Learning Home Safe Online Communication Make Your Website Trusted How to Store Private Keys

Make Your Website Trusted Using Authenticable Testimonials

Authentication Protocol for Website Testimonials

This page presents the solution for properly providing website testimonial. It is well structured, free and an all-win scheme:

• Win for the website visitor as they can confirm the quality of the website, product and/or service which they are considering.
• Win for the website owner as the visitor can confirm the authenticity of the testimonials on their website.
• Win for the testimonial-giver as they receive a back-link to their website, thus increasing their traffic and search engine ranking.

How to Make Your Website Trusted with Testimonials Protocol

Suppose that an individual or organization which will be attested, lets call them A, has a website offering products and services. Suppose that another individual or organization which will provide the testimony, lets call them T, has used the products/services of A and wishes to testify about them.

Typically T will give A the text of the testimonial and A will simply post it on their website. The visitors to the website of A will see the testimonial but have little reason to trust it.

In order to make the testimonial authenticable T has to make digital signature of the testimonial and provide it also to A. A publishes the testimonial and its signature on their website, as well as a link to the public key of T found on T's website. The visitors to the website of A then can use the signature of the testimonial and the public key to authenticate the testimonial, which can be done automatically with 2 mouse clicks using the Authenticate-Testimonial.org service or manually using Act On File or other capable software. In detail this procedure is as follows:

Create and Provide an Authenticable Testimonial - T (testifying) person actions

1. T writes the testimonial as a file directly embeddable in a webpage, such as text, html, pdf, image, etc.
2. T uses their own private signing key to sign the testimonial file using Act On File or other capable software.
3. T provides the testimonial file and its signature to A, as well as the URLs of the public key and preferred landing page on their website.

Publish an Authenticable Testimonial - A (attested) person actions

1. A embeds the testimonial file in the testimonials page on their website. The testimonial must be readable and download-able "AS IS".
2. A places a download link of the signature of the testimonial suitably.
3. A places a link to the T website landing page, where T has published its public authentication key.
4. A optionally places an automatic authentication link to enable the visitors to automatically authenticate the testimonial with 2 mouse clicks.

Authenticate Authenticable Testimonial - visitor actions

Automatic Authentication

1. Visitor clicks on the automatic authentication link.
2. When transferred to Authenticate-Testimonial.org the visitor verifies that the automatically populated controls contain URLs as expected.
3. Visitor clicks the "Authenticate Testimonial Now" button to authenticate the testimonial.

Manual Authentication

1. Visitor downloads the embedded testimonial file and its signature from the A website.
2. Visitor follows the link to the T website and downloads the public authentication key.
3. Visitor uses Act On File or other capable software to authenticate the testimonial using the downloaded files.

Comments and Conclusion

This simple protocol allows the visitors of the attested website to verify that the posted testimonials are genuine. The testifier does not necessarily need to have a website. It is sufficient for them to have authentic online presence where they can post their public authentication keys, for example: a blog, a Twitter or any other social media account where they could make their public authentication key(s) available for downloading.

Testifying websites receive back links to them. The more prominent the attested website is, the higher PR back link the testifier gets, as well as more traffic coming from the attested website. The protocol is not false testimonials proof. However, usually with not too much browsing the trustworthiness of a testifying website can become apparent, especially if it is a well-established site. For genuine testifying websites new visitors coming from attested websites are especially valued as in fact they are genuinely interested in finding out about the trustworthiness of the testifying website, and thus learn about it, and the services/products it provides.

Note: to generate public-private keys, digitally sign and authenticate files one can use the Act On File al-in-one software suite.

Note: Authenticate-Testimonial.org has is currently down.

---

Best Practices for Website Visitors when Authenticating a Testimonial

1. Use automatic authentication as it is simple, robust and fast. Be sure to verify that the auto-embedded URLs are as they should be.
2. If in doubt, use the semi-automatic authentication using the URLs of the testimonial.
3. If necessary, download the testimonial, its signature and the public key and use manual authentication.

