1. Technical Field
The discussion below relates generally to online data processing and, more particularly, to systems and methods for determining trust when interacting with online resources.
2. Related Background
An online party establishes trust using a certificate. For example, when a browser accesses a website using the Hypertext Transfer Protocol Secure (HTTPS) protocol or the Secure Sockets Layer (SSL) protocol, the website establishes trust by sending a certificate signed by a trusted certificate authority (CA or “root CA”). The certificate is based on “domain name binding,” which means that the certificate is issued only for a specific domain name and is only valid for that specific domain name, which can be identified using a uniform resource locator (URL). This may be referred to as “domain-based trust.”
Domain-based trust, however, may not be user-friendly. For example, different domain names can be confusingly similar (e.g., usersalliance.com, useralliance.com, and usersaliance.com). When a user unintentionally accesses a website created to deceive the user (e.g., useralliance.com), that website may present a valid certificate issued to and possibly stolen from another website (e.g., usersalliance.com) that the user may have intended to access. The user's browser may detect that “useralliance.com” is not the same as “usersalliance.com,” and ask the user whether he or she would like to continue accessing useralliance.com (the unintentionally accessed website).
Since useralliance.com was created with a confusingly similar name in a manner that may have been intended to deceive the user, the user may not realize that an “s” is missing, and thus may incorrectly respond (e.g., “Yes, continue accessing.”). The deceiving website useralliance.com may then present or mimic the web pages that the user is led to believe he or she is accessing (e.g., legitimate web pages) to improperly induce the user to provide personal information, financial information, or other valuable information.
Another problem with domain-based trust is that the certificate issued for one domain name is not valid for another domain name owned by the same entity. For example, a financial institution (e.g., Best FI) may own BestFIcards.com, BestFIbank.com, and onlineBestFIaccount.com. The financial institution “Best FI” would require separate certificates for each of those domain names to use them in online financial transactions with its customers. If Best FI decides to change the name of one of the three domain names or add another domain (e.g., for website access, email signing, code signing, or other function), the financial institution “Best FI” would need to obtain a new certificate.
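The two weaknesses described above (a certificate bound to usersalliance.com does not cover the confusingly similar useralliance.com, and a certificate for one Best FI domain does not cover its sibling domains) can be made concrete with a small check. The following is an added illustration, not code from the original text: it implements the ordinary domain-binding rule (exact match, or a single leftmost wildcard label) and then flags a hostname that differs from a known legitimate domain by only one or two characters. The certificate name lists and the list of known domains are constructed inputs; the edit-distance threshold of 2 is an assumed tuning value, not something the text specifies.

```python
"""Domain-bound certificate matching plus lookalike-domain detection.

Added illustration, not part of the original text. Certificate names are
passed in as plain lists standing in for a parsed X.509 subject; the
known-domain list is a hypothetical allow-list a browser or proxy might keep.
"""
from typing import Iterable, Optional


def hostname_matches(cert_names: Iterable[str], hostname: str) -> bool:
    """Return True if the certificate is bound to `hostname`.

    Domain-binding rule: a case-insensitive exact match, or a leftmost
    wildcard label ("*.example.com") that covers exactly one label.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        labels = name.split(".")
        if (
            labels[0] == "*"
            and len(labels) > 2
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:]
        ):
            return True
    return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(hostname: str, known_domains: Iterable[str],
                 max_distance: int = 2) -> Optional[str]:
    """Return the known domain that `hostname` closely resembles, or None.

    An exact match is not a lookalike. Among several near misses the
    closest one is reported. `max_distance` is an assumed threshold.
    """
    host = hostname.lower().rstrip(".")
    best = None
    for known in known_domains:
        k = known.lower().rstrip(".")
        if k == host:
            return None
        d = edit_distance(host, k)
        if d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best[0] if best else None


def assess(hostname: str, cert_names: Iterable[str],
           known_domains: Iterable[str]) -> str:
    """Combine both checks into a verdict a client could act on.

    "certificate-mismatch" is the case from the text where a certificate
    issued to (or taken from) one domain is presented by another;
    "lookalike-of:<domain>" is a validly bound certificate on a name that
    nearly duplicates a domain the user is known to use.
    """
    if not hostname_matches(cert_names, hostname):
        return "certificate-mismatch"
    lookalike = lookalike_of(hostname, known_domains)
    if lookalike:
        return f"lookalike-of:{lookalike}"
    return "ok"


# Constructed allow-list using the domains named in the text.
KNOWN_DOMAINS = ["usersalliance.com", "bestficards.com", "bestfibank.com"]

if __name__ == "__main__":
    # Deceptive domain presenting a certificate issued for the genuine one.
    print(assess("useralliance.com", ["usersalliance.com"], KNOWN_DOMAINS))
    # Deceptive domain presenting its own validly bound certificate.
    print(assess("useralliance.com", ["useralliance.com"], KNOWN_DOMAINS))
    # Sibling domain of the same institution: binding does not carry over.
    print(hostname_matches(["bestficards.com"], "bestfibank.com"))
```

The first `assess` call models the stolen-certificate scenario and returns "certificate-mismatch"; the second models a deceptive site with its own certificate, which passes domain binding and is only caught by the lookalike check; the final call shows that a certificate for BestFIcards.com says nothing about BestFIbank.com.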