Security of Hash Verified Websites

SilentCicero (Toronto, CA; Member; Posts: 159)
A nice use of the blockchain is to verify website ownership. This is somewhat easy to accomplish via a hash generation mapped to an address and website URL on the blockchain, and then a front-end check for that hash (via JS) in the website's source code metadata. Some simple JS could look for this hash and confirm, at least on a DApp front-end, that a certain address owns the website they are claiming to own. My question is, what are the security limitations of doing this hash verify check through JS? Is there a way to spoof the system? I don't see many, unless the DApp JS code itself was compromised; then perhaps someone could make sites verified when they are not. But if the DApp is open source, and the JS code monitored, I don't see too many issues with this. As a potentially more secure alternative, the hash verifier could be a file (Google does something similar to verify websites), and then to verify, the JS code looks for website_url/hash_verifier.html and reads through the file to verify the website. This way only the owner could really make that addition, with that hash.

Anyways, Cheers!
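The file-based check described above, sketched as an added example that is not part of the original post: it decides whether a fetched `hash_verifier.html` actually proves a registry claim. The record shape, the field names and the `0x` + 64 hex digit hash format are assumptions, and the sample values are constructed.

```javascript
// Added example (not from the thread). Names and data shapes are assumptions.
const VERIFIER_PATH = '/hash_verifier.html';

// record:   { address, url, hash } as read from the on-chain registry (assumed shape)
// response: { finalUrl, status, body } as observed after fetching the verifier file
function checkOwnershipProof(record, response) {
  let claimed, served;
  try {
    claimed = new URL(record.url);
    served = new URL(response.finalUrl);
  } catch (e) {
    return { verified: false, reason: 'unparseable URL' };
  }
  // Over plain HTTP the file contents cannot be trusted to come from the site.
  if (claimed.protocol !== 'https:' || served.protocol !== 'https:') {
    return { verified: false, reason: 'not https' };
  }
  // The file must be served by the claimed origin itself, not after a redirect elsewhere.
  if (served.origin !== claimed.origin) {
    return { verified: false, reason: 'served from a different origin' };
  }
  // Fixed root path: a page elsewhere on the site that shows the hash does not count.
  if (served.pathname !== VERIFIER_PATH) {
    return { verified: false, reason: 'unexpected path' };
  }
  if (response.status !== 200) {
    return { verified: false, reason: 'file not found' };
  }
  // The hash must be the whole file, so a page that merely echoes it does not pass.
  const body = String(response.body).trim();
  if (!/^0x[0-9a-f]{64}$/.test(record.hash) || body !== record.hash) {
    return { verified: false, reason: 'hash mismatch' };
  }
  return { verified: true, address: record.address };
}

// Constructed sample data (not real addresses or hashes).
const sampleRecord = {
  address: '0x' + 'ab'.repeat(20),
  url: 'https://example.org/',
  hash: '0x' + '12'.repeat(32),
};
const goodResponse = {
  finalUrl: 'https://example.org/hash_verifier.html',
  status: 200,
  body: sampleRecord.hash + '\n',
};
console.log(checkOwnershipProof(sampleRecord, goodResponse));
```

In a browser, reading this file from another origin only works if the site sends CORS headers for it; otherwise the fetch has to happen server-side and the result passed to this function.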

Comments

  • Bitcoinzie (Member; Posts: 73)
    edited February 2015
    Maybe this idea: the owner just displays a badge of the hash and then the users are free to look that up, or that badge could be linked to whatever company/dapp is handling the process to verify. Then it really can't be spoofed as long as the company/dapp is kept honest. Then you just have to track that they actually came from the site the badge is hosted on.
  • Bitcoinzie (Member; Posts: 73)
    The idea I was trying to convey is that you can have all the script and images for the badge hosted wherever, without the site owner or anyone else being able to access it. So you provide them with a link, just like they do with ads today, that the site owner posts on their site/dapp. But it gets all its information from you. The link back to your dapp/the verification service is just there to enable the end user to verify if they want to. You can also read the incoming link to verify they came from the site the badge is on.
  • SilentCicero (Toronto, CA; Member; Posts: 159)
    edited February 2015
    A badge idea is cool. I was thinking I could write some general JS code that could look for a specific address or hash, then any DApp developer that has a registration-like aspect (with a website URL involved) could have a Verified By Hash on their DApp. It's just that little extra bit of trust for a service and the end users. So in a way, it's similar to the badge idea. (i.e. [Checkmark] Hash Verified).
  • Bitcoinzie (Member; Posts: 73)
    I was more referring to solving your spoofing problem, much like Google Webmaster Tools verifies websites. https://support.google.com/webmasters/answer/35659?hl=en