FR2895817A1 - Public website`s html page analyzing method for detecting change in e.g. page address, involves comparing result of authentic page before displaying of page with result of page to determine safety risk of page before displaying page - Google Patents

Abstract

The method involves applying a function e.g. hashing function (6), to an authentic html page (1) in a time, and storing an obtained result. The function is applied to an authentic page before displaying the authentic page by a web browser for obtaining another result in another time. The result of authentic page before displaying of the authentic page is compared with the obtained result of authentic page to determine safety risk of the authentic page before displaying the authentic page. An independent claim is also included for a system for analyzing a page.

Description

The present invention relates to the field of data protection

  and more particularly a page scanning method and a system for providing the user of a browser with information on the security risks presented by said pages.

  At present, when a user browses the Internet, he can be deceived in different ways. Some security attacks jeopardize the integrity of the pages accessed. The first type of attack of this kind is the disfiguration of pages. In this case, the attacker replaces the content he wants with the legitimate content of a page. This type of attack can have a very serious negative impact on the image of a company when the pages attacked are those of its public website. Another type of attack is called web-phishing. In this case, the user receives a false e-mail referring to the attacked website but which actually points to another site. This other site, very similar to the attacked website, is a pirate site that belongs to the attacker. The user, who can not always be aware of the deception, can be brought in good faith to provide the requested information on this pirate site. It may be confidential information such as credit card codes for example. The hacker then has the opportunity to use this information as he wishes, for example a bank code provided by the user to make purchases on his account. The user can then suffer significant financial losses. A third type of attack is called spoofing URL. In this case, the attack consists of modifying the URL, ie the Internet address of the website that appears in the user's browser. This attack is intended to make the user believe that he is actually on the site indicated in the URL. These attacks can sometimes be detected when the sites include a security system that uses SSL (Secure Socket Layers).

  In this case, the user must then rely on the name of the owner displayed in the certificate that is linked to the web page accessed. However, checking a certificate is not easy - it requires the user to navigate through various menus before accessing the certificate - which is why users rarely do it.

  In addition, the name used in the certificate is not always an evocative name. Indeed, it may be a machine name, a domain name, the name of the group or holding company to which the company belongs, etc. For example, it is not obvious for the user who surfs on the site www.bonchocolat.com that this site is hosted by the company Nestlé.

  In addition, most users do not maintain the certificate revocation list. This list can be made available by their browser but users very often disable this option. As a result, an attacker will be able to use a properly signed but revoked SSL certificate. The user will not detect it if he gives full confidence to the SSL certificate and may end up on a pirate site when he thinks he is on a legitimate site. The user may then be the victim of misinformation or provide in good faith information requested on this site pirate. So, despite the presence of an SSL certificate, an attack is still possible and remains undetectable even for a relatively sophisticated user. The SSL certificate does not protect the Internet page effectively.

  Regarding these three types of attack, no tool is suitable to explicitly prevent the user that the site he is consulting may have been attacked.

  An object of the present invention is to remedy these drawbacks by proposing a method and a page analysis system for detecting a change of at least one parameter of said page concerning security risks such as the disfigurement of pages, the web phising, the spoofing URL for example. The method is characterized in that it comprises the following steps: at first, the application of a function to the authentic pages and the memorization of the first results thus obtained; 4 - in a second step, the application of said function to a supposed authentic page before it is displayed by the browser to obtain a second result; - the comparison of the second result of the supposedly authentic page with the first result of the corresponding authentic page to confirm the security risks of the supposed authentic page before its display.

  According to a particular embodiment, said function comprises a function of filtering the address of the pages to extract certain information from the address of the pages.

  Advantageously, said address filtering function of the pages extracts the fixed portions of the page addresses.

  Advantageously, said function comprises a function for processing the certificate of the pages.

  Advantageously, the warning signal to the user is a visual signal appearing on the display screen of said pages. Advantageously, the comparison and the warning signal only apply to certain pages marked as sensitive.

