Identity Principle (web applications)

from Wikipedia, the free encyclopedia

The identity principle is an approach to designing and presenting web applications and Internet pages so that, in the event of a phishing attack, users recognize the fake page and do not enter sensitive data. To achieve this, it must be evident from the way the website is used, and from all communication associated with the site, that the operator consistently follows certain patterns. If behavior appears in the context of a web application that does not match the known patterns, the end user becomes suspicious and acts more cautiously, which makes it considerably harder for an attacker to reach his goal. Where security requirements are high (e.g. account login), these conventions should also be communicated to users explicitly. Users should likewise be told what to do when the conventions are violated (e.g. leave the page immediately, report the incident to a given e-mail address, ...). In this way, the principle underlying a company's corporate identity, namely the creation of an unmistakable identity with a recognition effect, is applied to web applications.

Starting points

  • Avoiding pop-ups, both to prevent cross-site scripting (XSS) and to remove the possibility of placing a fraudulent window in front of an authentic website in such a way that the window appears to belong to that website.
  • Avoiding misleading, varying and garish advertising banners. They repeatedly confront the user with surprising content that does not belong to the context of the website, yet appears within the website's context of trust: the trust placed in the provider is transferred to the content of the advertising banner.
  • Using fixed and memorable sender addresses for newsletters and similar mail, e.g. info@example.com; noreply addresses should be avoided. E-mail sender addresses can easily be forged, so an attacker would probably spoof the sender as well; nevertheless, in the context of this measure it is important to keep the convention consistent.
  • An SSL server certificate should never be defective. One repeatedly encounters the case that the server name in the address does not exactly match the name entered in the certificate. This produces a warning from the browser, which not only unsettles the user but can also lead to such warnings being accepted as normal in the future. Letting a certificate's validity period lapse should likewise be avoided.
  • In general, the unexpected and surprising should be avoided. This also means that a user is not logged out, or asked to log in again, without a specific reason (a user having been inactive for too long still counts as a specific reason). Otherwise, once logging in again has become routine for the user, an attacker who finds a suitable security gap would have an easier time slipping a fake login page in front of the user.
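The certificate point above is one that a site operator can check mechanically rather than waiting for users to report browser warnings. The following Python script is an added example and not part of the Wikipedia article: it takes a certificate in the dictionary layout that ssl.SSLSocket.getpeercert() returns, checks that the presented name matches the site's host name (including leftmost-label wildcards) and that the validity period covers the current time, and reports every deviation. The sample certificates and the fixed reference time are constructed for illustration; check_live_server() applies the same checks to a real server and needs network access.

```python
import socket
import ssl
from datetime import datetime, timezone

# Fixed reference time (constructed) so the offline checks are reproducible.
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample certificates in the dict layout that getpeercert() returns:
# subjectAltName is a tuple of (type, value) pairs, validity dates use OpenSSL's
# text format ("Mon DD HH:MM:SS YYYY GMT").
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
# Valid dates, but issued for a different host than the one the user visits.
MISMATCHED_CERT = {
    "subject": ((("commonName", "shop.example.net"),),),
    "subjectAltName": (("DNS", "shop.example.net"),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
# Correct name, but the validity period has already lapsed.
EXPIRED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
    "notBefore": "Jan 10 00:00:00 2023 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison with a leftmost-label wildcard only:
    *.example.com matches login.example.com but neither example.com nor a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName (or, failing that, the CN) covers the host name."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # CN is only consulted when the certificate carries no SAN entries
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return any(_dns_name_matches(name, hostname) for name in names)


def check_certificate(cert: dict, hostname: str, now: datetime = None) -> list:
    """Return a list of problems; an empty list means the certificate is consistent with the site."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"name mismatch: certificate is not issued for {hostname}")
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        problems.append(f"not yet valid: certificate starts {not_before.isoformat()}")
    if now > not_after:
        problems.append(f"expired: certificate ended {not_after.isoformat()}")
    return problems


def check_live_server(hostname: str, port: int = 443) -> list:
    """Fetch a real server's certificate and run the same checks (needs network access).
    The default context already enforces name and date checks, so a failure there is
    reported as the warning a browser would show instead of raising."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return check_certificate(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as err:
        return [f"browser-level verification fails: {err.verify_message}"]


if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("mismatched", MISMATCHED_CERT), ("expired", EXPIRED_CERT)):
        print(label, check_certificate(cert, "www.example.com", FIXED_NOW) or "ok")
```

Run against the constructed samples, only the mismatched and expired certificates produce findings; running check_live_server() periodically against the operator's own host names catches an expiring or mis-issued certificate before users learn to click through the resulting browser warning.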

Literature

  • Joel Scambray, Vincent Liu, Caleb Sima: Hacking Exposed: Web Applications: Web Application Security Secrets and Solutions. McGraw-Hill Professional, 3rd edition (November 1, 2010), ISBN 978-0071740647
  • Mario Heiderich, Christian Matthies, Johannes Dahse, fukami: Sichere Webanwendungen: Das Praxishandbuch (Secure Web Applications: The Practical Handbook). Galileo Computing, 1st edition (December 11, 2008), ISBN 978-3836211949
