EXPERIMENT-9
Aim: Write a program to identify website’s identity
Pseudo code/Algorithms/Flowchart/Steps:
website has an extended validation certificate, indicating that the website’s identity has been
verified. EV certificates don’t provide any additional encryption strength – instead, an EV
certificate indicates that extensive verification of the website’s identity has taken place. Standard
SSL certificates provide very little verification of a website’s identity.

How Browsers Display Extended Validation Certificates

On an encrypted website that doesn’t use an extended validation certificate, Firefox says that the
website is “run by (unknown).” Chrome doesn’t display anything differently and says that the
website’s identity was verified by the certificate authority that issued the website’s certificate.
When you’re connected to a website that uses an extended validation certificate, Firefox tells you
it’s run by a specific organization. According to this dialog, VeriSign has verified that we’re
connected to the real PayPal website, which is run by PayPal, Inc. When you’re connected to a site
that uses an EV certificate in Chrome, the organization’s name appears in your address bar. The
information dialog tells us that PayPal’s identity has been verified by VeriSign using an extended
validation certificate.
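The browser behaviour described above (showing “run by (unknown)” versus the organization name) comes down to two questions about the server’s certificate: does the subject carry an organizationName, and does the certificate assert the CA/Browser Forum extended-validation policy OID (2.23.140.1.1)? The following program, written as an added example for this experiment and not taken from any browser’s or the original write-up’s code, answers both using only Python’s standard library. The sample certificate dicts and the DER fragment are constructed for the demonstration and are not real PayPal certificates; the EV check is a substring search for the DER-encoded OID, a deliberate simplification of parsing the certificatePolicies extension.

```python
"""Classify how much identity a TLS certificate asserts (DV / OV / EV).

Python's ssl module returns the peer certificate as a dict (getpeercert())
or as raw DER bytes (getpeercert(binary_form=True)). The subject's
organizationName shows whether the CA verified an organization at all;
the EV policy OID in the DER shows whether it asserted extended validation.
"""
import socket
import ssl

# CA/Browser Forum EV policy OID 2.23.140.1.1, DER-encoded:
# tag 0x06, length 5, arcs 2*40+23 = 0x67, 140 = 0x81 0x0C, 1 = 0x01, 1 = 0x01.
EV_POLICY_OID_DER = bytes.fromhex("060567810c0101")


def subject_field(cert_dict, field):
    """Return one field of the subject in ssl.getpeercert() dict form, or None."""
    for rdn in cert_dict.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def classify(cert_dict, der_bytes=None):
    """Return (level, organization) where level is 'EV', 'OV' or 'DV'.

    Without an organizationName in the subject the certificate is domain-only
    (DV). With one it is at least OV; it is EV only if the DER form also
    carries the EV policy OID (substring heuristic, see module docstring).
    """
    org = subject_field(cert_dict, "organizationName")
    if org is None:
        return "DV", None
    if der_bytes is not None and EV_POLICY_OID_DER in der_bytes:
        return "EV", org
    return "OV", org


def describe(cert_dict, der_bytes=None):
    """Mimic the Firefox wording: '(unknown)' for DV, the organization otherwise."""
    level, org = classify(cert_dict, der_bytes)
    if level == "DV":
        return "run by (unknown)"
    suffix = " (extended validation)" if level == "EV" else ""
    return f"run by {org}{suffix}"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check (needs network): (dict, DER bytes) after a verified handshake.

    create_default_context() requires a valid chain and matching hostname,
    so a self-signed or mismatched certificate raises instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed samples in the shape ssl.getpeercert() returns; not real certificates.
SAMPLE_EV = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "PayPal, Inc."),),
        (("commonName", "www.paypal.com"),),
    ),
    "issuer": ((("organizationName", "Example EV CA (constructed)"),),),
}
SAMPLE_DV = {
    "subject": ((("commonName", "paypall.example"),),),
    "issuer": ((("organizationName", "Example DV CA (constructed)"),),),
}
# Constructed DER fragment: a SEQUENCE wrapping the EV policy OID (a real cert is far larger).
SAMPLE_EV_DER = b"\x30\x07" + EV_POLICY_OID_DER


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python identity.py www.paypal.com
        cert, der = fetch_peer_cert(sys.argv[1])
        print(sys.argv[1], "->", describe(cert, der))
    else:
        print("sample EV:", describe(SAMPLE_EV, SAMPLE_EV_DER))
        print("sample DV:", describe(SAMPLE_DV))
```

Run it with a hostname argument to inspect a live site; without arguments it classifies the two constructed samples. Note that a domain-only certificate for a look-alike name such as paypall.example is classified DV precisely because no organization was verified, which is the gap the text says the lock icon alone hides. For production use, replace the substring heuristic with a proper parse of the certificatePolicies extension (for example with the cryptography package) so that OID bytes appearing elsewhere in the certificate cannot be mistaken for a policy assertion.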
IMPLEMENTATION:
An EV certificate indicates that a certificate authority has verified that the website is run by a
specific organization. For example, if a phisher tried to get an EV certificate for paypall.com, the
request would be turned down.
In contrast, a domain-only certificate verification might only involve a glance at the domain’s WHOIS records
to verify that the registrant is using the same information. The issuing of certificates for
domains like “localhost” implies that some certificate authorities aren’t even doing that much
verification. EV certificates are, fundamentally, an attempt to restore public trust in certificate
authorities and restore their role as gatekeepers against imposters.
Years ago, certificate authorities used to verify a website’s identity before issuing a certificate. The
certificate authority would check that the business requesting the certificate was registered, call the phone
number, and verify that the business was a legitimate operation that matched the website.
Eventually, certificate authorities began offering “domain-only” certificates. These were cheaper, as it was
less work for the certificate authority to quickly check that the requester owned a specific domain (website).
Phishers eventually began taking advantage of this. A phisher could register the domain paypall.com and
purchase a domain-only certificate. When a user connected to paypall.com, the user’s browser would
display the standard lock icon, providing a false sense of security. Browsers didn’t display the difference
between a domain-only certificate and a certificate that involved more extensive verification of the website’s
identity.
Public trust in certificate authorities to verify websites has fallen – this is just one example of certificate
authorities failing to do their due diligence. In 2011, the Electronic Frontier Foundation found that
certificate authorities had issued over 2000 certificates for “localhost” – a name that always refers to your
current computer. In the wrong hands, such a certificate could make man-in-the-middle attacks easier.