  Other objects, objects and features of the invention will become more apparent upon reading the following description with reference to the drawing in which: FIG. 1 shows a relational diagram of the various functional modules. According to the invention, a user manipulates a system enabling him to connect to an information system. In the preferred implementation of the invention, the user accesses the Internet network using a software commonly called browser. This software gives access to information pages and allows the user to browse these pages of information. These pages are characterized by parameters. These parameters are for example the content of the page, the address of the page, the security certificate associated with this page. This page is called authentic page when it is a page that comes from the real owner of the page. The page is characterized in part by its content. Thus the content of an Internet page is coded in HTML format. The method according to the invention is not related to the HTML format or to a particular type of network.

  The content of a page can include, in addition to the text, scripts (for example javascript), applications (or applets), tags (or marks). These different elements all have a well-defined function in a web page. The script, whose format can be, for example, of the form <script> ... </ script>, is a list of commands that allows the automation of a task. The applet, whose code is, for example of the form <applet> ... </ applet>, is a small application (for example developed in Java language) integrated into a page. The applet is independent of the operating system on which it runs. It can be useful, among other things, to scroll text in a defined area or display animations.

  JavaScript is a language that allows you to control the browser with functional wealth that does not allow HTML. Comments, whose code is <! - ->, are portions of the source code that are ignored that are not interpreted and are not necessary for program execution.

  The tags, whose code is <meta> ... </ meta>, are used to delimit data sets 20 contained in a web page and to structure them.

  When an Internet page is displayed on the system display screen, this page has a visual indicator to indicate information related to the page. This may be for example a thick line of color that takes the contours of the Internet page on the display screen. It may also be an icon whose color may vary depending on the nature of the information to be transmitted to the user. More generally, the indicator can be completely software (without requiring specific hardware 7) or coupled to a particular hardware (LED, access to a particular area of the screen via the driver of the graphics card etc.). In any case, it is important that this indicator is easily visible to the user.

  Internet pages are also characterized by an Internet address. This address usually starts with http: // www.

  A security system is sometimes associated with these Internet pages. This system comes in the form of an SSL certificate (Secure Socket Layers). This certificate is a unique, digital file that authenticates a website. SSL allows you to encrypt any information circulating on the Internet. In this case, the address of the Internet page is slightly modified and becomes https: // www .. The added s means security.

  FIG. 1 shows a device in which the html page 1, the internet address 2 and the certificate 3 are each connected to different functional modules.

  Typically, the function also called feature function uses information about the content of a page, its address and the certificate that can be associated with them. It also includes filtering modules 4 and 5 that extract only certain information from said content and address.

  In a preferred implementation of the invention: the content filtering module extracts the static portions of the contents of pages, ie it does not take into account the elements that correspond to the dynamic parts of the pages (typically scripts, applets, javascripts, comments and tags); the address filtering module extracts the static portions of the page addresses, ie it does not take into account the elements that correspond to the dynamic parts of the pages (typically the session numbers, the cookie names). in an Internet address, this dynamic part is located after a question mark).

  The page addresses (or the static part extracted by the address filtering module) can be converted into equivalent in ASCII code (American Standard Code for Information Interchange).

  The characteristic function also includes a function 6. This function has three properties. The first property is that the function is without collisions. Thus the application of the function to a pair of parameters makes it possible to obtain a result such that, if two results are identical, then the two pairs of input parameters 9 are also identical. In the same way, if two results are different, then the two pairs of input parameters are different. The second property is that the function is a one-way function.

  So when we have the result, we can not use this function to find the pair of input parameters that was used to get the result.

  Finally the third property is that the function produces a result also called condensed. This digest has a smaller size than the input parameters. This type of function is for example a hash function.

  This hashing function 6 can then be applied to all the information extracted from the pages (possibly filtered by said filtering modules and converted into ASCII code). Applying such a function makes it possible to obtain a digest 7 smaller than the input parameters of the function. Moreover, the hash functions have the advantage of being without collisions (if two results are different, then the input parameters are also). In the mathematical sense of the term, the function without collisions presents, in fact, a very strong resistance to collisions. The set of digests thus stored for different Internet pages constitutes a list which is stored for use when connecting to an Internet page.

