
Course Name: Web Services Security Lab Course code: CSB-422

EXPERIMENT-9
Aim: Write a program to identify website’s identity

Tools/Software Required: Netbeans IDE

Pseudo code/Algorithms/Flowchart/Steps:
A website may present an extended validation (EV) certificate, indicating that the identity of the organization operating it has been verified. EV certificates do not provide any additional encryption strength; the TLS handshake and cipher suites are the same as with any other certificate. What an EV certificate adds is that extensive verification of the website's identity has taken place. Standard (domain-validated) SSL/TLS certificates verify only that the requester controls the domain name, not who the requester is.

How browsers display extended validation certificates: on an encrypted website that does not use an EV certificate, Firefox's identity dialog says that the website is "run by (unknown)". Chrome does not display anything differently and says only that the website's identity was verified by the certificate authority that issued the website's certificate. When you are connected to a website that uses an EV certificate, Firefox's dialog says it is run by a specific organization. In the Firefox dialog for paypal.com described here, VeriSign has verified that we are connected to the real PayPal website, which is run by PayPal, Inc. When you are connected to a site that uses an EV certificate in Chrome, the organization's name appears in the address bar, and the information dialog says that PayPal's identity has been verified by VeriSign using an extended validation certificate.

Note that this describes older browser versions. Since Chrome 77 and Firefox 70 (both released in 2019) the organization name is no longer shown in the address bar; EV status is visible only in the page-info or certificate-viewer dialog. A program that wants to identify a website must therefore read the certificate's subject fields itself rather than rely on the browser's indicator.

IMPLEMENTATION:
An EV certificate indicates that a certificate authority has verified that the website is run by a specific organization. For example, if a phisher tried to get an EV certificate for paypall.com, the request would be turned down, because the phisher cannot show that a registered organization named PayPal controls that domain.

NAME: Prajwal Rai UID: 19BCS1010


Unlike standard SSL certificates, only certificate authorities that pass an independent audit are allowed to issue EV certificates. The Certification Authority/Browser Forum (CA/Browser Forum), a voluntary organization of certification authorities and browser vendors such as Mozilla, Google, Apple, and Microsoft, issues guidelines that all certificate authorities issuing extended validation certificates must follow. This ideally prevents the certificate authorities from engaging in another "race to the bottom", where they use lax verification practices to offer cheaper certificates.
In short, the guidelines demand that certificate authorities verify that the organization requesting the certificate is officially registered, that it owns the domain in question, and that the person requesting the certificate is acting on behalf of the organization. This involves checking government records, contacting the domain's owner, and contacting the organization to verify that the person requesting the certificate works for the organization.

In contrast, domain-only certificate verification might involve only a glance at the domain's WHOIS records to check that the registrant matches the information the requester supplied. The issuing of certificates for names like "localhost" implies that some certificate authorities weren't even doing that much verification. EV certificates are, fundamentally, an attempt to restore public trust in certificate authorities and restore their role as gatekeepers against impostors.

Years ago, certificate authorities used to verify a website's identity before issuing a certificate. The certificate authority would check that the business requesting the certificate was registered, call its phone number, and verify that the business was a legitimate operation that matched the website.
Eventually, certificate authorities began offering "domain-only" certificates. These were cheaper, as it was less work for the certificate authority to quickly check that the requester owned a specific domain (website). Phishers eventually began taking advantage of this. A phisher could register the domain paypall.com and purchase a domain-only certificate. When a user connected to paypall.com, the user's browser would display the standard lock icon, providing a false sense of security. Browsers didn't display the difference between a domain-only certificate and a certificate that involved more extensive verification of the website's identity.
Public trust in certificate authorities to verify websites has fallen, and this is just one example of certificate authorities failing to do their due diligence. In 2011, the Electronic Frontier Foundation found that certificate authorities had issued over 2000 certificates for "localhost", a name that always refers to your current computer. In the wrong hands, such a certificate could make man-in-the-middle attacks easier.
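The lab asks for a program that identifies a website's identity. The following is an added example written for this page, not code from the original lab manual or from any browser vendor; it uses only the Python standard library. It reproduces the identity-dialog logic described above: it takes the dictionary that ssl's getpeercert() returns, first checks that the requested hostname is actually covered by the certificate, and then reports "run by (unknown)" for a domain-validated certificate, the organization name for an organization-validated one, and the organization plus its registered location when the subject fields that the EV Guidelines require (businessCategory, serialNumber, jurisdictionCountryName) are present. The three sample certificates are constructed for the demo, the "jurisdictionCountryName" spelling is an assumption about how the local OpenSSL build names that attribute, and the EV test is a heuristic on subject fields rather than a check of the certificatePolicies extension, which getpeercert() does not expose.

```python
"""Identify who runs a website from its TLS certificate, the way a browser's
identity dialog does.  Standard library only (socket, ssl)."""
import socket
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require in addition to
# organizationName.  Keys are the OpenSSL long names getpeercert() uses; the
# "jurisdictionCountryName" spelling is an assumption about the local build.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection and return the peer certificate as the
    dict ssl.SSLSocket.getpeercert() produces.  Needs network access; the
    offline demo below feeds classify_identity() constructed dicts instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_fields(cert):
    """Flatten getpeercert()'s subject (tuple of RDNs, each a tuple of pairs)."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def hostname_covered(cert, host):
    """True if host appears in subjectAltName as an exact DNS name or under a
    single-label wildcard.  Like modern browsers, the commonName is ignored."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") >= 2:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def classify_identity(cert, host):
    """Return (validation_level, run_by) for the site at host.

    validation_level is "mismatch", "DV", "OV" or "EV"; run_by is the text a
    Firefox-style dialog would show after "This website is run by"."""
    if not hostname_covered(cert, host):
        # A valid certificate for some other name proves nothing about host.
        return "mismatch", "(unknown)"
    subj = subject_fields(cert)
    org = subj.get("organizationName")
    if not org:
        # Domain-validated: only control of the name was checked, so the
        # operator is unknown, exactly as with the paypall.com lookalike.
        return "DV", "(unknown)"
    if EV_SUBJECT_FIELDS.issubset(subj):
        place = ", ".join(v for v in (subj.get("localityName"),
                                     subj.get("stateOrProvinceName"),
                                     subj.get("countryName")) if v)
        return "EV", f"{org} ({place})" if place else org
    return "OV", org


# Constructed sample certificates (not real chains) shaped like getpeercert().
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),),
                (("serialNumber", "1234567"),),          # placeholder registration number
                (("countryName", "US"),),
                (("stateOrProvinceName", "California"),),
                (("localityName", "San Jose"),),
                (("organizationName", "PayPal, Inc."),),
                (("commonName", "www.paypal.com"),)),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
# Lookalike domain with a domain-only certificate: the lock icon appears, but
# nobody has vouched for who operates it.
DV_CERT = {
    "subject": ((("commonName", "paypall.com"),),),
    "subjectAltName": (("DNS", "paypall.com"), ("DNS", "www.paypall.com")),
}
OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "example.com"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # python identity.py www.example.com
        target = sys.argv[1]
        cert = fetch_peer_cert(target)
    else:                                     # offline demo on a constructed sample
        target, cert = "www.paypal.com", EV_CERT
    level, run_by = classify_identity(cert, target)
    print(f"{target}: {level} certificate, run by {run_by}")
```

Run it with a hostname as the first argument to inspect a live site; without one it classifies the constructed PayPal sample. The hostname check comes first on purpose: a perfectly valid EV certificate for another organization's domain must still report "(unknown)" for the host you asked about, otherwise an attacker could present someone else's certificate and borrow their verified name.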

OUTPUT:
