I was listening to the Pauldotcom Security Weekly podcast (http://pauldotcom.com/security_weekly/) the other week (episode 101), when Paul and Larry talked about an “Evil Twin” experiment they conducted on social networking. The solution proposed for the problem, getting in first and registering yourself on social websites, is not really that elegant, and doesn’t solve the problem. The real problem is identity verification: how can the average person verify that a social webpage belongs to who they expect? This got my brain ticking over, as it does on occasion, about possible solutions. Given that I was toying with the idea of starting a blog, I figured this was as good a first post topic as anything. So here we go.
When considering potential solutions to the issue, one of the first things to come to mind was an identity verification service. This service is geared more towards the problem of allowing the average person to be sure of a web identity than towards stopping “Evil Twin” websites being created. Most people have numerous identities online, whether that be email accounts, social websites, or even auction logins. Therefore, if there was a way to automatically verify a social website as being owned by the same person as an identity you already know, you could have greater confidence in the source of the webpage.
So how might this work? Ideally, a common set of protocols would be agreed so that you could log into your various web identities and submit a linkage back to an identity verification service. This would remove the need for the identity verification service to gain access to your various logins to test the validity of your identity. Having web sites sign up to such a protocol would always be a problem without a benefit (unless they get a lot of public demand for it). The value for social websites would be this: if there was a common way for the average person to know whether a site is an evil twin or not (through some sort of common visual key that lists the web site owner’s other known web identities), then the high profile sites hosted on a particular social site become more valuable from a marketing point of view (i.e. we host the official website for Celebrity X).
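As an added illustration of the linkage idea (not code from the post, and not any real service), here is a toy verification service in Python: an owner submits a linkage only from a session on the profile being linked, and a page that merely copies the owner claim is flagged because the service never received a linkage for that URL. The `verify.example` URLs, the `identity-owner` link tag and all profile names are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed convention: a profile page claims its owner with a link tag
# pointing at the verification service. Real protocols would need signing.
CLAIM_RE = re.compile(
    r'<link rel="identity-owner" href="https://verify\.example/owner/([\w-]+)">'
)


@dataclass
class VerificationService:
    """Toy registry: owner id -> profile URLs linked while logged into them."""
    links: dict = field(default_factory=dict)

    def submit_linkage(self, owner_id, profile_url, session_profile):
        # The linkage must come from a session on the profile itself, so the
        # service never needs the user's credentials for that site.
        if session_profile != profile_url:
            return False
        self.links.setdefault(owner_id, set()).add(profile_url)
        return True

    def verify_page(self, profile_url, page_html):
        """Verdict for a page plus the owner's other identities for display."""
        claim = CLAIM_RE.search(page_html)
        if not claim:
            return {"status": "no-claim", "owner": None, "other_identities": []}
        owner = claim.group(1)
        known = self.links.get(owner, set())
        status = "verified" if profile_url in known else "unverified-claim"
        return {"status": status, "owner": owner,
                "other_identities": sorted(known - {profile_url})}


def run_scenario():
    """Constructed scenario: a genuine profile and an evil twin copying its claim."""
    svc = VerificationService()
    svc.submit_linkage("alice", "https://social.example/alice",
                       "https://social.example/alice")
    svc.submit_linkage("alice", "https://mail.example/alice",
                       "https://mail.example/alice")
    claim = '<link rel="identity-owner" href="https://verify.example/owner/alice">'
    genuine = svc.verify_page("https://social.example/alice",
                              "<html>" + claim + "</html>")
    # The twin reuses the claim but no linkage was ever submitted for its URL.
    twin = svc.verify_page("https://social.example/alice_official",
                           "<html>" + claim + "</html>")
    return genuine, twin
```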
The next problem is how to get people to use the service and do the work required to link their web identities back to the verification service. The “build it and they will come” approach will only succeed with the population who are aware of the problem and look for ways to mitigate the risk to themselves. Unfortunately, it won’t hit critical mass this way, because those who don’t know better won’t want to do the work to link their identities. One possible solution is to try to link the verification service to some other cross-website service like federated authentication (e.g. OpenID). So now we have potentially two beneficial services, strong authentication and strong web identity verification, in one place.
There are quite a few issues with the suggestions above (e.g. how to protect against identity theft if you are presenting all the identities of an individual to verify the owner of a website). But in the interest of not turning this into some sort of novel, I will leave it to the community to suggest improvements, pull the idea apart, and finally shoot it down in flames, in the hope it may get others thinking about alternative solutions to the problem.