  When a user is connected to the Internet, when the user views a so-called sensitive Internet page, the state of this page is automatically calculated using said characteristic function. This state is compared with the result corresponding to said page as stored in the list of digests stored on the user's site. If the comparison reveals a difference between the state that has just been calculated and the result stored, a warning signal is sent to the user. This may be for example an icon or an LED taking the color red. If the comparison does not reveal a difference between the state that has just been calculated and the result stored, then the visual indicator typically takes another appearance (eg green color) which means that the integrity of the Internet page is not questioned.

  In another embodiment, one can also introduce marks (or tags in the pages). These tags are indicators that locate the sensitive areas of the page exactly.

  Thus in the HTML language these tags can be realized by the insertion of the class attribute concerning HTML elements such as images, tables for example. The source code of the HTML page is then modified as follows: <table class = sensitive ...> ... </ table>. For example, if the HTML page includes a form that requires the entry of a PIN, then this form will typically be marked as sensitive. In this embodiment, the content filtering module extracts the sensitive portions marked by the tags.

  Regarding the insertion of these tags, the author of the website can realize them. A telecommunication operator can also introduce them. It can then be a service that the operator offers to the owners of the websites. Thus, the user of a mobile terminal can be provided a guarantee of security when browsing the Internet. In practice, the telecommunication operator can also pay for a service using a telephone with a visual indicator. The operator can provide the phone or only an application that installs on the mobile terminal 25 after its purchase by the user, without the latter having to change mobile terminal.

  The telecommunication operator may also propose to the owners of websites 30 to belong to a so-called trusted list. The various websites on this list are then automatically marked as sensitive and 12 therefore automatically benefit from the integrity check with the software installed on the mobile terminal of the user.

  The user of an Internet site obtains an additional guarantee when viewing a page or entering confidential data requested by a remote site.

Claims (3)

  1) A page analysis method for detecting a change of at least one parameter of said page concerning security risks, characterized in that it comprises the following steps: - firstly, the application of a function on the authentic pages and the memorization of the first results thus obtained; - In a second step, the application of said function to a supposed authentic page before it is displayed by the browser to obtain a second result; 15 - comparing the second result of the supposed authentic page with the first result of the corresponding authentic page to determine the security risks of the supposed authentic page before it is displayed. 20   2) A page analysis method according to the preceding claim, characterized in that the parameters of the page include the content of the page, the address of the page, the security certificate of the page.   3) A page analysis method according to claim 1 or 2, characterized in that said function comprises a function of filtering the content of said pages to extract certain information from the content of the pages.) Page analysis method according to the one of the preceding claims, characterized in that the method comprises an information step comprising a signal to warn the user about the security risks associated with the page. 5) A page analysis method according to one of the preceding claims, characterized in that the function comprises a one-way function, without collisions and which produces a condensed. 6) A page analysis method according to one of the preceding claims, characterized in that the function comprises a hash function. 7) A page analysis method according to claim 3 or one of claims 4 to 6 when dependent on claim 3, characterized in that said function for filtering the content of the pages extracts the static portions of the pages. 8) A page analysis method according to one of the preceding claims, characterized in that said function comprises a filtering function of the address of the pages to extract certain information from the address of the pages. 9) A page analysis method according to claim 8, characterized in that said address filtering function of the pages extracts the fixed portions of the page addresses.) The page analysis method according to one of the preceding claims, characterized in that said function includes a function for processing the certificate of the pages. 11) A page analysis method according to one of the preceding claims, characterized in that the method comprises a step of introducing specific mark in the pages and in that said function uses these marks to extract certain information pages. 12) A page analysis method according to one of the preceding claims, characterized in that the warning signal to the user is a visual signal appearing on the display screen of said pages. 13) A page analysis method according to one of the preceding claims, characterized in that the comparison and the warning signal only apply on certain pages marked as sensitive. 14) A page analysis system for providing the user with software for navigating pages of information on the authenticity of the content of said pages, characterized in that the system comprises means for executing the steps of the method according to one of the preceding claims. 5X16 15) System according to claim 14 characterized in that the system runs on a portable device. 16) System according to claim 14 or 15 characterized in that the system is made by an application installed on the portable device after acquisition by the user. 17) The system of claim 14, 15 or 16 characterized in that said pages are encoded in html format.