WO2003044641A1 - Improvements in and relating to web site authentication - Google Patents

Improvements in and relating to web site authentication

Publication number
WO2003044641A1
Authority
WO
WIPO (PCT)
Prior art keywords
web site
entity
password
verifying
incorporated
Prior art date
Application number
PCT/GB2002/005138
Other languages
French (fr)
Inventor
Melih Abdulhayoglu
Original Assignee
Comodo Research Lab Limited
Priority date
Filing date
Publication date
Application filed by Comodo Research Lab Limited
Priority to AU2002347303A
Publication of WO2003044641A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links

Abstract

There is disclosed a method of verifying an entity is associated with a web site, the method comprising the steps of: transmitting a password to the entity; and inspecting the web site to determine if the password has been incorporated into the web site. There is also disclosed a method of verifying an entity is associated with a web site, the method comprising the steps of: the entity receiving a password from a verifying authority; and the entity incorporating the password into the web site such that it can be inspected by said verifying authority. A computer program for carrying them out is also disclosed.

Description

IMPROVEMENTS IN AND RELATING TO WEB SITE AUTHENTICATION
Field of the Invention
The present invention relates to methods of verifying an entity is associated with a web site and to computer programs therefor.
Background of the Invention
In recent years, there has been an explosion in the amount of information available on the World Wide Web, a hypertext system for publishing information on the Internet. World wide web documents (web pages) are typically document files coded using HTML (hypertext markup language) to include text and graphics; in some instances additional software may be utilised to include enhanced animation, video, sound and interactivity.
Associated with every page is a URL (uniform resource locator), a unique address which tells a browser program (e.g. Netscape or Microsoft Explorer) the web page location. The majority of web pages contain hypertext links, enabling readers to navigate to related subject areas. Interlinked or nested web pages belonging to a single organisation are known as a web site.
The expansion of the World Wide Web has led to a huge increase in the number of web sites that originate from both trustworthy and untrustworthy sources. Untrustworthy sources can provide the reader with inappropriate information e.g. pornographic material. The web sites of untrustworthy sources may be arranged to request information from readers and to subsequently misuse this information. For instance, a large growth area is in e-commerce, in which commercial transactions between individuals and/or companies take place by utilising the web. Typically, for such transactions to occur, sensitive information (e.g. bank account or credit card details) will be provided by an individual or a company to a web site. Provision of such information to a web site run by an untrustworthy individual or company is obviously undesirable.
Trust authorities (also known as certification authorities) exist, such authorities being able to provide information as to whether or not they consider a web site to be trustworthy.
It is an aim of preferred embodiments of the present invention to provide an authentication technique, which such trust authorities or others could utilise to determine whether an entity is indeed associated with a web site that the entity asserts they are associated with.
Statement of the Invention
In a first aspect, the present invention provides a method of verifying an entity is associated with a web site, the method comprising the steps of: transmitting a password to the entity; and inspecting the web site to determine if the password has been incorporated into the web site. Preferably, the method further comprises the step of publishing, on a web page or otherwise, an indication that the entity is associated with said web site if said inspection determines that the password has been incorporated into the web site.
Preferably, the method further comprises the step of publishing, on a web page or otherwise, an indication that the entity is not associated with a web site if said inspection determines that the password has not been incorporated into the web site.
Preferably, the method further comprises the steps of: receiving information from said entity that the entity would like to have associated with said web site; and only treating the information as being associated with said web site if said inspection determines that the password has been incorporated into the web site. Preferably, the information is an alias for said web site.
Preferably, said inspection step occurs a predetermined time after said password is transmitted.
Preferably, said inspection step only occurs if notification has been received from said entity, indicating that said entity has incorporated the password into the web site.
Preferably, the web site is inspected periodically to determine if the password has been incorporated and/or is still incorporated in said web site. In another aspect, the present invention relates to a method of verifying an entity is associated with a web site, the method comprising the steps of: the entity receiving a password from a verifying authority; and the entity incorporating the password into the web site such that it can be inspected by said verifying authority.
Preferably, the password is incorporated into an HTML document.
Preferably, said password is incorporated into a predetermined web page on said web site.
In a further aspect, the present invention provides a computer program arranged to perform any one of the methods as described above. Preferably, said computer program is stored on a machine readable medium.
Brief Description of Drawing
For a better understanding of the present invention, an embodiment will now be described, by way of example only, with reference to the accompanying drawing in which:
Figure 1 shows a flow chart illustrating the method steps according to a preferred embodiment of the present invention.
Detailed Description of Preferred Embodiment
Figure 1 shows the method steps to be performed by an entity A and a verifying authority B. The entity A and the verifying authority B can, for instance, be an individual, a company, or indeed automated computer software owned by individuals or companies.
In this particular embodiment, entity A is the owner of a web site (www.acompany.com). B runs a web site incorporating a search engine. A would like the web site (www.acompany.com) to be searchable via the search engine and additionally for an alias ("best ever company") to be associated with the web site URL. This would mean that any reader utilising the search engine of B, to search for the term "best ever company", would be directed towards the web site of A.
Before B will associate the alias with the URL of the web site, B requires verification that A is indeed associated with the web site, and not a troublemaker attempting to associate a misleading alias with the web site URL.
As shown in figure 1, A transmits a request for authentication to B (100). Such a request includes the web site URL, as well as the alias that A would like associated with the URL.
Once B receives the authentication request (200), B then transmits a password to A (202).
Upon receipt of the password (102), A then inserts the password into a predetermined page on the web site (104). The predetermined page can either be a page indicated by B, or a page that A has indicated to B that the password has been (or will be) inserted into. The password can appear as a visible word or graphical representation on the web site, or alternatively can be embedded into the HTML document forming a web page such that the password is not visible to a casual reader but would be discoverable if the source HTML document were directly accessed.
Subsequent to transmitting the password to A (202), B checks the web site (www.acompany.com) that it believes to be associated with A (204), so as to determine whether the password is present (206).
Such a check of the web site (204, 206) can be performed a predetermined interval after step 202, or alternatively a predetermined interval after B received notification from A that the password has been received, or indeed simply subsequent to B having received notification from A that the password has been inserted into the web site (104). Alternatively, B could periodically check the web site (www.acompany.com), or indeed check the web site at random intervals, to determine whether the password is present (206).
If the password is determined to be present on the web site, then B will subsequently presume that A is indeed associated with the relevant web site (208). In this particular example, B will thus ensure that the alias (best ever company) is associated with the web site (www.acompany.com) on B's search engine.
If it is determined (206) that the password is not present, then one or more other actions could be arranged to occur (212). For instance, B could be arranged to transmit a notification to A that no password was detected. Such a notification could, for instance, either request that A resubmit the request for authentication (100) such that a new password can be transmitted to A (202), or alternatively request that A insert the password into the web page (104) within a predetermined time such that B can once again check the web site (204) so as to determine whether the password is present (206).
Alternatively, if after either a first check, or a predetermined number of subsequent checks, it is determined that the password is still not present on the web site, then B may assume that A is not associated with the relevant web site. B may decide to publish this information, or to otherwise ensure that it is passed onto third parties.
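The exchange between A and B described above (steps 100 to 212), as an added Python example that is not part of the patent text. All class and function names are hypothetical, and the example assumes a fresh 128-bit random token per request, a limit of three checks, the page path index.html, and a constructed in-memory site in place of a real HTTP fetch.

```python
import secrets
from dataclasses import dataclass
from html.parser import HTMLParser


class _Collector(HTMLParser):
    """Gathers every place a token could sit: text, comments, attribute values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []  # (location, content) pairs

    def handle_data(self, data):
        self.found.append(("text", data))

    def handle_comment(self, data):
        self.found.append(("comment", data))

    def handle_starttag(self, tag, attrs):
        self.found.extend(("attribute", v) for _, v in attrs if v)


def find_token(html, token):
    """Steps 204/206: return where the token appears in the page, or None."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    for location, content in parser.found:
        if token in content:
            return location
    return None


@dataclass
class Request:
    page_url: str          # predetermined page agreed between A and B
    alias: str
    token: str             # the "password" of the patent text
    failed_checks: int = 0
    status: str = "pending"


class VerifyingAuthority:
    """Party B. `fetch` maps a URL to HTML (or None); an HTTP GET in practice."""

    def __init__(self, fetch, max_checks=3):
        self.fetch = fetch
        self.max_checks = max_checks   # assumption: the text says "predetermined number"
        self.aliases = {}              # alias -> Request that currently holds it

    def receive_request(self, page_url, alias):
        # Steps 200/202. Assumption: a fresh random token per request, so a
        # token already on the page cannot satisfy anyone else's request.
        return Request(page_url, alias, secrets.token_hex(16))

    def check(self, req):
        if req.status == "rejected":
            return req.status
        html = self.fetch(req.page_url) or ""
        if find_token(html, req.token):
            req.status, req.failed_checks = "verified", 0
            self.aliases[req.alias] = req              # step 208
        else:
            req.failed_checks += 1                     # step 212
            if self.aliases.get(req.alias) is req:     # token was removed later
                del self.aliases[req.alias]
            req.status = ("rejected" if req.failed_checks >= self.max_checks
                          else "pending")
        return req.status

    def lookup(self, alias):
        req = self.aliases.get(alias)
        return req.page_url if req else None


def demo():
    site = {}  # constructed in-memory stand-in for www.acompany.com
    page = "http://www.acompany.com/index.html"
    b = VerifyingAuthority(fetch=site.get)
    out = {}

    req_a = b.receive_request(page, "best ever company")
    out["before_insert"] = b.check(req_a)
    site[page] = f"<html><!-- {req_a.token} --><body>Welcome</body></html>"
    out["after_insert"] = b.check(req_a)
    out["alias_target"] = b.lookup("best ever company")

    # A second requester who cannot edit the page gets a different token.
    req_t = b.receive_request(page, "misleading alias")
    out["troublemaker"] = [b.check(req_t) for _ in range(3)]

    site[page] = "<html><body>Welcome</body></html>"   # token taken down
    out["periodic_recheck"] = b.check(req_a)
    out["alias_after_removal"] = b.lookup("best ever company")
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

The check proves only that the requester could write to the predetermined page at the time of inspection, which is why the example drops the alias again when a periodic re-check no longer finds the token.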
It will be appreciated that the above embodiment is provided by way of example only, and that various alternatives will be understood by the skilled person to fall within the scope of the present invention. Whilst the term password has been used, it will be understood that this could take any one of a number of forms. For instance, it could be a single character, a word, a phrase, any sequence of characters, including numerals, or one or more graphics. Indeed, it could simply be the alteration of the web site in a predefined manner (preferably as previously agreed by the entity and the verifying authority), e.g. a change in colour or layout of part or the whole of a web page. The reader's attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.
All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.
Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
The invention is not restricted to the details of the foregoing embodiment(s). The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.

Claims

1. A method of verifying an entity is associated with a web site, the method comprising the steps of: transmitting a password to the entity; and inspecting the web site to determine if the password has been incorporated into the web site.
2. A method of verifying an entity according to claim 1, in which the method further comprises the step of publishing, on a web page or otherwise, an indication that the entity is associated with said web site if said inspection determines that the password has been incorporated into the web site.
3. A method of verifying an entity according to claim 1, in which the method further comprises the step of publishing, on a web page or otherwise, an indication that the entity is not associated with a web site if said inspection determines that the password has not been incorporated into the web site.
4. A method of verifying an entity according to any preceding claim, in which the method further comprises the steps of: receiving information from said entity that the entity would like to have associated with said web site; and only treating the information as being associated with said web site if said inspection determines that the password has been incorporated into the web site.
5. A method of verifying an entity according to claim 4, in which the information is an alias for said web site.
6. A method of verifying an entity according to any preceding claim, in which said inspection step occurs a predetermined time after said password is transmitted.
7. A method of verifying an entity according to any preceding claim, in which said inspection step only occurs if notification has been received from said entity, indicating that said entity has incorporated the password into the web site.
8. A method of verifying an entity according to any preceding claim, in which the web site is inspected periodically to determine if the password has been incorporated and/or is still incorporated in said web site.
9. A method of verifying an entity is associated with a web site, the method comprising the steps of: the entity receiving a password from a verifying authority; and the entity incorporating the password into the web site such that it can be inspected by said verifying authority.
10. A method of verifying an entity according to claim 9, in which the password is incorporated into an HTML document.
11. A method of verifying an entity according to claim 9 or claim 10, in which said password is incorporated into a predetermined web page on said web site.
12. A computer program arranged to perform a method according to any preceding claim.
13. A computer program according to claim 12, in which said computer program is stored on a machine readable medium.
PCT/GB2002/005138 2001-11-16 2002-11-14 Improvements in and relating to web site authentication WO2003044641A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002347303A AU2002347303A1 (en) 2001-11-16 2002-11-14 Improvements in and relating to web site authentication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0127509A GB0127509D0 (en) 2001-11-16 2001-11-16 Improvements in and relating to web site authentication
GB0127509.8 2001-11-16

Publications (1)

Publication Number Publication Date
WO2003044641A1 (en) 2003-05-30

Family

ID=9925892

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2002/005138 WO2003044641A1 (en) 2001-11-16 2002-11-14 Improvements in and relating to web site authentication

Country Status (3)

Country Link
AU (1) AU2002347303A1 (en)
GB (1) GB0127509D0 (en)
WO (1) WO2003044641A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5841970A (en) * 1995-09-08 1998-11-24 Cadix, Inc. Authentication method for networks
EP0936531A2 (en) * 1998-02-12 1999-08-18 Hitachi, Ltd. Information search method and system therefor
US6018801A (en) * 1998-02-23 2000-01-25 Palage; Michael D. Method for authenticating electronic documents on a computer network
WO2001018636A1 (en) * 1999-09-09 2001-03-15 American Express Travel Related Services Company, Inc. System and method for authenticating a web page
EP1128628A1 (en) * 2000-02-23 2001-08-29 Tradesafely.com Limited Method and apparatus for Internet web site authentication
WO2001063878A1 (en) * 2000-02-23 2001-08-30 Tradesafely.Com Limited Method and apparatus for internet web site accreditation

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7100049B2 (en) * 2002-05-10 2006-08-29 Rsa Security Inc. Method and apparatus for authentication of users and web sites
US7346775B2 (en) * 2002-05-10 2008-03-18 Rsa Security Inc. System and method for authentication of users and web sites

Also Published As

Publication number Publication date
GB0127509D0 (en) 2002-01-09
AU2002347303A1 (en) 2003-06-10

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP