Comments on: IE 7 gives secure Web sites the green light

Microsoft has flipped the switch on an IE7 feature that displays Web sites with new security certification in a green address bar.
Images: In IE7, green means go

[m.meister]

Shafting the little guy

$1000/year is an annoyance to large companies, but represents a
big smack to the head for smaller guys.

The economics seem questionable. If the price increase is do to
extra work, why are subsequent years not cheaper?

No -- this is designed to smack down the little guy, nothing more.

[bayden]

To prevent fraud

To prevent fraud, EV certs are only valid for two years; the full vetting must take place every two years. Many CAs offer discounts for the second year, and many offer EV for under 500$ to begin with.

Smaller vendors are less likely to get phished anyway.

[bayden]

To prevent fraud

To prevent fraud, EV certs are only valid for two years; the full vetting must take place every two years. Many CAs offer discounts for the second year, and many offer EV for under 500$ to begin with.

Smaller vendors are less likely to get phished anyway.

[lwrules]

Yeah but can we trust microsoft!!

Their admins have been abusing their own phishing filter!! Perfect example, please explain how the following ANTI-MICROSOFT page could possibly set off their PHISHING filter!! We have filled out their "this is not a phishing page" form ten times and they have refused to correct it... Use IE7 with phishing filter on and go to this page... http://www.realvegassins.com/why-microsoft-sucks.html

[bayden]

Because it's a spoof

The site you've linked to spoofs Google, and hence it's fraudulent.

[bayden]

Because it's a spoof

The site you've linked to spoofs Google, and hence it's fraudulent.

[timber2005]

Hmm...

But its VERISIGN that sells the certificate... not Microsoft. Therefore its VERISIGN's problem, not Microsofts. I bet you could prove how Microsoft is causing cancer, world hunger, and the redness of Mars. Stop being a microhater.

[lee9372]

Product exists - its' called McAfee Siteadviisor

The product already exists - it's called McAfee site advisor. It's free for personal use or extended service for small fee. It does pretty much thing. It's not perfect, but it does what Microsoft aims to do.

[alexr186]

More Crap

I think they are look at all of this wrong. Never in a phishing attack, did the correct url was shown. I think we just need to education people to use trusted url and not create a process that is not equal for everyone. I think new ssl should be banded in the US because it go against the ethics of the US. Yet again another bogus thing from Microsoft. Big Surprise? Another way to waste our money. I give it 6 months till people don't use it anymore. They should rethink the idea, that can work with all companies, because it is the small companies that make the whole world grow, not the big companies.

[BMR777]

Reminds me a bit of the Netscape / TrustE Scandal

This reminds me a bit of the Netscape 8 TrustE scandal where the new Netscape 8 browser was giving "safe" ratings to sites like hotbar and smileycentral just because they had a "secure" certificate. These sites could then install whatever software they pleased.

I hope M$'s system is at least a little better.
:)

[canadian_cnet_fan]

Cannot Save People From Themselves

I have only been into computers for 16 years and have more than the average user in terms of knowledge but i cannot code or anything. And I have FULLY decided you cannot save people from their own stupidity.

You can tell people DONT type in credit cards. Dont type in Soc Sec number. Or dont click on these links. Or DONT OPEN EMAIL ATTACHMENTS.

They do it anyway.

We have a big retail store up here (not the mighty W lol..) and they ask for your phone number EVERY TIME you buy something. Now they dont NEED IT. For any reason. And these knuckleheads STILL at least 9/10 give it to the cashier.

Let people beware on the net. There are enough tools around to figure out what to do. And if you DONT know what you are doing STAY OFF IT.

That is your ONLY SOLUTION. The hackers dont FORCE you to type anything they think it is a game with BIG dollar payouts. Your own ignorance is not their fault. Although why anyone who is smart enough to be a hacker spends time on that stuff i dunno.

[Woodmon]

The title of article is INCORRECT - EV SSL does not equal security

All sites can get mis-configured and/or hacked and become immediately insecure. (e.g. Super Bowl sites and Dept of Health sites today). If they had EV SSL certificates that would not have changed this.

The point is EV SSL does not equal security, but the article title suggests otherwise.

Maybe change title to "IE7 gives green light to web sites with EV SSL installed the green bar".

Just because a corporation purchased/installed an EV SSL certificate, so their website displays a green-filled address bar in IE 7, does not in any way mean the site is "secure". It just means it has an EV SSL cert installed.

Think of SSL as "extra assurance" and EV SSL as "extra extra assurance", but not "insurance".

SSL in this context refers to the owner of a website has purchased a certificate which, when properly enabled, will support the transmission of encypted info submitted via https, between a browser client and web server. (but this does not mean the site is secure).

And in addition, EV SSL indicates a "corporation" owning the website has purchased a more expensive certificate, indicating the company and it;s connection to the website has gone through a identity "vetting" process ... by specific providers handpicked to do the identity confirmation and to sell a certificate.

(Which cert providers were picked to provide/sell EV SSL certs, and the criteria those cert providers were chosen by (how they were themselves vetted), and who chose them, and the actual identity vetting processes are big questions for another topic and article).

