing site or a packet sniffer captures your username and password (encrypted or not) it can resubmit them later to your server.  The same is true with ClickJacking.

I'd suggest you begin reading materials on http://www.antiphishing.org/ to realize how difficult this problem is.  If you truly want to protect your site and users you will need to purchase a 3rd party product.

0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

One of the pain points with developing AJAX, JavaScript, JQuery, and other client-side behaviors is that JavaScript doesn’t allow for cross domain request for pulling content. For example, JavaScript code on www.johnchapman.name could not pull conte…
ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question