US20210083881A1 - Dynamically analyzing third-party application website certificates across users to detect malicious activity - Google Patents
- Publication number: US20210083881A1 (application US17/103,963)
- Authority: US (United States)
- Prior art keywords: party application, certificate, server, receiving, representation
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Abandoned
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION
  - H04L63/0823—Network security: authentication of entities using certificates
  - H04L63/0428—Network security: confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
  - H04L63/12—Network security: applying verification of the received information
  - H04L63/0272—Network security: virtual private networks
  - H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
  - H04L9/321—Entity or message authentication involving a third party or a trusted authority
  - H04L9/3263—Entity or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
  - H04L9/3268—Entity or message authentication using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/03—Protecting confidentiality, e.g. by encryption
  - H04W12/069—Authentication using certificates or pre-shared keys
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F21/33—User authentication using certificates
  - G06F21/44—Program or device authentication
  - G06F21/51—Monitoring users, programs or devices to maintain platform integrity at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  - G06F2221/2115—Indexing scheme relating to G06F21/00: third party
  - G06F2221/2119—Indexing scheme relating to G06F21/00: authenticating web pages, e.g. with suspicious links
Definitions
- the present disclosure generally relates to the field of software applications, and more specifically, to verification of third-party application websites.
- a malicious party can clandestinely provide a user with a modified version of a third-party application login page
- the malicious party may be able to obtain the user's username/password or other credentials, thereby obtaining access to the user's account on the third-party application.
- This problem is compounded if the user re-uses credentials on different services, so that the malicious third-party can (for example) also obtain access to a “master” service such as a single-sign on service that provides access to the user's account on numerous other applications, as well.
- FIG. 1 illustrates one embodiment of a computing environment in which users use web-based third-party applications, and in which a server provides a verification service to ensure that third-party applications accessed by the user are legitimate.
- FIG. 2A illustrates a sequence of interactions between client devices of users, verifier components on the client devices, third-party application sites, and the server, during a preliminary process of learning legitimate third-party application certificates, according to one embodiment.
- FIG. 2B illustrates a sequence of interactions between a user's client device, a verifier component on the client device, a third-party application site being accessed by the user, and the server, when authenticating the third-party application site, according to one embodiment.
- FIG. 3 is a high-level block diagram illustrating physical components of a computer used as part or all of the verification server, client device, or system providing the third-party application site, according to one embodiment.
- FIG. 1 illustrates one embodiment of a computing environment in which users use web-based third-party applications available to that organization, and in which a server provides a verification service to ensure that third-party applications accessed by the user are legitimate.
- the client devices 120 are, e.g., desktops, laptops, tablet computers, smartphones, or the like.
- the third-party application sites 110 are, e.g., SALESFORCE™, GOOGLE APPS™, or the like, and serve pages of the application such as pages for login to the application, for using functionality of the application, etc.
- the client devices 120 have a verifier component 125 that verifies the third-party application sites 110 , determining whether the certificates of the sites have been modified, and taking actions based on the result of the verification (e.g., permitting or blocking submission of user credentials via the web pages of the third-party applications).
- the verifier component 125 is authored by the organization responsible for the verification server 100 .
- the verifier component 125 is implemented as a browser plugin; in other embodiments in which the client device 120 has access to internet security data (e.g., TLS (Transport Layer Security) data), the verifier component is implemented as a security application that communicates with other applications.
- the verification server 100 performs verification of third-party applications on behalf of client devices using the third-party applications, as described below.
- the verification server 100 includes a certificate store 103 that stores representations of verified third-party application site certificates (e.g., X.509 or equivalent certificates) in association with an identifier of the third-party applications (e.g., their internet domains, such as www.salesforce.com).
- the certificate representations may differ in different embodiments.
- the certificate representations are hash values of the certificates of the third-party application sites 110 , as computed by a hash function such as SHA (Secure Hash Algorithm).
- the certificate representations are the original certificates themselves.
- the certificate store 103 may include multiple verified certificates for a given third-party application; this allows for the use of proxy servers,
- a certificate learning module 107 of the verification server 100 populates the certificate store 103 based on certificate representations received from the verifier components 125 of multiple client devices 120 .
- Obtaining the certificate representations from multiple client devices 120 allows the certificate learning module to identify genuine certificates and screen out tampered-with or otherwise spurious certificates, given that in most instances at most only a small minority of certificates provided to client devices 120 are spurious.
- the certificate learning module 107 may employ different learning techniques in different embodiments.
- the learning is rules-based, applying a predetermined rule, such as selecting (as the verified certificate representation for a given application) the certificate representation that is provided in at least some given percentage of instances (e.g., 95%), or at least some given number of times (e.g., 300 times), or the like.
- the certificate learning module 107 may be continuously run so as to keep knowledge of the certificates up-to-date, thereby accounting for changes in certificates over time.
- the verification server 100 further includes a verifier component 104 that verifies that a given third-party application 110 is legitimate, using the certificate store 103 .
- the verifier component 104 receives, from the verifier component 125 on the client device 120 , an identifier of the third-party application (e.g., its internet domain, such as www.salesforce.com) and a representation of the site certificate (e.g., an X.509 or equivalent certificate) that the third-party application site 110 presented to the client device.
- the verifier component 104 determines, for a given site certificate, whether a representation of the site certificate matches one of the verified site certificate representations already stored in the certificate store in association with the third-party application corresponding to the site certificate. In some embodiments, if there is no match, then the verifier component 104 determines that the third-party application is not verified.
- the verifier component 104 considers a given certificate to be verified if no verified certificate representations have yet been associated with the third-party application site 110 .
- the verification server 100 stores a set of trusted certificates (e.g., one set for each organization that uses the services of the verification server 100 , or one set for each user), and upon a request to verify the certificate of a third-party application site 110 , the verification server first checks whether the certificate is within the set of trusted certificates (e.g., for the current user, or the organization to which the current user belongs), and if so considers the certificate to be verified, only proceeding to check the certificates in the certificate store 103 if the certificate is not in the appropriate set of trusted certificates.
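The learning rule and the lookup order described in the passages above (consensus over client reports in module 107, then the trusted-set check before the certificate store 103 in verifier component 104), as an added example written for this page. It is not the patent holder's code: the class and method names are invented, the certificate representation is a SHA-256 digest of the DER bytes (one of the two representations the text allows), and the sample certificates are constructed byte strings rather than real X.509 data.

```python
"""Consensus learning of third-party site certificate representations and
verification against the learned store, with a per-organization trusted set
checked first.  Added example; names are invented, not the patent's."""
import hashlib
from collections import Counter, defaultdict


def fingerprint(cert_der: bytes) -> str:
    """Certificate representation: SHA-256 hex digest of the DER bytes
    (the text allows either a hash or the full certificate; a hash is used here)."""
    return hashlib.sha256(cert_der).hexdigest()


class CertificateStore:
    """Certificate store 103 together with the learning and lookup rules."""

    def __init__(self, min_fraction: float = 0.95, min_count: int = 300):
        # Rule thresholds quoted in the text: >= 95% of reports, or >= 300 reports.
        self.min_fraction = min_fraction
        self.min_count = min_count
        # domain -> Counter(fingerprint -> number of client reports)
        self.reports = defaultdict(Counter)
        # domain -> verified fingerprints (several allowed, e.g. behind proxies)
        self.verified = defaultdict(set)
        # organization -> fingerprints that organization explicitly trusts
        self.trusted = defaultdict(set)

    def report(self, domain: str, cert_der: bytes) -> None:
        """Verifier component 125 on a client reports the certificate it saw."""
        self.reports[domain][fingerprint(cert_der)] += 1

    def learn(self) -> dict:
        """Rule-based learning (module 107): a fingerprint becomes verified for a
        domain when it makes up at least min_fraction of that domain's reports or
        has been reported at least min_count times.  A spurious certificate seen
        by a small minority of clients satisfies neither rule.  Re-running this
        as reports arrive keeps the store current across certificate rotations."""
        for domain, counts in self.reports.items():
            total = sum(counts.values())
            for fp, n in counts.items():
                if n >= self.min_count or n / total >= self.min_fraction:
                    self.verified[domain].add(fp)
        return dict(self.verified)

    def trust(self, org: str, cert_der: bytes) -> None:
        """Add a certificate to an organization's trusted set."""
        self.trusted[org].add(fingerprint(cert_der))

    def verify(self, org: str, domain: str, cert_der: bytes):
        """Verifier component 104: the organization's trusted set is consulted
        first; only then is the learned store checked.  With no learned entries
        for the domain the certificate is accepted, as the text describes for
        that embodiment (a bootstrap window a deployment may choose to close)."""
        fp = fingerprint(cert_der)
        if fp in self.trusted.get(org, set()):
            return True, "trusted-set"
        known = self.verified.get(domain)
        if not known:
            return True, "no-verified-entries"
        if fp in known:
            return True, "store-match"
        return False, "store-mismatch"


if __name__ == "__main__":
    # Constructed demo: 97 clients see certificate A, 3 see a tampered B.
    store = CertificateStore()
    for _ in range(97):
        store.report("app.example", b"constructed-cert-A")
    for _ in range(3):
        store.report("app.example", b"constructed-cert-B")
    store.learn()
    print(store.verify("acme", "app.example", b"constructed-cert-A"))
    print(store.verify("acme", "app.example", b"constructed-cert-B"))
```

The count rule and the fraction rule are applied as alternatives, matching the "or the like" wording; a deployment would normally also require a minimum number of distinct reporting clients before the fraction rule applies, since a single report trivially satisfies it.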
- the verification server 100 (e.g., the user login module 108 described below), or the verifier component 125 of the client device 120 , takes additional security measures, in addition to (or possibly instead of) the certificate verification performed by the verifier components 104 and 125 .
- the verifier component 104 populates a threats database 109 based on prior certificate verification failures, identifying and storing a set of geolocations of client devices 120 for which certificate verification failed (e.g., within a particular recent timeframe, such as the past day).
- the verifier component 104 consults the threats database 109 , comparing the geolocation of the client device 120 requesting certificate verification with those geolocations in the threats database; if the geolocation is found in the threats database 109 (e.g., within a given recent timeframe), then the verification server 100 enforces more stringent security measures, such as requiring multifactor authentication (MFA) before permitting the user of the client device 120 to be logged into the third-party application site 110 from which the certificate came.
- the verification server 100 stores, for each organization or user, a configurable security policy based on which the verifier component 125 may modify its behavior. For example, if the security policy for an organization mandates certificates of at least a certain security level (e.g., those with sufficiently long key lengths, certain issuers, or certain cryptographic algorithms), then the verifier component 125 will not permit the user of the client device 120 to log into the third-party application site 110 associated with a certificate not meeting the given security level, regardless of whether the certificate would otherwise be successfully verified by the verifier component 104 .
- the verifier component 125 of the client device 120 takes actions in response to receiving a determination from the verifier component 104 of the server 100 of whether or not a given certificate is verified. For example, in some embodiments the verifier component 125 permits the client device 120 (e.g., a browser thereof) to submit credentials of the user to the third-party application site providing the certificate only if the certificate is determined to be verified; otherwise, the verifier component 125 does not permit the submission of such credentials, thereby protecting the credentials from possible theft or other misuse.
- Prevention of submission of credentials is accomplished in various ways in different embodiments, such as by modifying the document object model (DOM) of the login page of the third-party application site 110 , e.g., by adding an overlay to the elements of the page to prevent page interaction, or changing the textual inputs of the login page to be read-only and the login or other credential submission button to be disabled, and/or by intercepting any outgoing web requests corresponding to the pages of the site 110 .
- the actions upon failure to verify a certificate include initiating the use of a virtual private network (VPN) connection in order to mitigate risk.
- upon failure to verify a certificate, the verifier component 125 initiates a VPN connection for its client device 120 with a trusted server (e.g., the verification server 100 , or a server of the organization to which the user of the client device 120 belongs) and uses the VPN connection for communication with the third-party application sites 110 .
- the verifier component 125 may, upon failure to verify an application certificate, request establishment of a VPN connection and ensure that the VPN connection is active, communicate with the third-party application site 110 again, and if the certificate presented by the third-party application site 110 is verified, cease using the VPN connection for subsequent communications with the site 110 during that session.
- the actions of the verifier component 125 are determined using additional contextual data.
- the contextual data includes a location of the client device 120 at time of verification, such as a geolocation obtained from the client device itself (e.g., GPS coordinates) or derived from an IP address of the client device.
- the verifier component 125 identifies one or more location(s) associated with an organization to which the client device belongs (e.g., by consulting the organization-user database 101 ) and compares those locations to the location of the client device.
- the verification server 100 associates locations with organizations by monitoring locations from which client devices 120 associated with the various organizations have accessed the verification server 100 in the past.
- the contextual data includes a security level of the third-party application site 110 to which the client device 120 is logging in.
- the verification server 100 may store, for different third-party application sites 110 , an associated security level of that site, e.g., with each organization being able to specify its own security level for the sites 110 .
- the actions that the verifier component 125 takes are based upon the security level for the site 110 .
- for a site with a high security level, verification failure could lead the verifier component 125 to prevent the client device 120 from providing user credentials to the site 110 ; for a site with a low security level, the verifier component could allow user credentials to be provided to the site 110 , but just log associated data (e.g., certificate data, IP address, etc.) and/or notify an administrator of the organization of the verification failure.
- the contextual data includes the login successes of others within the organization of the client device 120 .
- the verification server 100 stores data about the verification attempts of various users and their organizations.
- the verifier component 125 determines (e.g., by consulting the verification server 100 ) whether other users of the same organization have had the certificate of that third-party application site 110 successfully verified by the verification server, e.g., within some recent past time window. If so, then the verifier component 125 notifies the user of the client device 120 that others within the same organization are having successful logins (which is a possible indication that the user is at a location encountering a man-in-the-middle attack).
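The response selection described across the passages above, as one added example: the threats database 109 of recent failures by geolocation that triggers an MFA step-up, the site security level that decides between blocking credentials and allow-and-log, the comparison of the device location with the organization's known locations, and the check whether peers in the same organization recently verified the same site. This is illustrative code written for this page, not the patent holder's implementation; the class names, the coarse location labels, the one-day window and the assumption that security levels are just "high" and "low" are all choices made here.

```python
"""Context-dependent response to a certificate verification result.
Added example; names, location labels and the two-level security scale are
assumptions made for this page, not taken from the patent."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class VerificationEvent:
    org: str
    user: str
    domain: str
    geolocation: str        # coarse constructed label such as "US-CA"
    verified: bool
    at: datetime


class ThreatsDatabase:
    """Threats database 109: verification outcomes with a recency window."""

    def __init__(self, window: timedelta = timedelta(days=1)):
        self.window = window
        self.events = []

    def record(self, event: VerificationEvent) -> None:
        self.events.append(event)

    def recent(self, now: datetime):
        # Only events inside the window (and not in the future) count.
        return [e for e in self.events if timedelta(0) <= now - e.at <= self.window]

    def failed_geolocations(self, now: datetime) -> set:
        return {e.geolocation for e in self.recent(now) if not e.verified}

    def peer_success(self, org: str, user: str, domain: str, now: datetime) -> bool:
        """Did another user of the same organization verify this site recently?"""
        return any(e.org == org and e.user != user and e.domain == domain
                   and e.verified for e in self.recent(now))


def decide(event: VerificationEvent, site_level: str, org_locations: set,
           db: ThreatsDatabase, now: datetime) -> dict:
    """Action for verifier component 125 plus step-ups and notices.
    The caller records `event` in the database after deciding, so the
    device's own result does not feed back into its geolocation check."""
    result = {"action": "allow", "require_mfa": False, "notify": []}
    # A geolocation with recent failures gets MFA even when this check passed.
    if event.geolocation in db.failed_geolocations(now):
        result["require_mfa"] = True
    if event.geolocation not in org_locations:
        result["notify"].append("device outside known organization locations")
    if event.verified:
        return result
    # Verification failed: the site's security level drives the response.
    if site_level == "high":
        result["action"] = "block-credentials"
    else:  # assumption: anything not "high" is treated as the low level
        result["action"] = "allow-and-log"
        result["notify"].append("admin: verification failure logged")
    if db.peer_success(event.org, event.user, event.domain, now):
        result["notify"].append(
            "user: peers in your organization verified this site; "
            "possible man-in-the-middle at your location")
    return result


if __name__ == "__main__":
    now = datetime(2021, 3, 18, 12, 0)
    db = ThreatsDatabase()
    # Constructed history: a peer succeeded two hours ago, another failed elsewhere.
    db.record(VerificationEvent("acme", "bob", "app.example", "US-CA", True, now - timedelta(hours=2)))
    db.record(VerificationEvent("acme", "carol", "app.example", "XX-1", False, now - timedelta(hours=3)))
    ev = VerificationEvent("acme", "alice", "app.example", "US-CA", False, now)
    print(decide(ev, "high", {"US-CA", "US-NY"}, db, now))
    db.record(ev)
```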
- the verification server 100 includes a statistics generator 105 that logs data on the certificates provided for third-party application sites 110 , and whether those certificates were determined by the verifier component 104 to be verified, and generates associated statistics. For example, in some embodiments the verification server 100 logs features corresponding to each certificate provided by the verifier component 125 to the server 100 , such as an identifier of the third-party application site (e.g., the domain name of its URL), the internet protocol (IP) address of the client device 120 , the location of the client device (e.g., a geolocation such as GPS coordinates, or a location derived from the IP address), and/or the current time, as well as whether the verifier component 104 determined that the certificate was verified. These logged features can then be used for purposes such as identifying factors correlated to inauthentic certificates, such as particular geolocations.
- the statistics generator 105 additionally stores information on the certificates that can be used to generate reports, e.g., on industry security trends.
- the statistics generator 105 can log certificate data such as cryptographic algorithms used, keylengths, root certificate authorities (CAs) used, the frequencies at which certificates change, and the like.
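The aggregation that the statistics generator 105 is described as performing over the logged features (site identifier, client IP address, location, time, verification outcome, plus certificate attributes), as an added example with constructed log records; the field names, the flagging thresholds and the sample data are assumptions made for this page, not the patent's. It surfaces geolocations correlated with failed verifications, with a minimum sample size so that one or two failures do not flag a location, and counts distinct certificates per domain as a rough measure of certificate change frequency.

```python
"""Aggregating logged certificate verification features.  Added example with
constructed records; field names and thresholds are assumptions for this page."""
from collections import Counter, defaultdict


def summarize(records, min_samples: int = 5, flag_ratio: float = 0.5) -> dict:
    """records: dicts with domain, client_ip, geolocation, time, fingerprint,
    verified, root_ca and key_bits.  Returns failure rates per geolocation,
    the geolocations flagged as correlated with failures, distinct-certificate
    counts per domain, and root CA / key length tallies."""
    geo = defaultdict(lambda: [0, 0])   # geolocation -> [failures, total]
    certs = defaultdict(set)            # domain -> distinct fingerprints
    cas, key_bits = Counter(), Counter()
    for r in records:
        geo[r["geolocation"]][1] += 1
        if not r["verified"]:
            geo[r["geolocation"]][0] += 1
        certs[r["domain"]].add(r["fingerprint"])
        cas[r["root_ca"]] += 1
        key_bits[r["key_bits"]] += 1
    rates = {g: f / t for g, (f, t) in geo.items()}
    # Flag only locations with enough samples and a high failure share.
    flagged = sorted(g for g, (f, t) in geo.items()
                     if t >= min_samples and f / t >= flag_ratio)
    return {
        "failure_rate_by_geolocation": rates,
        "flagged_geolocations": flagged,
        "distinct_certificates_by_domain": {d: len(s) for d, s in certs.items()},
        "root_ca_counts": dict(cas),
        "key_bits_counts": dict(key_bits),
    }


def _rec(domain, ip, geo, fp, verified, t, root_ca="Constructed Root CA", key_bits=2048):
    """Build one constructed log record (RFC 5737 documentation addresses)."""
    return {"domain": domain, "client_ip": ip, "geolocation": geo, "fingerprint": fp,
            "verified": verified, "time": t, "root_ca": root_ca, "key_bits": key_bits}


# Constructed sample: a clean location, a location with mostly failures, and a
# location with two failures but too few samples to flag.
SAMPLE_RECORDS = (
    [_rec("app.example", f"192.0.2.{i}", "US-CA", "fp-A", True, f"2021-03-18T09:{i:02d}")
     for i in range(6)]
    + [_rec("app.example", f"198.51.100.{i}", "XX-1", "fp-X", False, f"2021-03-18T10:{i:02d}",
            root_ca="Unknown Issuer", key_bits=1024) for i in range(4)]
    + [_rec("app.example", "198.51.100.9", "XX-1", "fp-A", True, "2021-03-18T10:09")]
    + [_rec("other.example", f"203.0.113.{i}", "XX-2", "fp-Y", False, f"2021-03-18T11:{i:02d}")
       for i in range(2)]
)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(key, value)
```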
- the verification server 100 , although depicted as a single logical system in FIG. 1 , may be implemented using a number of distinct physical systems and the connections between them, such as application servers, database servers, load-balancing servers, routers, and the like.
- the third-party applications 110 may be created by different application developers.
- the third-party applications 110 are typically hosted entirely or partially on a server(s) located at a remote location from the client devices 120 and made available via a network 140 , such as the Internet.
- the third-party application's user interface is implemented in HTML, or other web-based technology and is rendered within browsers of the client devices of the users, or within a custom application installed on the client devices.
- although the term “third-party application” is used herein because, for the typical organization, the majority of applications that a user uses are authored by different organizations, it is appreciated that the “third-party applications” could also include applications created and/or hosted by organizations employing users of the client devices 120 , or by an organization responsible for the verification server 100 .
- the network 140 may be any suitable communications network for data transmission.
- the network 140 uses standard communications technologies and/or protocols and can include the Internet.
- the entities use custom and/or dedicated data communications technologies.
- the verification server 100 provides services in addition to page verification.
- the verification server 100 provides single sign-on (SSO) services to users of the client devices 120 , recording the third-party application sites 110 that are available to each user and automating user sign-on for each of the user's third-party application sites.
- the server 100 has a user login module 108 that it uses to enable a user to log in to the server 100 (e.g., using username/password or other form of credentials, which may require multi-factor authentication), thereby establishing the identity of the user and (based on the identity of the user) the organization to which the user belongs.
- the server 100 additionally has an organization-user database 101 that describes properties of the different organizations to which the server 100 provides support, as well as properties of the users of those organizations.
- the database 101 stores at least, for each organization, a unique identifier of the organization, a list of unique user identifiers for the users of the organization, and unique identifiers of various third-party application sites 110 to which the organization—or groups within the organization, such as an “Accounting” group—provides access.
- the database 101 stores at least, for each user of the organization, one or more indicators of the third-party application sites 110 to which that user has access.
- the indicators may be direct indicators of the third-party application sites 110 (e.g., a unique identifier of an application), and/or indirect indicators, such as identifiers of organization groups to which the user belongs, where the database 101 further stores identifiers of the third-party applications to which the organization groups have access.
- the server 100 also has an application login database 102 that specifies, for each supported third-party application site 110, configuration data that specifies the manner in which the application expects login to proceed.
- the application login database 102 specifies, for each supported third-party application 110, an Assertion Consumer Service (ACS) URL to which a SAML assertion will be sent via HTTP POST, an identifier of an entity issuing the SAML request, and an identification of the audience for which the SAML assertion is intended.
- the data for a particular login flow might store a client identifier for the application 110, a client secret indicating how the application can exchange a token via a backchannel flow, metadata (e.g., application name and/or logo), and one or more redirect URLs to which to return after the user has successfully established a session with the server 100.
- the application login database 102 enables the server 100 to follow the format expected by the federated sign-on protocols employed when logging in a given user to each of the user's third-party applications 110 .
- the third-party application will provide the client identifier, a state, a nonce value, and OIDC arguments to specify the response type, and is returned a code that the application can exchange for a token to identify the user via a backchannel.
- the server 100 further includes a remote login service 106 that uses the application configuration data from the application login database 102 to communicate with third-party application sites 110 in order to facilitate the user login, transparently providing the users with access to the applications, even when the users are not already logged into the applications.
- the remote login service 106 initiates operations that effect the necessary steps for automatic SSO-based login of the user's client device 120 into the desired third-party application 110.
- the remote login service 106 can specify a series of HTTP redirect operations as needed to obtain and verify session or other security information via cookies, to transfer the request to the third-party application, etc.
- the user's client device 120 contacts the remote login service 106 as part of an attempt to log in to a third-party application site 110.
- FIG. 2A illustrates a sequence of interactions between client devices of users, verifier components on the client devices 120, third-party application sites, and the server, during a preliminary process of learning legitimate third-party application certificates, according to one embodiment.
- Client devices 120 request 205 pages of third-party application sites 110 by specifying the URLs of those pages. For example, in embodiments in which the server 100 provides SSO services, following successful login of the user to the server, the server may provide links to the third-party application sites 110 that a given user is allowed to access, and user selection of those links causes the user's client device 120 to request the corresponding sites' pages.
- the third-party application sites 110 provide 210 the requested pages. If the pages are secure (e.g., for a login page using HTTPS), the sites 110 also provide a certificate.
- the verifier component 125 sends corresponding certificate representations (e.g., the certificates themselves, or a hash such as SHA (Secure Hash Algorithm), or other fingerprint thereof) to the server 100, and an identifier of the application corresponding to the certificate (which may be part of the certificate itself).
- the certificate learning module 107 selects one or more of the certificate representations as verified certificate representations for the application and stores them in the certificate store 103.
- FIG. 2B illustrates a sequence of interactions between a user's client device, a monitoring component on the client device, a third-party application site being accessed by the user, and the server, when authenticating the third-party application site, according to one embodiment.
- a client device 120 requests 255 a page of a third-party application site, such as a login page including functionality for the submission of user credentials.
- the third-party application site provides 260 the requested page, and also a corresponding certificate.
- the verifier component 125 of the client device 120 sends 265 a representation of the certificate, and an identifier of the application corresponding to the certificate, to the server 100.
- the server 100 determines whether the certificate is verified, as described above with respect to the verifier component 104 of FIG. 1. If the certificate is verified, the server 100 notifies 275 the verifier component 125 of the verification. In turn, the verifier component accordingly permits 280 submission of user credentials to the third-party application site 110.
- the techniques described above provide a number of advantages over alternate possible approaches.
- When the certificate learning module 107 is continuously employed, the result is updating of certificate information in real time, thereby automatically accounting for changes in application certificates without depending on certificate issuers to provide valid certificates (which could lead to certificates being updated slowly, or not at all).
- When the server 100 has a large user base providing certificates—e.g., as in embodiments in which the server 100 provides SSO services to the users of many organizations—the learning of verified certificates tends to be prompt and accurate.
- FIG. 3 is a high-level block diagram illustrating physical components of a computer 300 used as part or all of the verification server 100, client device 120, or system providing the third-party application site 110, according to one embodiment. Illustrated are at least one processor 302 coupled to a chipset 304. Also coupled to the chipset 304 are a memory 306, a storage device 308, a graphics adapter 312, and a network adapter 316. A display 318 is coupled to the graphics adapter 312. In one embodiment, the functionality of the chipset 304 is provided by a memory controller hub 320 and an I/O controller hub 322. In another embodiment, the memory 306 is coupled directly to the processor 302 instead of the chipset 304.
- the storage device 308 is any non-transitory computer-readable storage medium, such as a hard drive, compact disk read-only memory (CD-ROM), DVD, or a solid-state memory device.
- the memory 306 holds instructions and data used by the processor 302 .
- the graphics adapter 312 displays images and other information on the display 318 .
- the network adapter 316 couples the computer 300 to a local or wide area network.
- a computer 300 can have different and/or other components than those shown in FIG. 3 .
- the computer 300 can lack certain illustrated components.
- a computer 300 acting as a server may lack a graphics adapter 312 and/or display 318, as well as a keyboard or pointing device.
- the storage device 308 can be local and/or remote from the computer 300 (such as embodied within a storage area network (SAN)).
- the computer 300 is adapted to execute computer program modules for providing functionality described herein.
- module refers to computer program logic utilized to provide the specified functionality.
- a module can be implemented in hardware, firmware, and/or software.
- program modules are stored on the storage device 308 , loaded into the memory 306 , and executed by the processor 302 .
- Embodiments of the entities described herein can include other and/or different modules than the ones described here.
- the functionality attributed to the modules can be performed by other or different modules in other embodiments.
- this description occasionally omits the term “module” for purposes of clarity and convenience.
- Certain aspects of the present invention include process steps and instructions described herein in the form of an algorithm. It should be noted that the process steps and instructions of the present invention could be embodied in software, firmware or hardware, and when embodied in software, could be downloaded to reside on and be operated from different platforms used by real time network operating systems.
- the present invention also relates to an apparatus for performing the operations herein.
- This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored on a computer readable medium that can be accessed by the computer.
- a computer program may be stored in a non-transitory computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of computer-readable storage medium suitable for storing electronic instructions, each coupled to a computer system bus.
- the computers referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.
- the present invention is well suited to a wide variety of computer network systems over numerous topologies.
- the configuration and management of large networks comprise storage devices and computers that are communicatively coupled to dissimilar computers and storage devices over a network, such as the Internet.
Description
- This application is a continuation of U.S. patent application Ser. No. 16/039,275, filed on Jul. 18, 2018 and entitled “Dynamically Analyzing Third-Party Application Website Certificates Across users to Detect Malicious Activity,” which in turn claims the benefit of Provisional Application No. 62/689,026, filed on Jun. 22, 2018, both of which are incorporated herein by reference.
- The present disclosure generally relates to the field of software applications, and more specifically, to verification of third-party application websites.
- Many software applications are made available in web-based form, with application functionality being made available via web pages obtained over computer networks. In such cases, there is a risk that the web pages may be tampered with, such as having pages substituted by a malicious party. Even where secure protocols such as HTTPS/TLS/SSL are employed, techniques such as man-in-the-middle attacks can still be used to inject spurious information ultimately leading to compromised user information.
- If, for example, a malicious party can clandestinely provide a user with a modified version of a third-party application login page, the malicious party may be able to obtain the user's username/password or other credentials, thereby obtaining access to the user's account on the third-party application. This problem is compounded if the user re-uses credentials on different services, so that the malicious third party can (for example) also obtain access to a “master” service such as a single sign-on service that provides access to the user's accounts on numerous other applications as well.
- FIG. 1 illustrates one embodiment of a computing environment in which users use web-based third-party applications, and in which a server provides a verification service to ensure that third-party applications accessed by the user are legitimate.
- FIG. 2A illustrates a sequence of interactions between client devices of users, verifier components on the client devices, third-party application sites, and the server, during a preliminary process of learning legitimate third-party application certificates, according to one embodiment.
- FIG. 2B illustrates a sequence of interactions between a user's client device, a verifier component on the client device, a third-party application site being accessed by the user, and the server, when authenticating the third-party application site, according to one embodiment.
- FIG. 3 is a high-level block diagram illustrating physical components of a computer used as part or all of the verification server, client device, or system providing the third-party application site, according to one embodiment.
- The figures depict embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.
- FIG. 1 illustrates one embodiment of a computing environment in which users of an organization use web-based third-party applications available to that organization, and in which a server provides a verification service to ensure that third-party applications accessed by the user are legitimate.
- Users use their client devices 120 (e.g., desktops, laptops, tablet computers, smartphones, or the like) to communicate directly or indirectly with third-party application sites 110 (e.g., SALESFORCE™, GOOGLE APPS™, or the like) to obtain pages of the application, such as for login to the application, for using functionality of the application, etc.
- The client devices 120 have a verifier component 125 that verifies the third-party application sites 110, determining whether the certificates of the sites have been modified, and taking responses based on the verification (e.g., permitting submission of user credentials via the web pages of the third-party applications). In some embodiments, the verifier component 125 is authored by the organization responsible for the verification server 100. In some embodiments, the verifier component 125 is implemented as a browser plugin; in other embodiments in which the client device 120 has access to internet security data (e.g., TLS (Transport Layer Security) data), the verifier component is implemented as a security application that communicates with other applications.
- The verification server 100 performs verification of third-party applications on behalf of client devices using the third-party applications, as described below.
- The verification server 100 includes a certificate store 103 that stores representations of verified third-party application site certificates (e.g., X.509 or equivalent certificates) in association with an identifier of the third-party applications (e.g., their internet domains, such as www.salesforce.com). The certificate representations may differ in different embodiments. For example, in some embodiments, the certificate representations are hash values of the certificates of the third-party application sites 110, as computed by a hash function such as SHA (Secure Hash Algorithm). In other embodiments, the certificate representations are the original certificates themselves. In some embodiments, the certificate store 103 may include multiple verified certificates for a given third-party application; this allows for the use of proxy servers,
- A certificate learning module 107 of the verification server 100 populates the certificate store 103 based on certificate representations received from the verifier components 125 of multiple client devices 120. Obtaining the certificate representations from multiple client devices 120 (which are typically located in different locations, operating at different times, etc.) allows the certificate learning module to identify genuine certificates and screen out tampered-with or otherwise spurious certificates, given that in most instances only a small minority of certificates provided to client devices 120 are spurious. The certificate learning module 107 may employ different learning techniques in different embodiments. For example, in some embodiments the learning is rules-based, applying a predetermined rule, such as selecting (as the verified certificate representation for a given application) the certificate representation that is provided in at least some given percentage of instances (e.g., 95%), or at least some given number of times (e.g., 300 times), or the like. The certificate learning module 107 may be continuously run so as to keep knowledge of the certificates up-to-date, thereby accounting for changes in certificates over time.
- The verification server 100 further includes a verifier component 104 that verifies that a given third-party application 110 is legitimate, using the certificate store 103. The verifier component 104 receives, from the verifier component 125 on the client device 120, an identifier of the third-party application and a representation of the certificate presented by the third-party application site 110. (The identifier of the third-party application may be included within the certificate itself, such as an X.509 subject name field, or it may be separate, such as the domain name portion of a URL of the third-party application site 110.) The verifier component 104 determines, for a given site certificate, whether a representation of the site certificate matches one of the verified site certificate representations already stored in the certificate store in association with the third-party application corresponding to the site certificate. In some embodiments, if there is no match, then the verifier component 104 determines that the third-party application is not verified. In other embodiments, to accommodate situations in which the certificate learning module 107 has obtained too few certificates for the particular third-party application site 110 to be able to learn a verified certificate for that third-party application site, the verifier component 104 considers a given certificate to be verified if no verified certificate representations have yet been associated with the third-party application site 110.
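The certificate store 103, the rules-based certificate learning module 107 and the verifier component 104 described above, together with the FIG. 2A learning flow summarized earlier, as an added example. This is illustration code written for this page, not the patent's or any product's implementation. The 95% and 300-report thresholds are the ones the description names; the `MIN_SAMPLE` floor (so that a single early report cannot satisfy the percentage rule), the SHA-256 fingerprint and the class and function names are assumptions.

```python
"""Added example: certificate store, rules-based learning and server-side verification.
Illustration only; thresholds other than 95% / 300 are assumptions."""
from __future__ import annotations

import hashlib
from collections import Counter, defaultdict

MIN_FRACTION = 0.95   # "provided in at least some given percentage of instances"
MIN_COUNT = 300       # "or at least some given number of times"
MIN_SAMPLE = 20       # assumption: do not apply the percentage rule to tiny samples


def certificate_representation(cert_der: bytes) -> str:
    """Representation sent by the verifier component 125: SHA-256 over the
    certificate's DER bytes (the description also allows the raw certificate)."""
    return hashlib.sha256(cert_der).hexdigest()


class CertificateStore:
    """Verified certificate representations keyed by application identifier."""

    def __init__(self) -> None:
        self.verified: dict[str, set[str]] = defaultdict(set)

    def verified_for(self, app_id: str) -> set[str]:
        return self.verified.get(app_id, set())


class CertificateLearningModule:
    """Tallies representations reported by many client devices and promotes a
    representation to 'verified' once it meets either threshold. It never
    demotes: a rotated certificate is learned alongside the old one."""

    def __init__(self, store: CertificateStore) -> None:
        self.store = store
        self.reports: dict[str, Counter] = defaultdict(Counter)

    def report(self, app_id: str, rep: str) -> None:
        self.reports[app_id][rep] += 1
        self._relearn(app_id)

    def _relearn(self, app_id: str) -> None:
        counts = self.reports[app_id]
        total = sum(counts.values())
        for rep, n in counts.items():
            by_count = n >= MIN_COUNT
            by_fraction = total >= MIN_SAMPLE and n / total >= MIN_FRACTION
            if by_count or by_fraction:
                self.store.verified[app_id].add(rep)


def verify(store: CertificateStore, app_id: str, rep: str) -> bool:
    """Server-side check (verifier component 104)."""
    known = store.verified_for(app_id)
    if not known:
        # Embodiment in which too few certificates have been learned yet:
        # treat the certificate as verified rather than blocking every login.
        return True
    return rep in known


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: 40 clients report the genuine certificate, one
    client reports a tampered one, and a never-seen application is queried."""
    store = CertificateStore()
    learner = CertificateLearningModule(store)
    genuine = certificate_representation(b"constructed DER: genuine cert for app.example")
    tampered = certificate_representation(b"constructed DER: tampered cert for app.example")
    for _ in range(40):
        learner.report("app.example", genuine)
    learner.report("app.example", tampered)
    return (
        verify(store, "app.example", genuine),      # True: learned as verified
        verify(store, "app.example", tampered),     # False: minority report
        verify(store, "unknown.example", genuine),  # True: nothing learned yet
    )


if __name__ == "__main__":
    print(demo())
```

The "nothing learned yet, so verified" fallback is the weak spot of this embodiment: until an application crosses a threshold, a tampered certificate passes. The `MIN_SAMPLE` floor narrows the window in which a handful of early reports could define the verified set.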
- In some embodiments, the verification server 100 stores a set of trusted certificates (e.g., one set for each organization that uses the services of the verification server 100, or one set for each user), and upon a request to verify the certificate of a third-party application site 110, the verification server first checks whether the certificate is within the set of trusted certificates (e.g., for the current user, or the organization to which the current user belongs), and if so considers the certificate to be verified, only proceeding to check the certificates in the certificate store 103 if the certificate is not in the appropriate set of trusted certificates.
- In some embodiments, the verification server 100 (e.g., the user login module 108 described below), or the verifier component 125 of the client device 120, takes additional security measures, in addition to (or possibly instead of) the certificate verification performed by the verifier components 104 and 125. As one example, in some embodiments the verifier component 104 populates a threats database 109 based on prior certificate verification failures, identifying and storing a set of geolocations of client devices 120 for which certificate verification failed (e.g., within a particular recent timeframe, such as the past day). The verifier component 104 consults the threats database 109, comparing the geolocation of the client device 120 requesting certificate verification with those geolocations in the threats database; if the geolocation is found in the threats database 109 (e.g., within a given recent timeframe), then the verification server 100 enforces more stringent security measures, such as requiring multifactor authentication (MFA) before permitting the user of the client device 120 to be logged into the third-party application site 110 from which the certificate came.
- As a second example, in some embodiments the verification server 100 stores, for each organization or user, a configurable security policy based on which the verifier component 125 may modify its behavior. For example, if the security policy for an organization mandates certificates of at least a certain security level (e.g., those with sufficiently long key lengths, certain issuers, or certain cryptographic algorithms), then the verifier component 125 will not permit the user of the client device 120 to be logged into the third-party application site 110 associated with a certificate not meeting the given security level, regardless of whether the certificate would otherwise be successfully verified by the verifier component 104.
- The verifier component 125 of the client device 120 takes actions in response to receiving a determination from the verifier component 104 of the server 100 of whether or not a given certificate is verified. For example, in some embodiments the verifier component 125 permits the client device 120 (e.g., a browser thereof) to submit credentials of the user to the third-party application site providing the certificate only if the certificate is determined to be verified; otherwise, the verifier component 125 does not permit the submission of such credentials, thereby protecting the credentials from possible theft or other misuse. Prevention of submission of credentials is accomplished in various ways in different embodiments, such as by modifying the document object model (DOM) of the login page of the third-party application site 110, e.g., by adding an overlay to the elements of the page to prevent page interaction, or changing the textual inputs of the login page to be read-only and the login or other credential submission button to be disabled, and/or by intercepting any outgoing web requests corresponding to the pages of the site 110. In some embodiments, the actions upon failure to verify a certificate include initiating the use of a virtual private network (VPN) connection in order to mitigate risk. More specifically, upon failure to verify a certificate the verifier component 125 initiates a VPN connection for its client 120 with a trusted server (e.g., the verification server 100, or a server of the organization to which the user of the client device 120 belongs) and uses the VPN connection for communication with the third-party application sites 110.
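The threats database 109, the per-organization security policy and the credential gate described in the preceding paragraphs, as an added example. It is illustration code written for this page, not the patent's implementation. The one-day window is the example timeframe the description gives; the 0.1-degree geolocation rounding, the 2048-bit key floor, the allowed-algorithm names and the `login_decision` outcomes are assumptions.

```python
"""Added example: threats database, organization security policy and the
login decision that combines them with the verification result.
Illustration only; the window, rounding and policy defaults are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

THREAT_WINDOW = timedelta(days=1)   # "within a particular recent timeframe, such as the past day"


def geo_key(lat: float, lon: float) -> tuple[float, float]:
    """Assumption: geolocations are compared at 0.1 degree granularity so
    that GPS jitter does not defeat the lookup."""
    return (round(lat, 1), round(lon, 1))


class ThreatsDatabase:
    """Geolocations from which certificate verification recently failed."""

    def __init__(self) -> None:
        self._failures: list[tuple[tuple[float, float], datetime]] = []

    def record_failure(self, lat: float, lon: float, when: datetime) -> None:
        self._failures.append((geo_key(lat, lon), when))

    def recently_failed_at(self, lat: float, lon: float, now: datetime) -> bool:
        cutoff = now - THREAT_WINDOW
        key = geo_key(lat, lon)
        return any(k == key and t >= cutoff for k, t in self._failures)


@dataclass(frozen=True)
class CertificateFacts:
    """Fields the verifier component would read from the site's X.509 certificate."""
    key_bits: int
    issuer: str
    signature_algorithm: str


@dataclass(frozen=True)
class SecurityPolicy:
    """Organization policy: minimum key length, allowed issuers and algorithms."""
    min_key_bits: int = 2048
    allowed_issuers: frozenset[str] = frozenset()            # empty: any issuer
    allowed_algorithms: frozenset[str] = frozenset(
        {"sha256WithRSAEncryption", "ecdsa-with-SHA256"})

    def permits(self, facts: CertificateFacts) -> bool:
        if facts.key_bits < self.min_key_bits:
            return False
        if self.allowed_issuers and facts.issuer not in self.allowed_issuers:
            return False
        return facts.signature_algorithm in self.allowed_algorithms


def login_decision(verified: bool, policy: SecurityPolicy, facts: CertificateFacts,
                   threats: ThreatsDatabase, lat: float, lon: float,
                   now: datetime) -> str:
    """Returns "deny", "require_mfa" or "allow".

    Policy is checked first: a certificate below the organization's security
    level is rejected regardless of whether it verified. A verified certificate
    from a recently flagged geolocation still triggers stronger authentication."""
    if not policy.permits(facts):
        return "deny"
    if not verified:
        return "deny"
    if threats.recently_failed_at(lat, lon, now):
        return "require_mfa"
    return "allow"


def demo() -> list[str]:
    """Constructed scenario: one failure six hours ago in one city, one stale
    failure elsewhere, then four login attempts."""
    now = datetime(2018, 6, 22, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    threats = ThreatsDatabase()
    threats.record_failure(37.78, -122.42, now - timedelta(hours=6))  # flagged
    threats.record_failure(51.51, -0.13, now - timedelta(days=3))     # too old to count
    policy = SecurityPolicy(allowed_issuers=frozenset({"Example Root CA"}))
    good = CertificateFacts(2048, "Example Root CA", "sha256WithRSAEncryption")
    weak = CertificateFacts(1024, "Example Root CA", "sha1WithRSAEncryption")
    return [
        login_decision(True, policy, good, threats, 37.78, -122.42, now),  # require_mfa
        login_decision(True, policy, good, threats, 51.51, -0.13, now),    # allow
        login_decision(True, policy, weak, threats, 51.51, -0.13, now),    # deny (policy)
        login_decision(False, policy, good, threats, 40.71, -74.01, now),  # deny (unverified)
    ]


if __name__ == "__main__":
    print(demo())
```

The ordering in `login_decision` matters: the description says the policy check overrides a successful verification, so it runs first, and the threats lookup only adds friction (MFA) to logins that would otherwise be allowed.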
- To do so, the verifier component 125 may, upon failure to verify an application certificate, request establishment of a VPN connection and ensure that the VPN connection is active, communicate with the third-party application site 110 again, and if the certificate presented by the third-party application site 110 is verified, cease using the VPN connection for subsequent communications with the site 110 during that session.
- In some embodiments, the actions of the verifier component 125 are determined using additional contextual data. As one example, in some embodiments the contextual data includes a location of the client device 120 at the time of verification, such as a geolocation obtained from the client device itself (e.g., GPS coordinates) or derived from an IP address of the client device. Upon failure to verify a certificate of a third-party application site 110, the verifier component 125 identifies one or more location(s) associated with an organization to which the client device belongs (e.g., by consulting the organization-user database 101) and compares those locations to the location of the client device. If the location of the client device 120 corresponds to any of the identified locations of the associated organization, then the client device is presumably within the network of the organization, in which a man-in-the-middle proxy may legitimately be in use; accordingly, in such cases the actions of the verifier component 125 upon verification failure can be, for example, to provide a warning to a user of the client device about the verification failure but to nonetheless permit the client device to submit user credentials to the third-party application 110. In some embodiments, the verification server 100 associates locations with organizations by monitoring locations from which client devices 120 associated with the various organizations have accessed the verification server 100 in the past.
- As another example, in some embodiments the contextual data includes a security level of the third-party application site 110 to which the client device 120 is logging in. For example, the verification server 100 may store, for different third-party application sites 110, an associated security level of that site, e.g., with each organization being able to specify its own security level for the sites 110. Upon failure to verify the certificate of an application site 110, the actions that the verifier component 125 takes are based upon the security level for the site 110. For example, for a site with a high security level, failure could lead the verifier component 125 to prevent the client device 120 from providing user credentials to the site 110; for a site with a low security level, the verifier component could allow user credentials to be provided to the site 110, but just log associated data (e.g., certificate data, IP address, etc.) and/or notify an administrator of the organization of the verification failure.
- As another example, in some embodiments the contextual data includes the login successes of others within the organization of the client device 120. For example, in some embodiments the verification server 100 stores data about the verification attempts of various users and their organizations. Upon failure to verify the certificate of a particular third-party application site 110 for a particular user of a particular organization, the verifier component 125 determines (e.g., by consulting the verification server 100) whether other users of the same organization have had the certificate of that third-party application site 110 successfully verified by the verification server, e.g., within some recent past time window. If so, then the verifier component 125 notifies the user of the client device 120 that others within the same organization are having successful logins (which is a possible indication that the user is at a location encountering a man-in-the-middle attack).
- In some embodiments, the verification server 100 includes a statistics generator 105 that logs data on the certificates provided for third-party application sites 110, and whether those certificates were determined by the verifier component 104 to be verified, and generates associated statistics. For example, in some embodiments the verification server 100 logs features corresponding to each certificate provided by the verifier component 125 to the server 100, such as an identifier of the third-party application site (e.g., the domain name of its URL), the internet protocol (IP) address of the client device 120, the location of the client device (e.g., a geolocation such as GPS coordinates, or a location derived from the IP address), and/or the current time, as well as whether the verifier component 104 determined that the certificate was verified. These logged features can then be used for purposes such as identifying factors correlated to inauthentic certificates, such as particular geolocations.
- In some embodiments, the statistics generator 105 additionally stores information on the certificates that can be used to generate reports, e.g., on industry security trends. For example, the statistics generator 105 can log certificate data such as cryptographic algorithms used, key lengths, root certificate authorities (CAs) used, the frequencies at which certificates change, and the like.
- Note that the
verification server 100, although depicted as a single logical system in FIG. 1, may be implemented using a number of distinct physical systems and the connections between them, such as application servers, database servers, load-balancing servers, routers, and the like.
- The third-party applications 110 may be created by different application developers. The third-party applications 110 are typically hosted entirely or partially on a server(s) located at a remote location from the client devices 120 and made available via a network 140, such as the Internet. In one embodiment, the third-party application's user interface is implemented in HTML or other web-based technology and is rendered within browsers of the client devices of the users, or within a custom application installed on the client devices. Although the term “third-party application” is used herein since for the typical organization the majority of applications that a user uses are authored by different organizations, it is appreciated that the “third-party applications” could also include applications created and/or hosted by organizations employing users of the client devices 120, or an organization responsible for the verification server 100.
- The network 140 may be any suitable communications network for data transmission. In an embodiment such as that illustrated in FIG. 1, the network 140 uses standard communications technologies and/or protocols and can include the Internet. In another embodiment, the entities use custom and/or dedicated data communications technologies.
- In some embodiments, the verification server 100 provides services in addition to page verification. For example, in one embodiment the verification server 100 provides single sign-on (SSO) services to users of the client devices 120, recording the third-party application sites 110 that are available to each user and automating user sign-on for each of the user's third-party application sites. In such embodiments, the server 100 has a user login module 108 that it uses to enable a user to log in to the server 100 (e.g., using username/password or other form of credentials, which may require multi-factor authentication), thereby establishing the identity of the user and (based on the identity of the user) the organization to which the user belongs.
- In embodiments in which the server 100 provides SSO services, the server 100 additionally has an organization-user database 101 that describes properties of the different organizations to which the server 100 provides support, as well as properties of the users of those organizations. For example, in one embodiment, the database 101 stores at least, for each organization, a unique identifier of the organization, a list of unique user identifiers for the users of the organization, and unique identifiers of various third-party application sites 110 to which the organization—or groups within the organization, such as an “Accounting” group—provides access. Similarly, the database 101 stores at least, for each user of the organization, one or more indicators of the third-party application sites 110 to which that user has access. The indicators may be direct indicators of the third-party application sites 110 (e.g., a unique identifier of an application), and/or indirect indicators, such as identifiers of organization groups to which the user belongs, where the database 101 further stores identifiers of the third-party applications to which the organization groups have access.
- In embodiments in which the server 100 provides SSO services, the server 100 also has an application login database 102 that specifies, for each supported third-party application site 110, configuration data that specifies the manner in which the application expects login to proceed. For example, in one embodiment in which the Security Assertion Markup Language (SAML) is used, the application login database 102 specifies, for each supported third-party application 110, an Assertion Consumer Service (ACS) URL to which a SAML assertion will be sent via HTTP POST, an identifier of an entity issuing the SAML request, and an identification of the audience for which the SAML assertion is intended. As another example, in an embodiment in which OpenID Connect (OIDC) is employed, the data for a particular login flow might store a client identifier for the application 110, a client secret indicating how the application can exchange a token via a backchannel flow, metadata (e.g., application name and/or logo), and one or more redirect URLs to which to return after the user has successfully established a session with the server 100. The application login database 102 enables the server 100 to follow the format expected by the federated sign-on protocols employed when logging in a given user to each of the user's third-party applications 110. For example, in the case of OIDC, during the flow the third-party application will provide the client identifier, a state, a nonce value, and OIDC arguments to specify the response type, and is returned a code that the application can exchange for a token to identify the user via a backchannel.
- In embodiments in which the server 100 provides SSO services, the server 100 further includes a remote login service 106 that uses the application configuration data from the application login database 102 to communicate with third-party application sites 110 in order to facilitate the user login, transparently providing the users with access to the applications, even when the users are not already logged into the applications. The remote login service 106 initiates operations that effect the necessary steps for automatic SSO-based login of the user's client device 120 into the desired third-party application 110. For example, the remote login service 106 can specify a series of HTTP redirect operations as needed to obtain and verify session or other security information via cookies, to transfer the request to the third-party application, etc.
- The user's client device 120 contacts the remote login service 106 as part of an attempt to log in to a third-party application site 110. For example, a browser of the user's client device 120 may display a web-based user interface produced by the server 100 as a result of the user logging into the server and showing icons or other visual indications of the third-party applications 110 to which the user's organization has granted the user access; when the user clicks on or otherwise selects one of the visual indications, the browser of the client device 120 requests content for a URL of the remote login service 106 (e.g., http://login.server.com/login?app=myapp.com/login, where login.server.com is a domain of the server 100, and myapp.com/login corresponds to the third-party application 110).
FIG. 2A illustrates a sequence of interactions between client devices of users, verifier components on theclient devices 120, third-party application sites, and the server, during a preliminary process of learning legitimate third-party application certificates, according to one embodiment. -
Client devices 120request 205 pages of third-party application sites 110 by specifying the URLs of those pages. For example, in embodiments in which theserver 100 provides SSO services, following successful login of the user to the server the server may provide links to the third-party application sites 110 that a given user is allowed to access, and user selection of those links cause the user'sclient device 120 to request the corresponding sites' pages. - In response to the requests, the third-
party application sites 110 provide 210 the requested pages. If the pages are secure (e.g., for a login page using HTTPS), thesites 110 also provide a certificate. - The
verifier component 125 sends corresponding certificate representations (e.g., the certificates themselves, or a hash such as SHA (Secure Hash Algorithm), or other fingerprint thereof) to theserver 100, and an identifier of the application corresponding to the certificate (which may be part of the certificate itself). - After a sufficient number of certificate representations have been received for a given application, the
certificate learning module 107 selects one or more of the certificate representations as verified certificate representations for the application and stores them in thecertificate store 103. -
FIG. 2B illustrates a sequence of interactions between a user's client device, a monitoring component on the client device, a third-party application site being accessed by the user, and the server, when authenticating the third-party application site, according to one embodiment. - A
client device 120 requests 255 a page of a third-party application site, such as a login page including functionality for the submission of user credentials. - In response, the third-party application site provides 260 the requested page, and also a corresponding certificate.
- The
verifier component 125 of theclient device 120 sends 265 a representation of the certificate, and an identifier of the application corresponding to the certificate, to theserver 100. Theserver 100 determines whether the certificate is verified, as described above with respect to theverifier component 104 ofFIG. 1 . If the certificate is verified, theserver 100 notifies 275 theverifier component 125 of the verification. In turn, the verifier component accordingly permits 280 submission of user credentials to the third-party application site 110. - The techniques described above provide a number of advantages over alternate possible approaches. When the
certificate learning module 107 is continuously employed, the result is updating of certificate information in real-time, thereby automatically accounting for changes in application certificates without depending on certificate issuers to provide valid certificates (which could lead to certificates being updated slowly, or not at all). When theserver 100 has a large user base providing certificates—e.g., as in embodiments in which theserver 100 provides SSO services to the users of many organizations—the learning of verified certificates tends to be prompt and accurate. -
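The learning process of FIG. 2A and the verification flow of FIG. 2B, as an added worked example that is not part of the patent text: the certificate learning module and certificate store are modelled as one class, certificate representations are SHA-256 fingerprints, and the promotion rule (a fingerprint becomes verified once a threshold number of distinct users have reported it for the same application) is an assumption, since the page only says "a sufficient number". The sample certificate bytes are constructed placeholders, not real DER.

```python
import hashlib
from collections import defaultdict

# Assumed policy (not stated on the page): a certificate representation becomes
# "verified" once this many DISTINCT users have reported it for the same application.
LEARNING_THRESHOLD = 3


def certificate_representation(cert_der: bytes) -> str:
    """What the verifier component 125 sends: a SHA-256 fingerprint of the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


class CertificateLearner:
    """Server-side certificate learning module 107 together with certificate store 103."""

    def __init__(self, threshold: int = LEARNING_THRESHOLD) -> None:
        self.threshold = threshold
        # reports[app_id][fingerprint] -> set of user ids that reported it (FIG. 2A)
        self.reports = defaultdict(lambda: defaultdict(set))
        # certificate store 103: app_id -> fingerprints selected as verified
        self.certificate_store = defaultdict(set)

    def report(self, app_id: str, fingerprint: str, user_id: str) -> bool:
        """FIG. 2A: record one verifier report and promote the fingerprint once enough
        distinct users agree on it. Returns True if the fingerprint is now verified."""
        self.reports[app_id][fingerprint].add(user_id)
        if len(self.reports[app_id][fingerprint]) >= self.threshold:
            self.certificate_store[app_id].add(fingerprint)
        return fingerprint in self.certificate_store[app_id]

    def verify(self, app_id: str, fingerprint: str) -> bool:
        """FIG. 2B: is this representation a verified one for this application?"""
        return fingerprint in self.certificate_store[app_id]


def permit_credential_submission(learner: CertificateLearner, app_id: str, cert_der: bytes) -> bool:
    """Client-side decision of verifier component 125 (steps 265-280): credentials may be
    submitted only if the server confirms that the presented certificate is verified."""
    return learner.verify(app_id, certificate_representation(cert_der))


if __name__ == "__main__":
    # Constructed sample inputs; real inputs would be the DER bytes from the TLS handshake.
    legit_cert = b"CONSTRUCTED-CERT-myapp.com-current"
    unexpected_cert = b"CONSTRUCTED-CERT-myapp.com-seen-by-one-user"
    learner = CertificateLearner()
    for user in ("alice", "bob", "carol"):
        learner.report("myapp.com", certificate_representation(legit_cert), user)
    # A certificate that only a single user ever sees never reaches the threshold,
    # so it is not promoted and credential submission to it stays blocked.
    learner.report("myapp.com", certificate_representation(unexpected_cert), "dave")
    print(permit_credential_submission(learner, "myapp.com", legit_cert))       # True
    print(permit_credential_submission(learner, "myapp.com", unexpected_cert))  # False
```

Because the store is keyed by application identifier, a fingerprint learned for one application does not verify a different application, which is what keeps a legitimately learned certificate from being accepted on a page it was never reported for.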
- FIG. 3 is a high-level block diagram illustrating physical components of a computer 300 used as part or all of the verification server 100, client device 120, or system providing the third-party application site 110, according to one embodiment. Illustrated are at least one processor 302 coupled to a chipset 304. Also coupled to the chipset 304 are a memory 306, a storage device 308, a graphics adapter 312, and a network adapter 316. A display 318 is coupled to the graphics adapter 312. In one embodiment, the functionality of the chipset 304 is provided by a memory controller hub 320 and an I/O controller hub 322. In another embodiment, the memory 306 is coupled directly to the processor 302 instead of the chipset 304.
- The storage device 308 is any non-transitory computer-readable storage medium, such as a hard drive, compact disk read-only memory (CD-ROM), DVD, or a solid-state memory device. The memory 306 holds instructions and data used by the processor 302. The graphics adapter 312 displays images and other information on the display 318. The network adapter 316 couples the computer 300 to a local or wide area network.
- As is known in the art, a computer 300 can have different and/or other components than those shown in FIG. 3. In addition, the computer 300 can lack certain illustrated components. In one embodiment, a computer 300 acting as a server may lack a graphics adapter 312, and/or display 318, as well as a keyboard or pointing device. Moreover, the storage device 308 can be local and/or remote from the computer 300 (such as embodied within a storage area network (SAN)).
- As is known in the art, the computer 300 is adapted to execute computer program modules for providing functionality described herein. As used herein, the term “module” refers to computer program logic utilized to provide the specified functionality. Thus, a module can be implemented in hardware, firmware, and/or software. In one embodiment, program modules are stored on the storage device 308, loaded into the memory 306, and executed by the processor 302.
- Embodiments of the entities described herein can include other and/or different modules than the ones described here. In addition, the functionality attributed to the modules can be performed by other or different modules in other embodiments. Moreover, this description occasionally omits the term “module” for purposes of clarity and convenience.
- The present invention has been described in particular detail with respect to one possible embodiment. Those of skill in the art will appreciate that the invention may be practiced in other embodiments. First, the particular naming of the components and variables, capitalization of terms, the attributes, data structures, or any other programming or structural aspect is not mandatory or significant, and the mechanisms that implement the invention or its features may have different names, formats, or protocols. Also, the particular division of functionality between the various system components described herein is merely for purposes of example, and is not mandatory; functions performed by a single system component may instead be performed by multiple components, and functions performed by multiple components may instead be performed by a single component.
- Some portions of the above description present the features of the present invention in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. These operations, while described functionally or logically, are understood to be implemented by computer programs. Furthermore, it has also proven convenient at times, to refer to these arrangements of operations as modules or by functional names, without loss of generality.
- Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as “determining” or “displaying” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system memories or registers or other such information storage, transmission or display devices.
- Certain aspects of the present invention include process steps and instructions described herein in the form of an algorithm. It should be noted that the process steps and instructions of the present invention could be embodied in software, firmware or hardware, and when embodied in software, could be downloaded to reside on and be operated from different platforms used by real time network operating systems.
- The present invention also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored on a computer readable medium that can be accessed by the computer. Such a computer program may be stored in a non-transitory computer readable storage medium, such as, but is not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of computer-readable storage medium suitable for storing electronic instructions, and each coupled to a computer system bus. Furthermore, the computers referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.
- The algorithms and operations presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may also be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will be apparent to those of skill in the art, along with equivalent variations. In addition, the present invention is not described with reference to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any references to specific languages are provided for purposes of enablement and best mode of the present invention.
- The present invention is well suited to a wide variety of computer network systems over numerous topologies. Within this field, the configuration and management of large networks comprise storage devices and computers that are communicatively coupled to dissimilar computers and storage devices over a network, such as the Internet.
- Finally, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the claims.
Claims (13)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/103,963 US20210083881A1 (en) | 2018-06-22 | 2020-11-25 | Dynamically analyzing third-party application website certificates across users to detect malicious activity |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201862689026P | 2018-06-22 | 2018-06-22 | |
US16/039,275 US10999080B2 (en) | 2018-06-22 | 2018-07-18 | Dynamically analyzing third-party application website certificates across users to detect malicious activity |
US17/103,963 US20210083881A1 (en) | 2018-06-22 | 2020-11-25 | Dynamically analyzing third-party application website certificates across users to detect malicious activity |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/039,275 Continuation US10999080B2 (en) | 2018-06-22 | 2018-07-18 | Dynamically analyzing third-party application website certificates across users to detect malicious activity |
Publications (1)
Publication Number | Publication Date |
---|---|
US20210083881A1 true US20210083881A1 (en) | 2021-03-18 |
Family
ID=68980862
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/039,275 Active 2039-01-21 US10999080B2 (en) | 2018-06-22 | 2018-07-18 | Dynamically analyzing third-party application website certificates across users to detect malicious activity |
US17/103,963 Abandoned US20210083881A1 (en) | 2018-06-22 | 2020-11-25 | Dynamically analyzing third-party application website certificates across users to detect malicious activity |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/039,275 Active 2039-01-21 US10999080B2 (en) | 2018-06-22 | 2018-07-18 | Dynamically analyzing third-party application website certificates across users to detect malicious activity |
Country Status (4)
Country | Link |
---|---|
US (2) | US10999080B2 (en) |
EP (1) | EP3811256A4 (en) |
AU (1) | AU2019289064A1 (en) |
WO (1) | WO2019245734A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10834131B2 (en) * | 2017-11-28 | 2020-11-10 | Forcepoint Llc | Proactive transport layer security identity verification |
US20220247748A1 (en) * | 2019-09-24 | 2022-08-04 | Pribit Technology, Inc. | System For Remote Execution Code-Based Node Control Flow Management, And Method Therefor |
WO2021060859A1 (en) * | 2019-09-24 | 2021-04-01 | 프라이빗테크놀로지 주식회사 | System for authenticating and controlling network access of terminal, and method therefor |
CN115001765B (en) * | 2022-05-24 | 2024-08-06 | 北京得间科技有限公司 | Page resource loading and verifying method and computing device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090037997A1 (en) * | 2007-07-31 | 2009-02-05 | Paul Agbabian | Method for detecting dns redirects or fraudulent local certificates for ssl sites in pharming/phishing schemes by remote validation and using a credential manager and recorded certificate attributes |
US20100275024A1 (en) * | 2008-04-07 | 2010-10-28 | Melih Abdulhayoglu | Method and system for displaying verification information indicators on a non-secure website |
US20150180908A1 (en) * | 2011-10-17 | 2015-06-25 | Mcafee, Inc. | System and method for whitelisting applications in a mobile network environment |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090240936A1 (en) | 2008-03-20 | 2009-09-24 | Mark Lambiase | System and method for storing client-side certificate credentials |
US8875285B2 (en) | 2010-03-24 | 2014-10-28 | Microsoft Corporation | Executable code validation in a web browser |
US9087187B1 (en) | 2012-10-08 | 2015-07-21 | Amazon Technologies, Inc. | Unique credentials verification |
US9077546B1 (en) * | 2012-11-27 | 2015-07-07 | Symantec Corporation | Two factor validation and security response of SSL certificates |
US9736154B2 (en) | 2014-09-16 | 2017-08-15 | Nok Nok Labs, Inc. | System and method for integrating an authentication service within a network architecture |
US9686081B2 (en) * | 2015-07-01 | 2017-06-20 | Cisco Technology, Inc. | Detecting compromised certificate authority |
US10536449B2 (en) * | 2015-09-15 | 2020-01-14 | Mimecast Services Ltd. | User login credential warning system |
- 2018
  - 2018-07-18 US US16/039,275 patent/US10999080B2/en active Active
- 2019
  - 2019-06-05 AU AU2019289064A patent/AU2019289064A1/en active Pending
  - 2019-06-05 EP EP19822375.2A patent/EP3811256A4/en not_active Withdrawn
  - 2019-06-05 WO PCT/US2019/035471 patent/WO2019245734A1/en unknown
- 2020
  - 2020-11-25 US US17/103,963 patent/US20210083881A1/en not_active Abandoned
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090037997A1 (en) * | 2007-07-31 | 2009-02-05 | Paul Agbabian | Method for detecting dns redirects or fraudulent local certificates for ssl sites in pharming/phishing schemes by remote validation and using a credential manager and recorded certificate attributes |
US20100275024A1 (en) * | 2008-04-07 | 2010-10-28 | Melih Abdulhayoglu | Method and system for displaying verification information indicators on a non-secure website |
US20150180908A1 (en) * | 2011-10-17 | 2015-06-25 | Mcafee, Inc. | System and method for whitelisting applications in a mobile network environment |
Also Published As
Publication number | Publication date |
---|---|
EP3811256A4 (en) | 2022-03-16 |
WO2019245734A1 (en) | 2019-12-26 |
US10999080B2 (en) | 2021-05-04 |
EP3811256A1 (en) | 2021-04-28 |
US20190394049A1 (en) | 2019-12-26 |
AU2019289064A1 (en) | 2021-02-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10979398B2 (en) | Systems and methods for protecting network devices by a firewall | |
US20210083881A1 (en) | Dynamically analyzing third-party application website certificates across users to detect malicious activity | |
US9548976B2 (en) | Facilitating single sign-on to software applications | |
US20190173865A1 (en) | Systems and methods for location-based authentication | |
AU2016318602B2 (en) | Secured user credential management | |
US20150188779A1 (en) | Split-application infrastructure | |
US20220217133A1 (en) | Browser Extension for Validating Communications | |
US10470040B2 (en) | Secure single sign-on to software applications | |
EP3488589B1 (en) | Login proxy for third-party applications | |
CN113341798A (en) | Method, system, device, equipment and storage medium for remotely accessing application | |
US20200059466A1 (en) | Phishing attack prevention for oauth applications | |
US20230177132A1 (en) | Flexibly obtaining device posture signals in multi-tenant authentication system | |
US20220247578A1 (en) | Attestation of device management within authentication flow |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STPP | Information on status: patent application and granting procedure in general | Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED |
| AS | Assignment | Owner name: OKTA, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HARTWIG, MARCUS;FANEK, SAMER;BELOTE, THOMAS;SIGNING DATES FROM 20180904 TO 20180924;REEL/FRAME:057099/0195 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |