Website fingerprinting
Introduction
A web user today has a trillion web pages competing for his attention every time he is online, with thousands of websites being added each day. Owing to the decentralized and unregulated issuance of domain names and the low cost of web hosting, it has become extremely simple for anyone to buy a domain name and host a website of his own. This strength, which has driven the growth of the internet, has also meant that anyone can use the web to create a fraudulent website with content and URLs stolen from existing genuine websites.
What problem does it address?
The site domain name, the look and feel of the content, and at times the lock icon (digital certificate) are the ONLY elements used to establish the identity of a website. There are 3 problems with this:
1. Owing to the insecure internet infrastructure, the user cannot be certain that the address typed in the browser takes him to the intended site every time. An unsuspecting web user can end up at a fraudulent (fake) site and give his credentials to the fraudster, causing immense damage thereafter.
2. Obfuscated URLs such as http://trustedbank.x.com can trick the user into believing that he is at the authentic website.
3. Most users do not know what to check in a digital certificate, as the enterprise never communicates this to the user.
By the time the fake website is blacklisted, victims would have already lost money to fraud.
How does website fingerprinting solve this problem?
The root cause of the problem is that there is no hard and fast definition of what constitutes the identity of a website that is available to the user to check before he/she submits critical information. There is a need for a central body that defines website identity and makes it hard to duplicate and easy for the customer to match on demand.
The solution consists of 3 parts:
1. Create a central SiteFingerprint Vault of websites: This involves (a) selecting websites of critical importance (e.g. online banks, online share trading firms, ecommerce websites, email providers etc.), (b) creating unique website fingerprints based on the identity parameters of the website, and (c) storing them in a secure facility.
2. Give the customer a tool to identify websites: This tool is a browser plug-in that matches the SiteFingerprintSM of the website that the browser has connected to against the reference SiteFingerprintSM (obtained from the SiteFingerprintSM Vault and stored locally), and provides a visual cue (green band) reassuring the customer whenever he/she is on a genuine website.
3. Accessing the Central SiteFingerprintSM Vault: The Central SiteFingerprintSM Vault is accessed by the customer's browser plug-in tool (mentioned in 2) to update the local SiteFingerprintsSM stored on his/her computer. This access is available only through the secure RMAP channel (Rel-ID Mutual Authentication and Encryption Protocol).
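The match performed by the plug-in in step 2, as an added sketch that is not SiteFingerprint's own code. The page does not say which identity parameters make up a fingerprint, so this assumes the exact hostname plus the SHA-256 of the site's TLS certificate; `siteFingerprint`, `checkSite`, `localVault` and the certificate hashes are hypothetical names and constructed values.

```javascript
// Added illustration; NOT the SiteFingerprint product's algorithm or storage format.
const crypto = require('crypto');

// Drop a trailing dot and normalise case so equivalent hostnames compare equal.
function canonicalHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, '');
}

// Assumed identity parameters: exact hostname + SHA-256 of the TLS leaf certificate.
function siteFingerprint({ hostname, certSha256 }) {
  const canonical = JSON.stringify([canonicalHost(hostname), certSha256.toLowerCase()]);
  return crypto.createHash('sha256').update(canonical).digest('hex');
}

// Local reference store, as it would be refreshed from the central vault (constructed sample).
const localVault = new Map([
  ['trustedbank.com',
    siteFingerprint({ hostname: 'trustedbank.com', certSha256: 'aa'.repeat(32) })],
]);

// Returns 'green' only when the host is registered AND the observed fingerprint matches.
// 'none' = site not in the vault (no band); 'mismatch' = registered name, wrong identity.
function checkSite(url, observedCertSha256, vault = localVault) {
  let parsed;
  try { parsed = new URL(url); } catch { return 'none'; }
  if (parsed.protocol !== 'https:') return 'none';   // plain HTTP has no certificate to bind to
  const host = canonicalHost(parsed.hostname);
  const reference = vault.get(host);                 // exact-host lookup, never a substring test
  if (!reference) return 'none';
  const observed = siteFingerprint({ hostname: host, certSha256: observedCertSha256 });
  const a = Buffer.from(observed, 'hex');
  const b = Buffer.from(reference, 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b) ? 'green' : 'mismatch';
}
```

Because the lookup is keyed on the full hostname, the obfuscated `trustedbank.x.com` from the problem list gets no green band, and a connection to the right name that presents a different certificate is reported as a mismatch.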
Benefits
Web users
• Protection against internet fraud: Web users can now access the SiteFingerprint vault for a list of trusted websites. This practice can effectively eliminate all forms of online identity theft which essentially rely on users giving up their logins and passwords at fake websites.
• Legal recourse: If a user falls victim to online identity theft, he can rely on a history of green bands, with the website signatures captured and stored locally, to figure out the phishing websites he/she may have visited. This history can be used as a legal document to prove that he was indeed a victim of online identity theft, which is currently almost impossible.
• Complement loopholes left by existing security software: Existing anti-virus and anti-phishing solutions do not protect the customer completely, as they do not authenticate the websites. This gap is plugged by SiteFingerprintSM.
Website owners
• Protection against identity spoofing: In case a website's identity is spoofed, its customers are protected. Furthermore, the original website can report the incident and use its registration with the SiteFingerprint Vault to prove its case.
• Reducing loss of traffic: The website can ask its customers to watch for the green band to make sure they are on the correct website, thus preventing loss of traffic.
• Complement loopholes left by Anti-pharming and EV-SSL solutions: Anti-Pharming and EV SSL solutions require substantial investment and they do not guarantee customers' authentication of website identity, as the authentication is not performed at the customer end. Educating customers to use SiteFingerprints does not require any investment and it guarantees customers peace of mind while transacting on the website.