Implementing a Secure and Trustworthy Badge Feature for Website Verification

[swiiny]

Feature description

Implement a new badge feature that can be easily displayed on websites.

The idea is inspired by Website Carbon which integrates a similar badge feature that can be easily embedded anywhere on a web page.

This screenshot was taken from the footer of Overthere link

Use cases

• Allow website owners to showcase their site as legitimate without adding extra steps for users.

Benefits

For website owners

• Retain users on the platform.
• Provide a safer and more trustworthy experience for users.

For users

• Enhance user confidence by confirming the legitimacy of the site.

For UNFraud

• Increase visibility.
• Broaden the usage range.

Questions/Discussions

1. Preventing Badge UI Copying on Impersonated Websites
   • Issue: How can we prevent malicious actors from copying the badge UI onto impersonated websites to deceive users?
   • Discussion Points:
     • Dynamic Badge Generation: Implement a system where each badge is dynamically generated with a unique identifier or cryptographic signature tied to the website's domain.
     • API Authentication: Require authentication via API keys or tokens to fetch and display the badge, ensuring only legitimate websites can access and display it.
     • JS Embed with Domain Verification: Use JavaScript embedding that verifies the domain of the site where it's embedded, ensuring it matches the domain registered for the badge.
     • Evaluation: Despite these approaches, none of them individually may completely mitigate the risk of UI copying on impersonated websites.

Future Implementations

• Applicability in Finance/Blockchain Industry: Consider potential future implementations in industries like finance and blockchain, leveraging the badge feature to enhance trust and security.

[Khodl]

Thank you for your suggestion!

While it is a great idea in theory, I completely agree with the first issue you raised: the badge/widget could be copied, providing a false sense of trust instead of encouraging individuals to verify information themselves in case of doubt.

I would like to add two more issues for consideration:

Issue 2: It is already challenging for large organisations to cooperate with external entities. They would need to vet Unfraud.org, and although it is a tech4good project, it is NOT a registered NGO or non-profit. From their perspective, this may not seem worthwhile. However, a possible alternative could be a widget that organisations can integrate into their websites, with regular audits from our code and database. This might make collaboration more appealing to them.

Issue 3: Many organisations use third-party platforms to recruit, which we can't vet on our side, as it might be used by legit organisations, but also by potential scammers.

Let's keep this ticket open to allow for further input and discussion.