Website fingerprinting

Website Fingerprinting is a technology that captures identity parameters of a website to develop a unique fingerprint. This fingerprint is unique to every website and can be used to define its identity.
Introduction
A web user today has a trillion web pages asking for his attention every time he is online with thousands of websites being added each day. Owing to the decentralized nature of issuance of domain names and the low cost of web hosting, it has become extremely simple for anyone to buy a domain name and host a website on his own. This has also meant that anyone can use the web to create a fraudulent website with content and URL’s stolen from existing genuine websites.
Most web users look to the site domain name and the look and feel of the content to establish the identity of the website. There is no central authority that validates the content before giving out the domain name. Therefore www.indiangovernment.com could easily be used to host malicious content.
By the time authorities catch such a website and take action, customers and businesses would have already lost enormous sums of money. It therefore becomes critical for every website to have a unique digital identity on the web.
Server Side Digital certificates - are they effective?
Digital certificates use a public private key pair to track the identity of domain names (not websites). They have been the standard security feature used by banking websites. There are however several issues with the process and have been a subject of much debate.
The foremost issue with digital certificates is that a web user is clueless about what needs to be checked in the certificate. All he can see is that the website uses a digital certificate. But rarely does he check if the certificate indeed belongs to the entity, because the entity never ever communicates what certificate they are using! It is quite possible to duplicate the content of an existing website and get a valid digital certificate issued.
Secondly there are multiple Certificate Authorities offering certificates and several of them are resellers who do not have the requisite processes to check the identity of the site. In fact some of the certificate authorities hand out free certificates. It is impossible to regulate certificate authorities and resellers to conduct checks on the domain and content before handing out certificates.
Lastly, what is the accountability of the Certificate Authority towards web users? Moreover, the browsers do not recognize any of the certification authorities as approved by the Government of India. Can a victim of identity theft take a certificate authority to task in case of error in issuance? Certificate authorities are mostly private enterprises based in the US and bear no liability towards online identity theft.
Counterfeiting digital identities
The URL, content and certificate are weak identifiers since all these can be spoofed to create duplicate websites. Let’s look at how fraudsters create a counterfeit website.
1.They buy a domain name (if required an obfuscated one - that is, one that is very similar to the original domain name).
2.Copy the content from the ORIGINAL website (and change it if required) and, if required,
3.They buy a certificate from say VERISIGN (!) with some domain name, host it at some server,
You now have a fake website whose URL can be distributed over emails (which is the least secure communication medium). If the end-users have NO means to authenticate these three fundamental identifiers only luck can save them! The above discussion undisputedly proves that the three primary identifiers - WEBSITE URL, CONTENT and (optionally) PKI based CERTIFICATE are incomplete as identifiers, as the user has NO a priori knowledge about them. There is no central authority where they can go and check this out. And lastly, these can be easily duplicated - leaving the user at the mercy of the fraudsters who use this knowledge to their benefits, by sending fraudulent emails with links of similar looking websites.
Identity necessarily needs a priori knowledge (identity data) with the verifier. In the absence of such a priori knowledge how can the verifier authenticate the identity is any body's guess. For example - login password or fingerprints etc have to be set first in order to be used as an identity. In case of websites, what do they set with (provide) the user which the user can use to identify the website? Also, any such data that is provided to the user a apriori, should be unique and difficult to duplicate.
In case of server side digital certificates, the user visiting the website is never informed about the certificate by the entity (say a bank) that has bought this certificate. Without any such a apriori knowledge about the certificate, how can server side certicates be used to define the identity of the website? Just because the browser is able to check the validity of the certificate? That it was issued by a valid certification authority, has not expired, and the domain name is the same that the browser is trying to connect to? What if the domain name itself is wrong? What if the certificate has been bought by the fraudster? Unless the user is provided with the apriori knowledge about the public key of the certificate, and the user is able to match it against the one the browser has extracted during the SSL handshake - how can the user identify the website? Server side digital certificates at best provide an encrypted channel, however, one could have an encrypted channel with the fraudster as well, based on a very legitimate server side digital certificate!
Website fingerprints
Website Fingerprinting works this way,
1. Generate website fingerprints: The identity parameters of a website are used to generate a unique fingerprint for each website. The fingerprint for each website is unique and cannot be copied by a third party.

2. Creation of a website fingerprint database: The site fingerprints are stored in a central database. this database is used by legal website owners to prove its identity to its customers.
3. Customer tool for matching fingerprints: The customers are given a browser plug-in which allows them to verify the fingerprint for a trusted website and alerts them if they are on a fake website.
The process of authenticating the fingerprints is based on a secure protocol that mutually authenticates the website without transfer of data.
Benefits

Website owners
•Better monitoring: Incase www.xyz.com notices that content from his website has been duplicated on another website and his brand is being utilized for commercial purposes or otherwise, he can report the incident and use his registration with the NWIR to prove his case.
•Reducing loss of traffic: He/She can ask his customers to watch for the green band to make sure they are on the correct website, thus preventing loss of traffic.
•Lower cost of monitoring: The website owner can also be alerted whenever the user does not see a green band indicating that he may be on a phishing website, who can then report it to NWIR. The time to track down a phishing website and ban the same can be dramatically reduced with this technology.
•Better trust: Customers would feel more secure in transacting online if the web environment is secure. This would eventually benefit the website in terms of more business.
Web users
•Better web security: Web users can now add websites they trust to their safe list and watch for a green band every time they are on a trusted website. This practice can effectively eliminate all forms of phishing which essentially rely on an unsuspecting user giving up his login and passwords.
•Legal recourse: In case a victim falls to an online identity theft, he can rely on a history of no green bands with the website signatures captured and stored locally to figure out the phishing websites he/she may have visited. This history can be used as a legal document to prove that he was indeed a victim of online identity theft - which is currently almost impossible.
The role of the government
Ideally governments should have initiated such a project before allowing companies to set-up websites especially those involved in financial transaction. If there already is a shop act to start a shop or a company act to start a company, there must have been some legal framework to ensure that the companies comply with registering the identity of their websites with the government agency before going online. A central agency would have the authority to give legal sanction to websites, capture and store their identity, thus making it easier for the customers to differentiate between authentic and fake (duplicate) websites.
<references/>http://trusite.rel-id.com/research.php<references/>
 
< Prev   Next >