Anyway...

EV SSL does not EQUAL security, just as SSL does not EQUAL security.

C-Net: Please do not throw around the word "secure" or "security" so lightly, in your article tiles or otherwise.

[everydaypanos]

What the news here?

If i get it correctly, EV SSL does not add anything new or better. It is the same weird technology with the difference that the one that requests the certificate has been "better" checked.

[rcrusoe]

It's just a marketing gimmick

Microsoft adds ev ssl to IE7.

Firefox, Opera, Safari, etc. have to do the same to avoid giving MS more FUD to spread around.

Joe Sixpack never uses the "feature" regardless of the browser he uses.

In a few months someone finds a way to hack the technology rendering it useless.

Cert agencies continue to sell ev ssl certificates to website owners who fear someone may actually use them.

IE remains the least secure browser available.

[rklrkl]

Scam to get more money for secure certs

I think this "EV SSL" is a con-trick to get companies to spend more money on secure certificates than they currently are. For example, Verisgn's already overpriced standard SSL certificate (in the UK, it's 259 pounds [$500] +VAT for just one year!) *already* goes through company validation (e.g. Verisign use WHOIS, Companies House, D&B Numbers and phone up the org contact via the company switchboard) - so what extra is EV SSL going to do?

Answer: Nothing. All it will mean is that a bit will be set in the secure cert to indicate "EV SSL" and IE7 will show a green background instead of a yellow background for the SSL URL. So the question does remain - if the standard Verisign SSL cert already validates the company, will they tell us what extra their EV SSL does? And is that worth more than doubling price?

I think what really happened behind the scenes is that Verisign and their ilk were upset that all their business was going to secure certs that didn't do any validation (e.g. GoDaddy's $20 or the even cheaper www.theplanet.com's $15) and wanted to grab customers back by making it clear in the browser how "expensive" the cert was, thus forcing companies down the route of paying up to 50 times more for their secure cert without actually improving the encryption of said cert one iota.

[technewsjunkie]

Bad, bad, news

Leaving Microsoft to determine who is secure is preposterous, and
a threat to non-Microsoft technologies.

[banderson1962]

Hey stupid

Microsoft is not determining who is secure. The companies issuing the certs are. IE7 is just confirming the cert type. Do your homework before you start bashing.

[rick47591]

IE7

IE7 is badddd news! It is full of security holes and it has more fluff than a herd of sheep. As usual, Microsoft added many features that will never be used by the norm and left out some features from IE6 that many of miss using and due to these features being gone, our work time has increased. Thanks Microsoft for making your latest internet explorer 7 such a joke.

[darix2005]

IE

something new

---
http://mortgage.emigrantas.com - all about mortgages

[rapier1]

Couple of comments

1) Its important to understand that this is to help protect against
phishing by making sure that the user has a distinct visual
reminder that this site has a valid certificate that has *not* been
self generated. Since small businesses are *rarely* the target of
phishing scams this is hardly an attempt to crush them.

2) While MS may have led this effort the story does note that
Firefox is following suit. MS *does* have some good ideas (like
the non standard html tag that lead to the development of AJAX)

[disco-legend-zeke]

Verisign = Evil Ripoff , Wait till a competitor emerges before buying.

While i applaud the emergance of a higher level of website ownership certification, it is sad to see it available only from a company with such a track record of overcharging and other monopolistic abuses of both customers and competitors.

When the first "under $400" certificates came out, Verisign bought up the providers to stifle competition.

In my long experience with Verisign, and parent company Network Solutions they have always attempted to maximize their gain at the expense of customers.

Foe example, if you fell for their new "wholesale" domain name service, you may have failed to notice some fine print that gives them exclusive ownership of your domain name if you fail to reply to a WHOIS confirmation in a few days. OUTRIGHT THEFT.

Now they have used their power to dream up an even more expensive product, and have somehow gotten Microsoft to buy into their scheme.

$700 extra to make a couple phone calls to verify a website ownership.

Let us hope their anti-competitive efforts are unsuccessful.

[wbenton]

The Red light... Green light.

Microsoft's green light will continue showing green even though it should be showing red once hackers spoof IE.

That will hopefully put on the red brake lights over the issue.

It will happen and probably MUCH sooner than Microsoft expects, but they won't come out with an immediate patch which means that one can't trust that little green light any more.

It WILL HAPPEN!!! The writing is on the wall. Microsoft is not security savy enough to prevent it from happening.

IE should be red lighted entirely with the green light going to Mozilla based browsers!!!

Walt

[C++ Genius]

EV SSL is nothing new, it's only patchwork

Quote: "However, the system has been weakened by lax standards and loose supervision."

What makes it certain that the same thing won't happen with EV SSL.

Why is EV SSL not the answer? This is why:
http://cybertopcops.blogspot.com/2006/11/why-ev-ssl-and-new-breed-of-anti.html

[Pepper1887]

I am confused. I have Internet version 7. when I repurchased McAfee (big mistake), I also purchased Secure EI7. Now SECURE has become the browser. I don't understand. Can anyone explain. I tried to get an explanation from McAfee, but no luck.