SI24434A - A system of granting web trust seals with the detection of attacks by redirecting of ip address - Google Patents
- Publication number: SI24434A (application SI201300194A)
- Authority: SI (Slovenia)
- Prior art keywords: certificate, address, token, server, recipient
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2119—Authenticating web pages, e.g. with suspicious links
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The system for granting web trust seals with detection of IP address redirection attacks provides website visitors with additional security. Web seals with detection of IP address redirection attacks (pharming) solve the problem of detecting an attack on a website carried out with pharming, IP spoofing or DNS spoofing techniques, which in essence falsify the IP address of the website at a given web domain, e.g. 'www.moja domena.si'. In such a case the attacker sets up a copy of the website at a different IP address and, by redirection, causes requests for the web pages to arrive at the fake server. The invention allows the visitor of such a website to be informed immediately of the irregularity/attack: the web seal is displayed as unverified, or disappears entirely because the attacker has removed it.
Description
SYSTEM FOR GRANTING WEB TRUST SEALS WITH DETECTION OF IP ADDRESS REDIRECTION ATTACKS
The invention relates to the field of security of Internet use from the point of view of the end user, the visitor of web pages.
The subject of the invention is a system for granting web trust seals and a procedure for verifying the authenticity of trust seals on web pages, by which granted trust certificates are usually displayed.
Visitors A to websites are increasingly often victims of online fraud. A large share of online fraud uses fake websites that are copies of the original pages of some provider. To protect websites and establish their authenticity, several providers are available, so-called issuers of trust certificates B, who by granting a certificate vouch for the authenticity of the page or of the website as a whole. The recipient of such a certificate C publishes a seal on its pages, most often in the form of an image E. Because seal images are very easy to copy, technologically more advanced issuers serve them from the issuer's server, and the seals contain a link back to the issuer's server. Through such a link the visitor can, by clicking the seal, verify the authenticity of the seal and of the page as a whole.
More advanced systems can check the name of the website (domain) from which the request to display the seal originates. In this way the certification system can in many cases detect copying of websites bearing a seal, because the seal is simply requested from the wrong server.
More advanced kinds of attacks, however, keep the server name on the copy and falsify the server's IP address so that it points to the fake web page. In such a case the basic detection by server name fails. Attacks of this kind on websites are known under the names 'pharming', 'DNS spoofing' and 'IP spoofing'.
There are quite a few patents dealing with the detection of 'pharming', 'DNS spoofing' and 'IP spoofing' attacks, but none of them covers detection through a web certificate-issuing service.
Patent US 2008/0060054 A1 addresses the detection of a pharming attack on the basis of queries over two different infrastructures originating from the client workstation. The proposed patent starts the check of the correctness of the IP address with a request from the server that is potentially under attack, which makes the method substantially different.
Patent US 2008/0055928 A1 addresses the detection of a pharming attack on the basis of a so-called 'white list' of domains and their associated valid IP addresses. The present system also uses a so-called 'white list', but its use is somewhat different.
Patent US 2009/0208020 A1 addresses the detection of a pharming attack through software on the client side, a so-called password manager.
With the system and procedure according to the invention, the certification system can also detect attacks of this kind and take appropriate action, e.g. inform the visitor of an unverified trust seal by changing the seal accordingly.
The website visitor thereby gains additional security. A website protected in this way will always show the state 'unverified', even in cases where the visitor's computer has been 'infected' with a virus that redirects the IP address of a particular domain.
No similar solutions are known to the applicant.
The invention can be applied in any website certification system that meets the following conditions:
- three entities take part in the system: the certificate issuer B, the certificate recipient C and the visitor A of the website of certificate recipient C;
- the certificate issuer B has the technology (web server and web application) that checks the requests of visitor A's web browser for display of the seal D. The seal need not be an image, although that is the most common form; it can also be an audio or other record that a human can perceive and recognise;
- the certificate recipient C has a website on which it has published the seal according to the instructions 1a of the certificate issuer B;
- the display of the seal is requested from the server of the certificate issuer B, which also checks whether the display request is legitimate.
The invention is illustrated by the following figures:
Figure 1: schematic view of a system for certifying websites with trust certificates, including the participating entities and data transactions.
Figure 2: flow chart of the verification of the authenticity of a trust seal, including the check of the correctness of the IP address of the website of certificate recipient C.
Figure 3: symbolic representation of the trust seal.
Viewing web pages begins with a page request 2a, initiated by visitor A on their workstation using a web browser.
The server of the requested page responds with the content of the web page 2b. If the requested page belongs to the certificate recipient C and is equipped with a seal according to the instructions 1a of the certificate issuer B, visitor A's browser continues with a request for display of the seal 2c to the server of the certificate issuer B. The server of the certificate issuer B responds with the seal content 2d, which visitor A's browser then displays or plays.
Independently of the above procedure, according to the invention the trust certificate recipient C must also install on the website program code that periodically requests (1b) a data token T from the server of the certificate issuer B. The certificate issuer B answers this request with a response 1c containing a valid data token T, which is stored locally on the server and used for sending to visitors who request to view the web page 2a. The data token T is sent together with the requested web page content 2b, e.g. in the form of a so-called 'cookie' or in another suitable way.
Once the web page is fully displayed in visitor A's browser, the browser can start verifying the authenticity of the seal and consequently of the whole page, so that visitor A is protected from possible abuse. For this purpose it sends a seal display request 2c to the certificate issuer B. The data token T, received together with the web page content 2b from the certificate recipient C, is attached to the seal display request 2c. On the basis of such a request the certificate issuer B can check whether the request came for the right domain and also whether that domain is at the right IP address.
After the verification illustrated in Figure 2, the certificate issuer B returns the trust seal in the form corresponding to the verification result, i.e. 'verified' D or 'unverified' E, as Figure 3 symbolically shows in one variant.
Verification takes place in three steps. First it is checked whether the token T is present at all in the seal display request 2c. In the next step it is checked whether the token T is valid, which is determined from the expected format of the token T and the content of the record. The validity of the token T is limited in time, which is also recorded in the token content.
In the last step the validity of the IP address of the server of certificate recipient C is checked. The content of the token T also includes:
- the unique identifier of the certificate recipient C,
- the unique identifier of the domain for which the certificate is valid,
- the IP address of the server of certificate recipient C from which the request 1b for the token T was made.
The IP address from the token T is compared with the valid IP addresses of the domain on which the certificate recipient C displays its web pages. The list of valid IP addresses (white-list) is registered by the certificate recipient C.
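As an added illustration of the issuer B side (example code, not the patent's own), the following Python sketch assumes the token T is an HMAC-signed JSON record and uses a constructed stand-in for database 3; it shows response 1c (issuing T stamped with the IP address of request 1b) and the three-step check applied to a seal display request 2c.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for issuer B's database 3: per protected domain, the
# recipient's identifier and the white-list of valid server IP addresses.
DATABASE_3 = {
    "www.example.si": {"recipient": "C-0001",
                       "white_list": {"203.0.113.10", "203.0.113.11"}},
}
ISSUER_KEY = b"constructed-secret-of-issuer-B"  # assumption: B signs tokens with HMAC
TOKEN_TTL = 3600  # assumption: token T stays valid for one hour


def issue_token(domain, requester_ip, now, key=ISSUER_KEY, ttl=TOKEN_TTL):
    """Response 1c to the periodic request 1b from recipient C's server.
    The token binds the recipient id, the domain, the IP address request 1b
    came from, and an expiry time; an HMAC protects its integrity."""
    payload = {
        "rcpt": DATABASE_3[domain]["recipient"],
        "domain": domain,
        "ip": requester_ip,
        "exp": now + ttl,
    }
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_seal_request(domain, token, now, key=ISSUER_KEY):
    """Check a seal display request 2c for `domain` carrying `token`.
    Returns ("verified", None) or ("unverified", reason); the result decides
    whether seal D or seal E is returned to the visitor's browser (2d)."""
    # Step 1: is the token present at all? A plain copy of the page without
    # the refresh program sends no token.
    if not token:
        return "unverified", "token missing"
    # Step 2: expected format, untampered content and validity period.
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "unverified", "token tampered"
        payload = json.loads(base64.urlsafe_b64decode(body))
        rcpt, tok_domain, ip, exp = (payload["rcpt"], payload["domain"],
                                     payload["ip"], int(payload["exp"]))
    except (ValueError, KeyError, TypeError, AttributeError):
        return "unverified", "token malformed"
    if now > exp:
        return "unverified", "token expired"  # a replayed old token lapses
    entry = DATABASE_3.get(domain)
    if entry is None or tok_domain != domain or rcpt != entry["recipient"]:
        return "unverified", "domain mismatch"
    # Step 3: the server that fetched the token (request 1b) must be on the
    # domain's white-list. A copy of the site served from another address
    # receives a token stamped with that address and fails here.
    if ip not in entry["white_list"]:
        return "unverified", "ip not on white-list"
    return "verified", None


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    genuine = issue_token("www.example.si", "203.0.113.10", now)
    print(verify_seal_request("www.example.si", genuine, now + 60))
    # Constructed pharming scenario: the copied site at 198.51.100.7 refreshes
    # its own token from B, so the token carries a non-white-listed address.
    copied = issue_token("www.example.si", "198.51.100.7", now)
    print(verify_seal_request("www.example.si", copied, now + 60))
```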
For the protection system to work, the certificate issuer B must meet a few prerequisites:
- the trust certificate issuer B must have a suitable server, software and database 3 that enable the transactions described;
- the certificate issuer B must register/record in database 3 the certificate recipient C, its web domains that are to be protected, and the list of valid IP addresses for each domain (white-list);
- the certificate recipient C must install on the domain to which the trust certificate belongs the seal program and the token T refresh program of the certificate issuer B, in accordance with the instructions 1a.
Claims (6)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SI201300194A SI24434A (en) | 2013-07-17 | 2013-07-17 | A system of granting web trust seals with the detection of attacks by redirecting of ip address |
PCT/SI2014/000036 WO2015009247A1 (en) | 2013-07-17 | 2014-06-10 | System for granting web trust seals with detection of ip-address redirection attacks |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SI201300194A SI24434A (en) | 2013-07-17 | 2013-07-17 | A system of granting web trust seals with the detection of attacks by redirecting of ip address |
Publications (1)
Publication Number | Publication Date |
---|---|
SI24434A true SI24434A (en) | 2015-01-30 |
Family ID: 51492420
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
SI201300194A SI24434A (en) | 2013-07-17 | 2013-07-17 | A system of granting web trust seals with the detection of attacks by redirecting of ip address |
Country Status (2)
Country | Link |
---|---|
SI (1) | SI24434A (en) |
WO (1) | WO2015009247A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11295301B1 (en) * | 2017-12-15 | 2022-04-05 | Worldpay, Llc | Systems and methods for electronic certification of e-commerce security badges |
CN110995848B (en) * | 2019-12-10 | 2022-09-06 | 京东科技信息技术有限公司 | Service management method, device, system, electronic equipment and storage medium |
US11032270B1 (en) | 2020-04-07 | 2021-06-08 | Cyberark Software Ltd. | Secure provisioning and validation of access tokens in network environments |
EP3687139B1 (en) * | 2020-04-07 | 2023-09-06 | CyberArk Software Ltd. | Secure provisioning and validation of access tokens in network environments |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090043765A1 (en) * | 2004-08-20 | 2009-02-12 | Rhoderick John Kennedy Pugh | Server authentication |
JP4245014B2 (en) | 2006-08-09 | 2009-03-25 | ソニー株式会社 | Backlight device, light source device, lens, electronic device and light guide plate |
US20080060054A1 (en) | 2006-09-05 | 2008-03-06 | Srivastava Manoj K | Method and system for dns-based anti-pharming |
US8397279B2 (en) * | 2006-09-07 | 2013-03-12 | Fazal Raheman | Method and system of network integrity via digital authorization (NIDA) for enhanced internet security |
US20090208020A1 (en) | 2008-02-15 | 2009-08-20 | Amiram Grynberg | Methods for Protecting from Pharming and Spyware Using an Enhanced Password Manager |
SI23779A (en) * | 2011-06-28 | 2012-12-31 | Connet D.O.O. | Web seals with the signature of the website's visitor |
- 2013-07-17 SI SI201300194A patent/SI24434A/en not_active IP Right Cessation
- 2014-06-10 WO PCT/SI2014/000036 patent/WO2015009247A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2015009247A1 (en) | 2015-01-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Li et al. | Analysing the Security of Google’s implementation of OpenID Connect | |
US8843516B2 (en) | Internet security | |
US9241004B1 (en) | Alteration of web documents for protection against web-injection attacks | |
Johns et al. | RequestRodeo: Client side protection against session riding | |
EP3095225B1 (en) | Redirect to inspection proxy using single-sign-on bootstrapping | |
Richer | Oauth 2.0 token introspection | |
JP5598828B2 (en) | Software signing certificate reputation model | |
US20050268100A1 (en) | System and method for authenticating entities to users | |
Mao et al. | Defeating cross-site request forgery attacks with browser-enforced authenticity protection | |
US8667294B2 (en) | Apparatus and method for preventing falsification of client screen | |
Boniface et al. | Security analysis of subject access request procedures: How to authenticate data subjects safely when they request for their data | |
US8904521B2 (en) | Client-side prevention of cross-site request forgeries | |
JP2022545627A (en) | Decentralized data authentication | |
US9521138B2 (en) | System for domain control validation | |
US9178888B2 (en) | Method for domain control validation | |
US20070061734A1 (en) | Method for establishing trust online | |
CN102355469A (en) | Method for displaying credibility certification for website in address bar of browser | |
SI24434A (en) | A system of granting web trust seals with the detection of attacks by redirecting of ip address | |
CN102255894A (en) | Website information verification method, system and resolution server | |
TWI397297B (en) | Method and system for enabling access to a web service provider through login based badges embedded in a third party site | |
KR100956452B1 (en) | A method for protecting from phishing attack | |
US20090094456A1 (en) | Method for protection against adulteration of web pages | |
JP6444344B2 (en) | Authentication server, mediation server, and advertisement distribution server | |
SI23779A (en) | Web seals with the signature of the website's visitor | |
CN105635322B (en) | A kind of Verification System and authentication method based on image signatures verifying number of website real |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| OO00 | Grant of patent | Effective date: 20150209 |
| KO00 | Lapse of patent | Effective date: 20180320 |