December 12, 2005 4:00 AM PST

Browsers to get sturdier padlocks

(continued from previous page)

"The certification authorities and browser vendors are coming together to identify what a high-assurance certificate should do," said Spiros Theodossiou, a product manager at VeriSign in Mountain View, Calif., the largest certificate authority. "We're trying to define a standard so that consumers can know that the Web site that they are on actually belongs to that organization."

Such a standard is lacking right now, and certificate vendors each have varying rules. For example, to get a certificate that carries the VeriSign name, an applicant must prove it is a registered business and that it has a right to use a specific Internet domain. VeriSign also verifies if the employee buying the certificate is allowed to do so. GeoTrust, a digital certificate provider in Needham, Mass., uses an automated verification system, and VeriSign's Thawte unit offers certificates that only require a confirmation via e-mail.

browser padlock
The padlock in IE's current status bar indicates the Web site has been certified, but not the level of verification.

The high-assurance certificates will go beyond what certificates do today, said Chris Bailey, the chief technology officer at GeoTrust. "They strongly bind the domain name of a Web site to an organization. They also strongly confirm the authority of a requestor to act on behalf of an organization, and they confirm that the business is real," he said.

The certificate authorities are working to make the vetting process for the new high-assurance certificates objective and consistent across the industry. The companies have involved the American Bar Association as an independent affiliate to help with the guidelines, representatives from several certification authorities said.

"We have come far and think that by midyear we will actually have a working product," Bailey said. VeriSign and Comodo also expect to have the new type of certificate available next year.

Round the corner
WebPay, provider of the Click&Buy an online payment service that works with Internet phone company Skype and Apple Computer's European version of iTunes, is waiting for the certificate change, said Fabian Siegel, chief technology officer of the Zurich, Switzerland-based company.

"This is the right step to make this SSL functionality consumer friendly. Those new SSL certificates will definitely help consumers secure themselves against phishing sites," he said. "The biggest problem in the industry today is that consumers don't understand much about the usage of SSL certificates in browsers."

Banks are also likely to adopt the high-assurance certificates, Corillian's Maloney said.

Makers of major Web browsers--Microsoft's Internet Explorer, the Mozilla Foundation's Firefox browser, Opera Software's browser and the open-source Konqueror browser--have called for the new certificates. Most browsers are expected to support those in their applications, with special user interfaces that go beyond simply displaying the padlock.

In the forthcoming IE 7, Microsoft plans to display a green-filled address bar for sites that meet the future guidelines and have been awarded the new certificate.

"We think this will help consumers identify sites that they know and want to do business with. It stands in contrast to the experience that they have when they visit a phishing site or the average everyday Web site," Microsoft's Franco said. IE 7 is currently in testing. A final version is scheduled for release by the end of 2006.

Developers for Firefox, Opera and Konqueror are also considering adding new display mechanisms to the padlock to call out the strongly encrypted and strongly validated certificates.

"If the certificate authorities can come to some agreement, implementing those certificates will become a priority," said Thomas Ford, an Opera spokesman.

Firefox developers are also looking at possible changes, said Chris Beard, vice president of products at Mozilla. While they have not yet settled upon a final design, they are performing a comprehensive review of potential SSL security enhancements, he said.

The biggest hurdle to overcome in creating the new type of certificate is bridging differences between certificate authorities, VeriSign's Theodossiou said. "If we can agree, it will definitely enhance the trustworthiness for consumers in dealing with Web sites," he said.

Previous page
Page 1 | 2

14 comments

Join the conversation!
Add your comment
It's the users
You should put padlocks on users since no matter what you do 99% of the time it's the user who clicks on attachments that are clearly a virus


<a class="jive-link-external" href="http://otherthingsnow.blogspot.com/" target="_newWindow">http://otherthingsnow.blogspot.com/</a>
Posted by SqlserverCode (165 comments )
Reply Link Flag
What an inane comment
Thanks for trying to redirect this issue somewhere else and not at all lend any idea to the problem at hand
Posted by volterwd (466 comments )
Link Flag
Ditto the inane comment
Even if this article had anything to do with viruses, which it doesn't, attachments that contain viruses are seldom, if ever, 'obvious'. The only time you can generally recognize them is when you've been warned beforehand.
Posted by Michael Grogan (308 comments )
Link Flag
RE
From your comment I am entirely sure you understand the purpose of the padlock, the technology behind it, and what they're trying to do. Viruses are different issue, this is concerned with making it harder for phishers etc to spoof a website. Instead of the current system of issuing SSL certificates which are basicly issued on little more the persons or companies word they won't do anything ethically suspect. The new process will make it harder to get certificate because companies who want them will have to prove they deserve one.

