Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implementing a Secure and Trustworthy Badge Feature for Website Verification #1

Open
swiiny opened this issue Jul 3, 2024 · 1 comment
Open

Implementing a Secure and Trustworthy Badge Feature for Website Verification #1

swiiny opened this issue Jul 3, 2024 · 1 comment

Comments

@swiiny
Copy link

swiiny commented Jul 3, 2024

Feature description

Implement a new badge feature that can be easily displayed on websites.

The idea is inspired by Website Carbon which integrates a similar badge feature that can be easily embedded anywhere on a web page.

image

This screenshot was taken from the footer of Overthere link

Use cases

  • Allow website owners to showcase their site as legitimate without adding extra steps for users.

Benefits

For website owners

  • Retain users on the platform.
  • Provide a safer and more trustworthy experience for users.

For users

  • Enhance user confidence by confirming the legitimacy of the site.

For UNFraud

  • Increase visibility.
  • Broaden the usage range.

Questions/Discussions

  1. Preventing Badge UI Copying on Impersonated Websites
    • Issue: How can we prevent malicious actors from copying the badge UI onto impersonated websites to deceive users?
    • Discussion Points:
      • Dynamic Badge Generation: Implement a system where each badge is dynamically generated with a unique identifier or cryptographic signature tied to the website's domain.
      • API Authentication: Require authentication via API keys or tokens to fetch and display the badge, ensuring only legitimate websites can access and display it.
      • JS Embed with Domain Verification: Use JavaScript embedding that verifies the domain of the site where it's embedded, ensuring it matches the domain registered for the badge.
      • Evaluation: Despite these approaches, none of them individually may completely mitigate the risk of UI copying on impersonated websites.

Future Implementations

  • Applicability in Finance/Blockchain Industry: Consider potential future implementations in industries like finance and blockchain, leveraging the badge feature to enhance trust and security.
@Khodl
Copy link
Member

Khodl commented Jul 3, 2024

Thank you for your suggestion!

While it is a great idea in theory, I completely agree with the first issue you raised: the badge/widget could be copied, providing a false sense of trust instead of encouraging individuals to verify information themselves in case of doubt.

I would like to add two more issues for consideration:

Issue 2: It is already challenging for large organisations to cooperate with external entities. They would need to vet Unfraud.org, and although it is a tech4good project, it is NOT a registered NGO or non-profit. From their perspective, this may not seem worthwhile. However, a possible alternative could be a widget that organisations can integrate into their websites, with regular audits from our code and database. This might make collaboration more appealing to them.

Issue 3: Many organisations use third-party platforms to recruit, which we can't vet on our side, as it might be used by legit organisations, but also by potential scammers.

Let's keep this ticket open to allow for further input and discussion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Khodl @swiiny