Best Practices when Giving an Authenticable Testimonial

1. Testimonial writing and content:
   1. Give accurate and meaningful information about the product and/or service. Sign (position & name) and date the testimonial.
   2. Display the name, web address and/or other identity information of the attested entity. This prevents the testimonial from stealing.
   3. Display the testifying website web address. This helps to establish the trustworthiness of the testifier.
   4. Display the name of the public key. Name the public key to allow finding it on the webpage for downloading of public keys.
   5. Display the hash code of the public key, and the hash algorithm that was used to produce it. This helps to prevent errors.
   6. Display the address of the webpage on the testifying website where are listed its public keys for download. Do not use links.
   7. Display the address of the public key on the testifier website. Do not use links.
   8. Display the settings/parameters used to produce the signature. Including when using the Act On File standard/default settings.
   9. HTML (text) files are most suitable for testimonials as they are easy to embed, can be formatted, and are index-able by the search engines.
   10. Avoid using links as they may be deceptive.
   11. Content of an example testimonial file:
       
       This is an example of an authenticable testimonial. The purpose of this testimonial is to suggest an appropriate layout for testimonial files. Other layouts may be also suitable.

       Notes:

       • The top section in this layout design contains the testimonial message, date and signature. The reference data and the signature properties follow them.
       • Using links in the testimonial message is fine, but links in the reference data is not recommended as links can be deceptive.
       • Formatting the testimonial may be a good idea. However testimonials listed on the same page which are formatted differently may not be aesthetical.
       • Since testimonial files are embedded in the webpage displaying them, it usually is a good idea to set the width and height of the container such that less important information is viewable via scrolling as in.

       4-th April 2016
       MBBSoftware
       
       Attested:

       Name:

       Example Art Gallery

       Website:

       example-art-gallery.com

       
       
       Testifier:
       

       Website:

       mbbsoftware.com

       Public keys page:

       mbbsoftware.com/__public-keys/default.aspx

       Public key name:

       Example Art Gallery Key 1

       Public key hash:

       SHA1 = E7702064633FACEF0D207B8F9DBC3CF23B20E368

       Public key:

       mbbsoftware.com/__public-keys/example-art-gallery.com.example-art-gallery-1.public-key-auth-verify

       
       
       Signature properties:
       

       Hash:

       SHA1

       Flags:

       PKCS1

       Byte order:

       Big endian

       
       
2. Testimonial signing:
   1. Generate and use a new public-private key pair for each authenticable testimonial you sign and give. This allows you to revoke testimonials by removing the public key used to authenticate them from your website, without this affecting other testimonials. Note: use the same private key to sign a testimonial which has multiple versions, e.g. translations, as this is one and the same testimonial.
   2. Irrecoverably destroy the private key used to sign the testimonial immediately after signing it. This prevents from misusing the private key in the future. Use the Eraser module of Act On File to irreversibly destroy any file.
   3. Use the standard/default Act On File settings to produce the testimonial signature. This minimizes the possibility for errors.
3. Publish the public key on your website:
   1. Place the public key in a folder dedicated for public keys. Keeping tidy server helps the site maintenance.
   2. Include the attested website domain name and the title of the testimonial in the filename of the public key. Helps for easier maintenance.
   3. The public key must always be available for download for as long as the authenticable testimonial which requires it is online.
   4. Add a landing webpage for visitors coming from attested websites, listing your public keys from which they can be downloaded.
   5. Do not change the URLs of the public keys and the page listing them as they are referenced by the testimonials and attested websites.
   6. An example testimonial public key URL might look like this: http://www.website.com/public-keys/www.website.com.key1.public-key-auth-verify.

Best Practices when Publishing an Authenticable Testimonial - FOR WEB DEVELOPERS

1. Upload the testimonial file and its signature on the attested website.
   • It is recommended to use a dedicated folder for the testimonials and their signatures.
   • The following naming convention might be found helpful by some visitors and is recommended but not necessary:
     - testimonial filename format:

     [filename].[document type].[ext]
     

     - signature filename format:

     [filename].[document type].[ext].signature
     where [document type] is the type of the document, e.g. testimonial, review, document, etc.
   • Upload the testimonial on the website they testify for. Reminder: testimonials should contain the name and address of the attested website in order to prevent their unauthorized use by third parties on other websites.
2. Publish the testimonial ready for both automatic and manual authentication.
   • Automatic Authentication - use Authenticate-Testimonial.org and provide automatic authentication link to allow the visitors of your website to make a two click authentication of the testimonial. The Authenticate-Testimonial.org website can authenticate testimonials automatically based on parameters provided through the web-request query string. The parameters provide information such as the URLs of the testimonial which will be authenticated and other required files, and properties. For avoidance of confusions and best user (visitor) experience all parameters are mandatory.