It true these certificates can be used to sign downloads, that's not the primary purpose as far as this article goes.
Posted by unknown unknown (1951 comments )
Link Flag
what will be next?
Ultra high assurance certificates?
Posted by Steven N (487 comments )
Reply Link Flag
Wrong impression
Your article called "Browsers to get sturdier padlocks" gives the wrong inpression that IE is leading the way with address bar highlighting. Mozilla Firefox has had this feature for some time. Firefox also displays a dialog that allows the user to view the certificate which IE does not currently do...
Posted by malcolm-d (5 comments )
Reply Link Flag
Incorrect
1&gt; Double-click the lock in IE to see the certificate.
2&gt; Firefox's address bar highlight applies to all SSL certificates, not just enhanced validation certs.
Posted by bayden (7 comments )
Link Flag
Comodo Pushing Antiquated Verification
It comes to me as no surprise that Comodo would be behind such a move. They are kind of like the Entertainment Industry. They refuse to change and modernize their Industry to provide the end user with a higher quality product. Instead they insist everyone should curb their business model to fit the needs of Comodo.

I have no problem with an SSL provider verifying the details of someones identity prior to issuing a certificate. I also understand that with security comes a certain level of inconvenience. However Comodo uses antiquated methodologies that leave the door open to counterfeiting and put the total burden of proof on the end user. Using facsimile copies of Article of Incorporation is antiquated and only keeps the honest people in line. I can print Articles of Incorporation and fax them all day long. They also don't accommodate for larger entities that have multiple locations for Retail, Technical, Administrative, and Sales office. You then have to send a letter on Company letterhead documenting the addresses. Again I can print and fax those all day.

Comodo needs to stop whining and invest in modern verification techniques to offer a quality solution that is well balanced between security and inconvenience. They also need to invest in tech support. 4 day turn around on customer support issues gives you plenty of opportunity to switch to the competition that usually answers the phone and gives the customer what they want.

Comodo is grasping at strings and playing the emotional security card to keep on offering an inferior product plagued with inconveniences instead of keeping up with the competition and offering quality solutions.
Posted by stroletti (2 comments )
Reply Link Flag
VeriSign Employee Attacks Comodo
It is always fascinating to read about someone attacking another
company as using antiquated verification techniques,
particularly when that person works for their largest competitor,
in this instance, VERISIGN. Comodo, whom I DO NOT WORK FOR,
but whose product we use, is clearly far and away the more
technically superior company which is probably why it is the
fastest growing company in SSL field. We did exhaustive
research before choosing Comodo, and Verisign actually was
fourth on our list of preferences for the very reasons that Steve
Troletti posted. I am not surprised at all that he wrote what he
wrote which is an outright unmitigated lie. Shame on him.
Posted by BuckyFuller (3 comments )
Link Flag
VeriSign Employee Attacks Comodo
It is always fascinating to read about someone attacking another
company as using antiquated verification techniques,
particularly when that person works for their largest competitor,
in this instance, VERISIGN. Comodo, whom I DO NOT WORK FOR,
but whose product we use, is clearly far and away the more
technically superior company which is probably why it is the
fastest growing company in SSL field. We did exhaustive
research before choosing Comodo, and Verisign actually was
fourth on our list of preferences for the very reasons that Steve
Troletti posted. I am not surprised at all that he wrote what he
wrote which is an outright unmitigated lie. Shame on him.
Posted by BuckyFuller (3 comments )
Link Flag
VeriSign Employee Attacks Comodo
It is always fascinating to read about someone attacking another
company as using antiquated verification techniques,
particularly when that person works for their largest competitor,
in this instance, VERISIGN. Comodo, whom I DO NOT WORK FOR,
but whose product we use, is clearly far and away the more
technically superior company which is probably why it is the
fastest growing company in SSL field. We did exhaustive
research before choosing Comodo, and Verisign actually was
fourth on our list of preferences for the very reasons that Steve
Troletti posted. I am not surprised at all that he wrote what he
wrote which is an outright unmitigated lie. Shame on him.
Posted by BuckyFuller (3 comments )
Link Flag
Big Phish ...
The main goal is to allow Verisign and others to take back the market and counter the trend toward lower cost certificates.
It's a shame browser makers are participating in this scam.
Posted by My-Self (242 comments )
Reply Link Flag
RE
I am not sure it's really a scam. If anyone can can get a certificate based on little more than their word and do as they please with impunity the certificates means very little.
Posted by unknown unknown (1951 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.