5

I guess we can all agree that a screenshot of a website proves nothing; one can edit the HTML as much as one likes, take a screenshot and show a website displaying false information.

As far as I know, the way HTTPS works is it uses asymmetric cryptography in order to exchange symmetric keys, for performance reasons. This means that such a symmetric key is signed by the host of the website and sent to the user, but the host isn't signing every single piece of content it serves.

The question then is, is there any way one can prove some content came from a website?

user986730
  • 2
    Archive.org? Google cache? – schroeder Nov 23 '15 at 01:01
  • Archive.org or Google cache would work just as far as you could trust those sites. Though Google's word does have weight, it's not the same as a virtually unfalsifiable mathematical proof. – user986730 Nov 23 '15 at 01:19
  • 5
    Ask a reputable third party to do it (like an attorney) who will swear to its authenticity. – Johnny Nov 23 '15 at 01:28
  • 3
    You want unfalsifiable, mathematical proof that data has not been altered from the original, when you have *no control over the original*? Like Archive.org, Google cache, or a reputable 3rd party, the best you can hope for is a low-collusion scenario. – schroeder Nov 23 '15 at 04:39
  • 2
    Related question: [*Does SSL/TLS provides non-repudiation service?*](https://security.stackexchange.com/questions/103645/does-ssl-tls-provides-non-repudiation-service) – StackzOfZtuff Nov 23 '15 at 07:01
  • @StackzOfZtuff this is not a repudiation question at all... this is a tampering question. Please review STRIDE here: https://en.wikipedia.org/wiki/STRIDE_(security) – d0nut Nov 23 '15 at 15:38
  • 3
    @iismathwizard: On the contrary. This question is all about holding the other party accountable (not allowing them to repudiate) for content they previously generated. – StackzOfZtuff Nov 23 '15 at 16:10

4 Answers

3

> The question then is, is there any way one can prove some content came from a website?

Not using SSL. As you mentioned, the actual content is encrypted using a shared symmetric key. Therefore either you or the other party could have created the ciphertext.

A trustworthy 3rd party such as Google cache or archive.org should be sufficient in most contexts, as mentioned in the comments.

There are plenty of cryptographic techniques which can be used for this purpose, but in this context you'd need the site to cooperate by signing the actual content using their private key (which is contrary to how SSL works).

thexacre
3

Try http://www.icanprove.de. You can remote control a browser and all screenshots and logs are signed digitally. If more is at stake, contact a notary...

  • This is a very interesting service, and it's good to know it exists. Still, I wish I could have the content signed (even if indirectly) by the same site that posted the content and not rely on a trusted third party. Probably not possible without the cooperation of the first party itself, though =( – user986730 Jan 02 '19 at 14:54
0

The only really unfalsifiable proof would be making the site sign each chunk of data it emits, then verifying them on the client. However, this requires the parties to either pre-share public keys via some protected channel, or entrust them to a third party to validate their authenticity.

You can see where it's going - it's almost like SSL, but authenticating every piece of data instead of the session endpoint. It can be built with virtually any modern asymmetric encryption system; I see more problems with establishing trust between parties.

Eugene
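The two answers above (a shared symmetric key proves nothing to a third party; a per-content signature would) can be shown side by side. This is an added example, not code from any of the posters. It assumes HMAC-SHA256 as a stand-in for TLS record protection and a Lamport one-time signature as a standard-library stand-in for whatever signature scheme a cooperating site would really use; all function names and the sample content are constructed.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Symmetric authentication: the same key sits on both ends of the session.
def mac_tag(session_key: bytes, content: bytes) -> bytes:
    return hmac.new(session_key, content, hashlib.sha256).digest()

def mac_ok(session_key: bytes, content: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(session_key, content), tag)

# Lamport one-time signature: signing needs secrets only the site holds.
def lamport_keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def _bits(content: bytes):
    digest = H(content)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(priv, content: bytes):
    # Reveal one secret per digest bit; a key pair must sign only one message.
    return [priv[i][bit] for i, bit in enumerate(_bits(content))]

def lamport_verify(pub, content: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pub[i][bit])
        for (i, bit), s in zip(enumerate(_bits(content)), sig))

def demo():
    served = b"<p>Price: 10 EUR</p>"  # constructed: what the site sent
    edited = b"<p>Price: 1 EUR</p>"   # constructed: what the visitor claims

    session_key = secrets.token_bytes(32)       # known to site AND visitor
    visitor_tag = mac_tag(session_key, edited)  # computed without the site
    mac_accepts_edit = mac_ok(session_key, edited, visitor_tag)

    priv, pub = lamport_keygen()                # priv never leaves the site
    sig = lamport_sign(priv, served)
    return (mac_accepts_edit,
            lamport_verify(pub, served, sig),
            lamport_verify(pub, edited, sig))
```

The valid tag on the edited content is why a recorded session convinces no third party, while the signature check still depends on that third party trusting that `pub` belongs to the site.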
0

You can create a service that pulls the details of the site on a regular basis and archives the result. For example, the site NewsDiffs.org captures the state of major news sites and publishes the details of their articles as they change over time.

Obviously you have to know in advance what you are attempting to study for provenance. In other words, you would have to place the site under surveillance.

Otherwise, no.

zedman9991