Search

EP-4456484-B1 - ENCRYPTED INTERSTITIAL TECHNIQUES FOR WEB SECURITY

EP4456484B1EP 4456484 B1EP4456484 B1EP 4456484B1EP-4456484-B1

Inventors

  • GIBBONS, KEVIN
  • KEDLAYA, MADHUKAR NAGARAJA
  • SCHLENKER, CLAIRE MADISON
  • DISNEY, TIMOTHY
  • KHADKE, NITISH KISHORE

Dates

Publication Date
20260513
Application Date
20240429

Claims (8)

  1. A method, implemented by a security server system (140), for using an encrypted interstitial page, the method comprising: intercepting (202) a request for a webpage comprising a protected resource, wherein the request is sent from a client device to a server device; generating (204) one or more link tags or other mechanisms for referencing a corresponding one or more sub-resources included in the webpage; encrypting (206) the webpage, thereby generating an encrypted webpage; serving (208) an interstitial page to the client device, the interstitial page comprising: an encrypted portion comprising the encrypted webpage; an unencrypted portion comprising the one or more link tags or other mechanisms; and instrumentation code that, when executed at the client device, collects telemetry data; receiving (210) the telemetry data from the client device; performing (212) a threat analysis on the telemetry data collected in association with the request; and responsive (214) to determining, based on the performed threat analysis, that the request is allowed, transmitting a decryption key to the client device, wherein the decryption key is configured to allow the client device to decrypt the encrypted webpage.
  2. The method of claim 1, wherein the generating of one or more link tags or other mechanisms for referencing a corresponding one or more sub-resources included in the webpage comprises: scanning HTML code of the webpage to identify one or more sub-resource tags; and for each identified sub-resource tag, generating a link tag that is associated with a preload attribute.
  3. The method of claim 2, wherein the unencrypted portion comprising the one or more link tags or other mechanisms is configured to allow the client device to download the corresponding one or more sub-resources to a cache of the client device while the telemetry data is being collected and the threat analysis is being performed.
  4. The method of claim 1, further comprising: responsive to determining, based on the performed threat analysis, that the request is denied, performing a mitigating action with respect to the request.
  5. The method of claim 1, wherein the encrypting of the webpage is performed using symmetric key encryption.
  6. A security server system (140) comprising: a memory comprising programmed instructions stored thereon; and one or more processors coupled to the memory and configured to execute the stored programmed instructions to perform the steps of the method according to one or more of claims 1 to 5.
  7. A non-transitory computer readable medium having stored thereon instructions comprising executable code that, when executed by one or more processors, causes the one or more processors to perform the steps of the method according to one or more of claims 1 to 5.
  8. A security system comprising one or more security server systems (140) according to claim 6 and one or more client devices with memory comprising programmed instructions stored thereon and one or more processors coupled to the memory and configured to execute the stored programmed instructions to perform the steps of the method according to one or more of claims 1 to 5.

Description

CROSS-REFERENCE TO RELATED APPLICATION(S) This application claims priority to U.S. Provisional Application No. 63/462,903, filed on April 28, 2023. FIELD This technology generally relates to security techniques applicable to client and server systems and, more specifically, to encrypted interstitial techniques for web security. BACKGROUND Web and mobile applications and application programming interface (API) endpoints are being subjected to a growing number of sophisticated automation attacks resulting in large scale instances of fraud. This unwanted or malicious automation traffic to web and mobile applications can be perpetrated, by way of example, by: a) criminals looking to steal money or other value; or b) by businesses who want to appropriate another company's data to drive their own businesses. In particular, businesses misappropriating a company's website data are often labeled "scrapers" because they "scrape" inventory, pricing and catalog data off of public websites. By doing this, scrapers can disrupt user experiences for legitimate human traffic and dramatically increase a website's operating costs. Website owners generally lack visibility into the scale of their scraping problem as well as the tools to manage and, when necessary, prevent or limit scraping. However, the size and scale of the problem with criminals and scrapers is breathtaking. Between about 50% and 90% of traffic to websites is malicious or unwanted automation traffic. Unfortunately, blocking fraudulent or unwanted automation traffic, while permitting legitimate human sessions to proceed without user friction is very challenging. To websites and mobile applications, attackers may appear virtually identical to genuine users by, for example, hijacking their devices, simulating human behavior, and leveraging stolen identities. Additionally, these attackers are rapidly evolving tools and methods to perpetrate this fraud, making it harder for applications or even humans to tell the difference between real and fake users. One approach may be to place all sensitive resources behind an authentication flow by, for example, requiring a user to login to a website with a username and password corresponding to their user account before being able to access the resource, but this approach does not work for applications that do not involve the user of user accounts. Historically, the industry's typical approach to managing scraping attacks has been to serve a challenge to deter scraper bots from obtaining access to valuable resources. CAPTCHA is one example challenge that is often presented to stop unwanted scraping. CAPTCHA worked for a time, but scrapers have now learned how to technically bypass it, resulting in it being ineffective at limiting unwanted or aggressive scraping. In other words, the industry response to managing scraper traffic is both ineffective (e.g., scrapers can easily bypass challenges such as CAPTCHA), and it introduces painful friction for legitimate human traffic such as trying to solve challenges provided by CAPTCHAs. One technique for addressing these problems is use of an interstitial page, which loads a substantially blank page while a script gathers information about the browser environment that is used to make a determination regarding whether the browser should be allowed to access the requested resource (e.g., by determining whether the browser is being operated by an automated web scraper or a human user), and then loading the requested resource upon determining that access should be granted. However, while use of an interstitial page can be effective at preventing unwanted web scraper attacks, this technique may also create an undesirable delay with the loading of the requested resource because the user must wait for multiple additional network requests to complete before being able to access the resource. Patent document US2016/142438 discloses an example of method of identifying and counteracting Internet attacks, of Man-in-the-Browser and/or Man-in-the-Middle and/or Bot attack types; patent document US2020/177592 discloses examples of techniques for delayed serving of protected content adapted to determine that the client computing device is not bot-controlled. Accordingly, there are ongoing attempts to address these issues, but these attempts have had limited degrees of success and often cause undue friction or delay for end users resulting in undesirable decreases in usage and/or incomplete transactions for web content providers. SUMMARY A method implemented by a security server system (including, for example, one or more security server apparatuses, server devices, or client devices) includes intercepting a request for a webpage including a protected resource. The request may be sent from a client device to a server device. One or more link tags or other mechanisms corresponding to one or more sub-resources included in the webpage are generated. The webpage is encrypted. An interstitial page is served