     Testimonial File Parameters

     testimonial

     The URL of the testimonial file on the attested website.
     testimonial_hash_type

     The type of the hash used to produce hash code of the testimonial file in standard byte order. Recognized hash types are SHA1, MD5, SHA256, SHA384 and SHA512.
     testimonial_hash_value

     The hash code of the testimonial file in standard byte order, expressed as a string of hexadecimal values, e.g. 446CE282BE959832BC36866F8E. The hash type and value parameters help to prevent errors due to accidental replacement of the testimonial file and other similar. Use Act On File or other capable software to generate hash code when building an automatic authentication link manually, or the Generate Automatic Link service to directly create links.

     Signature File Parameters

     signature

     The URL of the signature of the testimonial file on the attested website.
     signature_hash_type

     Same as the testimonial_hash_type parameter but for the signature file.
     signature_hash_value

     Same as the testimonial_hash_value parameter but for the signature file.

     Public Key Parameters

     public_key

     The URL of the public key on the testifying website required to authenticate the testimonial.
     public_key_hash_type

     Same as the testimonial_hash_type parameter but for the public key file.
     public_key_hash_value

     Same as the testimonial_hash_value parameter but for the public key file.

     Authentication Process Parameters

     hash

     Hash algorithm used to create the signature. Recognized hash types are SHA1, MD5, SHA256, SHA384 and SHA512.
     flags

     Flags used to create the signature of the testimonial. PKCS1 is the only supported flag at the moment.
     byte_order

     Byte order used to create the signature of the testimonial. Available values are big_endian and little_endian.

     Administrative parameters

     referrer_page

     The URL of the webpage on which is placed the automatic authentication link. The webpage must be the same domain as the testimonial. The webpage existence on the same domain and the automatic authentication link on it are used as a test for the legitimacy of the request.
     error_notify_email

     Email address to which to send error notifications if testimonials authentications fail or cannot be performed. In order to avoid misuse of this service the provided email address must be on the same domain as the testimonial.
     language

     Selected language of the Authenticate-Testimonial.org website when reached following the automatic authentication link. Currently available languages are Bulgarian and English. Recognized values are BG and EN.
     Note 1: In order to use automatic authentication all parameters must be provided.
     Note 2: Remember to URL-encode the values of all parameters.
     
     
   • Manual Authentication - provide the data necessary for the testimonial authentication.
     • Place download links for the testimonial, signature and public key files as full, readable URLs so that the visitor can use them for semi-automatic authentication, or download the files for manual authentication.
     • Place links pointing to the testifying website and their public keys listing webpage.
     • Provide the signature properties required for the testimonial authentication.
     • Provide links to the Authenticate-Testimonial.org online service, and desktop authentication capable software e.g. Act On File or other.
3. Provide explanations of how to authenticate testimonials automatically and manually.
4. Be sure that all published authenticable testimonials can be authenticated.
   • Always verify that newly published testimonials can be authenticated properly.
   • Periodically verify that testimonials published on static pages are still authenticable (e.g. there is no missing file or other reason for testimonial authentication to fail).
   • Use scripts to verify that testimonials published on active pages are authenticable before showing them to the visitor, and if not hide them and send an error message to the web master. A simple but sufficient check is to verify that all related files are in place and their hashes match some expected values. Such measures will prevent from failures to authenticate testimonials due to accidentally overwritten or moved/deleted files, and at the same time will notify the web master about the issue.
5. Keep copies of the public keys for all testimonials. Should a testifying website lose the public key for the testimonial they gave you, e.g. due a server crash and lack of backup, then you could provide them with your copy of the original public key, instead of asking them for a new testimonial and/or signature.

Community Content (To enter your comments you must be signed in. Log in or create FREE account.)

Member Comments Be the first to comment.