Security system for websites
The invention to which this application relates is a system for improved security on websites.
Although the following description refers almost exclusively to use of an improved security system for social networking websites such as Facebook (RTM), it will be appreciated by persons skilled in the art that the present invention can be used with other websites and applications.
Social networking websites are a recent cultural phenomenon, typically comprising a website in which a user can enter and share information in the form of text, pictures, and the like.
Facebook (RTM) is a popular recent example of such a website, and further allows users to develop and share their own programs via application programming interfaces (APIs). For example, a user could create a quiz API, then invite their listed friends on Facebook to play the quiz by installing the API, the results data being visible to listed friends who had also installed the API.
Normally, if a user does not wish to make such details available, they can mark the data as being private. Thus, if an unauthorised third party tries to view such data, the data will not render on the third party's browser. However, the data would still have been sent to the third party, and the privacy limitation is thus not a particularly secure way of hiding such data as it could still potentially be captured and processed by other means.
An aim of the present invention is to provide a system for improving the security on websites.
In addition, it is not easily possible to see where a third party has come from in terms of the previous web page viewed. There are tracker programs available which store log files, but these tend to be text based and not immediately accessible.
A further aim of the invention is to provide an indication as to the origination of web page visitors.
Social networking websites are often supported by advertising. Conventionally, adverts are loaded along with the websites in real-time, and if the advert is clicked upon this fact is recorded and often a new web page is opened in connection with the advert on such action.
However, if the advert server is offline, it can slow down the download of the initially requested website, as the requests to the offline advert server fail.
A further aim of the invention is to provide a means of viewing adverts when the advert servers are offline.
In one aspect of the invention, there is provided a security system in which at least a portion of user data is stored in an encrypted form on a public server and can be selectively identified as being in a private or shared format, wherein when in a shared format the data can be decrypted by an authorised server to allow an authorised third party to view the same.
As such, all user data is stored in an encrypted form on a public server and therefore unauthorised third parties cannot extract any useful information.
In one embodiment the security system is for a website, and decryption is initiated from a web browser when viewing of the data is required.
In one embodiment the authorised server is one which has previously been checked and identified as a trusted server and is provided with decryption means to decrypt encrypted data.
Typically the trusted server is physically separate from the public server.
In one embodiment the third party uses a web browser on a client to send a request to view the shared data on the public server, which data is decrypted by a separate trusted server to allow the data to be viewed via the browser.
Typically, an AJAX call back is made from the web page in the browser to the trusted server to decrypt the encrypted data and dynamically update the web page with decrypted content.
In one embodiment the user can choose the third parties that are authorised to view the shared data.
In one embodiment the data includes Emails.
In one embodiment the data includes a list of third parties allowed to view the data. Preferably the list includes the identity of the user.
Typically the shared data is only decrypted if the user of the browser matches the user identity stored in the list. Typically the server sends a decryption error message if the browser user does not match the user identity in the list.
In one embodiment the user can change how selected portions of the data are marked between shared and private formats.
Thus the security system can store data such as Emails in a secure fashion on a public server, ensuring that the user can view their Emails but third parties cannot. If a user decides to share an Email, they can change this to a shared format and the trusted server allows decryption of only that Email for authorised third parties which the user can specify.
In one embodiment one or more graphical elements are associated with the third party's details and displayed to the user when the user views data to identify the status and/or origin of that third party.
Typically the user views data via a web browser, and the graphical elements are in the form of icons associated with the names of the third parties .
In one embodiment the graphical element representing status can indicate that the third party is online or offline.
In one embodiment the graphical element representing the origin of the third party is a FAV icon associated with the website previously viewed by that third party, or equivalent thereto.
In one embodiment the web page includes adverts which can be downloaded and cached for display such that if the advert server is offline the advert can still be viewed from the cache.
Typically viewing of the advert can be recorded and reported back to the advert server when next online.
Advantageously the cached adverts can be utilised according to the web page being displayed. For example, if the web page is about a racing car game, it may be more appropriate to display a car relating to the game or cars than what would normally be displayed.
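The advert handling described in the preceding paragraphs, as an added Go model that is not part of the application or of any advert server's actual code: adverts are downloaded and cached while the advert server answers; when it is offline the page is served from the cache rather than waiting on a failing request; every view is queued and reported to the server when it is next reachable; and an advert tagged with the page's subject is preferred over an arbitrary one. The AdServer and AdCache types, the topic tags and the advert identifiers are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Advert is one downloaded creative; Topics says which pages it suits (constructed for the example).
type Advert struct {
	ID     string
	Topics []string
}

// ErrOffline is what any request to an unreachable advert server yields.
var ErrOffline = errors.New("advert server offline")

// AdServer stands in for the remote advert server; Offline switches on the failure case.
type AdServer struct {
	Offline   bool
	Inventory []Advert
	Reported  []string // advert IDs whose views have reached the server
}

// Fetch returns a live advert for the page topic, or ErrOffline.
func (s *AdServer) Fetch(topic string) (Advert, error) {
	if s.Offline {
		return Advert{}, ErrOffline
	}
	if ad := pick(s.Inventory, topic); ad.ID != "" {
		return ad, nil
	}
	return Advert{}, errors.New("no advert for " + topic)
}

// Report records a batch of views; the whole batch is rejected while the server is offline.
func (s *AdServer) Report(ids []string) error {
	if s.Offline {
		return ErrOffline
	}
	s.Reported = append(s.Reported, ids...)
	return nil
}

// pick prefers an advert tagged with the page topic and otherwise takes the first available one.
func pick(ads []Advert, topic string) Advert {
	for _, ad := range ads {
		for _, t := range ad.Topics {
			if t == topic {
				return ad
			}
		}
	}
	if len(ads) > 0 {
		return ads[0]
	}
	return Advert{}
}

// AdCache is the browser-side store: adverts downloaded so far and views not yet reported.
type AdCache struct {
	Cached  []Advert // adverts downloaded so far, oldest first
	Pending []string // viewed advert IDs the server has not yet acknowledged
}

func (c *AdCache) remember(ad Advert) {
	for _, have := range c.Cached {
		if have.ID == ad.ID {
			return
		}
	}
	c.Cached = append(c.Cached, ad)
}

// Show chooses the advert for a page: from the server while it answers, otherwise from the cache.
// Every view is queued in Pending; the queue is flushed whenever the server accepts a report.
func (c *AdCache) Show(srv *AdServer, topic string) (Advert, bool) {
	ad, err := srv.Fetch(topic)
	if err == nil {
		c.remember(ad)
	} else if ad = pick(c.Cached, topic); ad.ID == "" {
		return Advert{}, false // server unreachable and nothing cached yet
	}
	c.Pending = append(c.Pending, ad.ID)
	if srv.Report(c.Pending) == nil {
		c.Pending = nil
	}
	return ad, true
}

func main() {
	srv := &AdServer{Inventory: []Advert{{ID: "ad-car", Topics: []string{"racing"}}}} // constructed inventory
	c := &AdCache{}
	c.Show(srv, "racing") // online: downloaded, cached and reported
	srv.Offline = true
	ad, ok := c.Show(srv, "racing") // offline: served from the cache, view queued
	fmt.Println(ad.ID, ok, len(c.Pending))
}
```

The queue is only cleared once Report succeeds, so views recorded while the server is down survive until the next successful request; a real client would also persist Cached and Pending across page loads, which the in-memory model omits.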
In a further aspect of the invention there is provided a method of providing security to access to a user's data, at least a portion of said user data being stored in an encrypted form on a public server and accessible by said user, wherein said user is able to identify said data as being in private or shared formats, and wherein when in a shared format the data can be decrypted by an authorised server to allow a third party who is authorised to view the same.
In one embodiment the private format data is only accessible by the user.
Typically the method includes a means of identifying the state and/or origin of a third party visitor to a user's webpage wherein one or more graphical elements are associated and displayed with the third party's identification details. In one embodiment the graphical elements represent the third party's status and/or the previous page that they have viewed.
Typically the method is operated within a social networking website.
Typically the user is able to compile a list of third parties who are authorised to access the shared format data.
In one embodiment the method is operated within a social networking website such as Facebook (RTM). Thus when a user visits their web page, they can see the status of their friends (online or offline) and where they came from (last web page viewed) via the graphical icons next to their names.
Typically different icons are provided to indicate different statuses. For example a green circle next to the user's name could indicate that the user is online at the time, whereas a red circle indicates that the user is offline.
In one embodiment the graphical elements to indicate the previous page viewed are FAV icons associated with the website from that previous page, or are equivalent thereto. If for example the website does not include a FAV icon, the user may be able to create one or choose an appropriate predefined one from the social networking website.
FAV icons are small graphical files which are typically placed in the root level of a website such that when a page is bookmarked, the browser stores the image alongside the text of that bookmark to make the bookmark easier to identify by a user in the future when searching for the same.
Specific embodiments of the invention are now described wherein:-
Figure 1 schematically illustrates a security system according to an embodiment of the present invention.
Figure 2 schematically illustrates a web page according to an embodiment of the present invention.
With reference to Figure 1, there is illustrated a client computer 2 with a monitor 4 on which there is displayed a web page 6 in a web browser 8.
The web page in this example may be a social networking site such as Facebook (RTM), which allows users to develop and share their own programs via application programming interfaces.
Facebook (RTM) includes an Email function wherein users can send and receive messages to and from one another. Conventionally users cannot selectively share their Emails with each other on Facebook (RTM), i.e. Emails cannot be chosen to be made visible to other users.
Data relating to users is stored on a public server 10 and is typically marked as private to prevent unauthorised third parties from viewing the data. In a conventional system, the client web browser 8 sends a request 12 to view the shared data on the public server 10, which data is sent back 14 to the browser but cannot be viewed if the third party is not authorised.
However, although such data is not visible in a conventional browser, it is still sent by the public server in an unencrypted form and thus presents a security risk, as it could be intercepted.
The present invention solves this problem by providing a trusted server 16 which decrypts data stored on the public server 10 in an encrypted form.
Facebook (RTM) allows execution of JavaScript (RTM) within a web browser to view a private web page. However, Facebook (RTM) does not allow the page contents to be updated directly from JavaScript (RTM) for security reasons. Page content can only be updated with the result of an AJAX callback to a back end server.
AJAX (Asynchronous JavaScript and XML), is a web development technique used for creating interactive web applications. Web pages that use AJAX are more responsive as only small amounts of data are exchanged with the server so that the entire web page does not have to be reloaded each time the user requests a change.
Thus in order to decrypt the encrypted content on the public server 10, an AJAX callback 18 is made to the trusted server 16, which decrypts the data which has been identified, typically by the user, as being in a shared format and sends 20 the decrypted content to the Facebook (RTM) web page 6, thereby dynamically updating the same.
An encrypted list of third party users is also stored on the public server 10 so that only those authorised third party users can view the shared format data. The list also contains the data owner's Facebook identifier. Thus when the AJAX callback is made to the trusted server 16, the trusted server first decrypts the encrypted user list and checks to see if the Facebook identifier of the person currently viewing the web page, supplied separately by Facebook in the callback, is contained in the list. If it matches then the trusted server decrypts the encrypted data and sends the content to the browser of the third party user; otherwise it sends a decryption failure error. The user can typically compile and change the list of third party users from time to time.
When the user wishes to mark the data as shared format and therefore viewable by specified third parties, an AJAX callback is made to the trusted server as before. The trusted server then performs the same check process as hereinabove described to see if the Facebook identifier of the third party user currently viewing the web page is the same as that of the user data owner.
If this check succeeds, the server updates the encrypted list of third parties allowed to view the data.
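The decryption flow set out above, as an added Go model of the trusted server: the public server holds only two ciphertexts per item (the data and its list of permitted viewers); on a view callback the trusted server opens the list first, checks the viewer's identifier against the owner and the listed third parties, and only then decrypts the data, otherwise answering with the decryption failure error; on a share callback it rewrites the list only if the viewer's identifier equals the owner's. This is example code written for this page, not part of the application or of any Facebook (RTM) API. The choice of AES-GCM, a single deployment-wide key, the Record and accessList layout and the user identifiers are assumptions; the page fixes only the behaviour.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

var ErrDecryptionFailed = errors.New("decryption failure") // the error the trusted server returns to an unauthorised viewer

type Record struct { // what the public server stores: two AES-GCM ciphertexts it cannot read itself
	Data []byte // sealed item, e.g. an e-mail body
	ACL  []byte // sealed JSON accessList: the owner's identifier plus authorised viewers
}

type accessList struct {
	Owner   string   `json:"owner"`   // the data owner's platform identifier
	Viewers []string `json:"viewers"` // authorised third parties; empty means private
}

type TrustedServer struct{ aead cipher.AEAD } // the separate server that alone holds the key (assumption: one key per deployment)

// NewTrustedServer keys the server with a 256-bit AES key.
func NewTrustedServer(key [32]byte) *TrustedServer {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)   // AES has the 16-byte block size GCM requires
	return &TrustedServer{aead}
}

// seal encrypts with a fresh random nonce, prepended to the ciphertext.
func (s *TrustedServer) seal(plain []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // without randomness there is no safe way to encrypt
	}
	return s.aead.Seal(nonce, nonce, plain, nil)
}

// open reverses seal; a wrong key, truncation or any tampering yields ErrDecryptionFailed.
func (s *TrustedServer) open(sealed []byte) ([]byte, error) {
	if n := s.aead.NonceSize(); len(sealed) >= n {
		if plain, err := s.aead.Open(nil, sealed[:n], sealed[n:], nil); err == nil {
			return plain, nil
		}
	}
	return nil, ErrDecryptionFailed
}

// readACL decrypts the list; on any failure it returns the zero list, which matches nobody.
func (s *TrustedServer) readACL(rec Record) (acl accessList, err error) {
	raw, err := s.open(rec.ACL)
	if err == nil && json.Unmarshal(raw, &acl) == nil {
		return acl, nil
	}
	return accessList{}, ErrDecryptionFailed
}

func (s *TrustedServer) writeACL(rec Record, acl accessList) Record {
	raw, _ := json.Marshal(acl) // a struct of strings cannot fail to marshal
	rec.ACL = s.seal(raw)
	return rec
}

// Store encrypts a new item for owner; it starts in the private format (no viewers).
func (s *TrustedServer) Store(owner string, plain []byte) Record {
	return s.writeACL(Record{Data: s.seal(plain)}, accessList{Owner: owner})
}

// Share is the "mark as shared" callback: the list is rewritten only if the viewer is the owner.
func (s *TrustedServer) Share(rec Record, viewerID string, viewers []string) (Record, error) {
	acl, err := s.readACL(rec)
	if err != nil || viewerID != acl.Owner {
		return rec, ErrDecryptionFailed
	}
	acl.Viewers = viewers
	return s.writeACL(rec, acl), nil
}

// View is the decrypt callback: open the list, check the viewer, and only then open the data.
func (s *TrustedServer) View(rec Record, viewerID string) ([]byte, error) {
	acl, err := s.readACL(rec)
	allowed := err == nil && viewerID == acl.Owner
	for _, v := range acl.Viewers {
		allowed = allowed || v == viewerID
	}
	if !allowed {
		return nil, ErrDecryptionFailed
	}
	return s.open(rec.Data)
}

func main() {
	srv := NewTrustedServer([32]byte{}) // all-zero demo key, constructed for the example
	rec, _ := srv.Share(srv.Store("user-1001", []byte("Lunch on Friday?")), "user-1001", []string{"user-2002"})
	body, err := srv.View(rec, "user-2002")
	fmt.Println(string(body), err)
}
```

Two points the model makes visible. First, every check depends on viewerID being the identifier the platform itself supplied in the callback, as the description has Facebook do; if the browser could assert its own identifier the list would protect nothing. Second, because the list is authenticated ciphertext, the public server can neither read it nor alter it to admit a viewer: a modified list fails to open and the request falls to the decryption failure path. A production design would additionally bind each ciphertext to its record identifier through GCM's additional data, so a list could not be moved between records, and would use per-user rather than deployment-wide keys.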
Thus the security system allows data such as Emails to be stored in a secure fashion on a public server, ensuring that the user can view their Emails but unauthorised third parties cannot.
Advantageously, unencrypted private data is not sent to the web browser. If a user decides to share an Email, the trusted server allows decryption of only that Email for third parties which the user can specify and authorise.
With reference to Figure 2 there is illustrated a Facebook (RTM) web page 22, showing details of friends 28 in the right frame 24, and an advert 30 in the left frame 26. Three friends are visible, and associated with each are graphical icons to indicate their online status 32, and the previous website visited.
Clicking on the previous website icon brings up the corresponding web page.
It will be appreciated by persons skilled in the art that the present invention may also include further additional modifications made to the device which do not affect the overall functioning of the device.