[RndTbl] anti-spoofing geoloc in HTML5

Trevor Cordes trevor at tecnopolis.ca
Sun Feb 28 17:38:34 CST 2016


I'd like to have a web page / form that gets the geo-location (via HTML5 
and js) of the user (expected to be on a GPS phone) in such a way that I 
can be pretty sure they are at the coordinates I'm expecting.  In other 
words, I want them to only access my page when they are at a certain 
place.

I want to minimize hackers capturing / spoofing this page so that they 
can't do replay attacks, reverse engineering, etc.  I don't want them to 
trick the site into thinking they are at the place the next day when they 
are not.

The main page will be a form which requests geoloc and fills in a hidden 
form field with coords, and the user fills in some user text fields.  The 
results get posted to my server.

Since this is just a web page (not a native app), I understand I probably 
(almost assuredly!) can't lock this down 100%.  But maybe I could stop the 
average (smart-ish) Joe from spoofing it?

I've thought of a few ways to make the spoof harder: tokens, timestamps, 
js obfuscation of post data and code, etc.  I just thought I'd pick the 
brains of the MUUG geniuses for some ideas.
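
The "tokens, timestamps" idea from the post, sketched as a server-side check; this is an added example, not part of the original message, and the Python server, the function names, the 5-minute lifetime and the 150 m radius are all assumptions. It rejects a captured POST that is replayed later, but the coordinates are still whatever the client chose to send.

```python
import hashlib
import hmac
import math
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side key, never sent to the browser
MAX_AGE_S = 300                   # assumed: form must be posted within 5 minutes
RADIUS_M = 150.0                  # assumed: accepted distance from the expected place
_used_nonces = set()              # in production: a shared store with expiry

def _sign(nonce: str, issued: int) -> str:
    msg = f"{nonce}.{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(now=None) -> str:
    """Create the value for a hidden form field when the page is rendered."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains "."
    return f"{nonce}.{issued}.{_sign(nonce, issued)}"

def distance_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(a))

def verify_post(token, lat, lon, expected, now=None):
    """Return (accepted, reason) for one form submission."""
    now = time.time() if now is None else now
    try:
        nonce, issued_s, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False, "malformed token"
    if not hmac.compare_digest(mac.encode(), _sign(nonce, issued).encode()):
        return False, "bad signature"       # timestamp or nonce was altered
    if not 0 <= now - issued <= MAX_AGE_S:
        return False, "token expired"       # stops next-day replays
    if nonce in _used_nonces:
        return False, "token already used"  # stops immediate replays
    _used_nonces.add(nonce)                 # burn the token even if location fails
    if distance_m(lat, lon, *expected) > RADIUS_M:
        return False, "outside allowed area"
    return True, "ok"
```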

