December 12, 2005 4:00 AM PST

Browsers to get sturdier padlocks

The yellow security padlock in Web browsers, weakened by lax standards and loose supervision, will get reinforced next year with tougher requirements and browser updates.

The browser icon was designed to show that traffic with a Web site is encrypted and that a third party, called a certification authority, has identified the site and vouches for its validity. But in recent years, standards of verification have slipped, undermining the sense of security implied by the padlock.

To solve that problem, a group of companies that issue the Secure Socket Layer certificates are working with major Web browser makers to develop a new type of "high assurance" certificate. The informal organization, dubbed the CA Forum, has held three unpublicized meetings this year and plans to meet again next year, representatives from the companies involved told CNET News.com.

News.context

What's new:
A group of companies is working to rebuild trust in the SSL security certificates issued to Web sites by developing industrywide standards for a stronger, "high assurance" product.

Bottom line:
The tougher certificates, coupled with browser developments, could help fight "phishing," which threatens the multibillion-dollar online retail market.

For more info:
More on browser security

"We as an industry must look into trust threats," said Melih Abdulhayoglu, chief executive of Comodo, a certification authority based in Jersey City, N.J., that set up the first CA Forum meeting. "You want the padlock to be meaningful. At the moment the value is confused because some providers issue certificates willy-nilly."

The planned new security certificates, allied to Web browser changes, are meant to help rebuild trust in the Web and fight phishing in particular.

The lock icon was designed to assure consumers that online transactions, such as banking and shopping, are protected. As such, it's key to Web commerce, a big business: Forrester Research predicts online retail sales in the United States will grow from $172 billion this year to $329 billion in 2010.

The issue has become more urgent with the advent of phishing scams, which use phony Web sites to trick unsuspecting victims into giving up sensitive information. Some phishers have used valid certificates to give their fraudulent sites a sense of legitimacy with a padlock icon.

"The level of identification that certification authorities do today is subject to somewhat broad standards," said Rob Franco, lead program manager for IE security at Microsoft. "In a world where users get phished and sites try to misrepresent themselves, I think it is important to have a new standard with more identity backing."

Behind the padlock
Today's SSL certificates contain an encryption key, which the certification authority attests belongs to the organization noted in the certificate. Its task is to verify an applicant's credentials, so that Web site users can trust the information in the certificates.

Initially, all certificate providers performed thorough checks of applicants before they issued a security certificate for a Web site. Several years ago, however, some providers relaxed their background checks in order to offer cheaper certificates, and the rest of the market followed, industry members said. Some companies will supply a certificate based on little more than a valid e-mail address, for example.

"The problem with a basic certificate is that the level of screening is too low, and the validation method at the browser is not easy enough for average user," said Jim Maloney, chief security officer at Corillian, which provides online banking technology to more than 100 banks, including Wachovia, JP Morgan Chase and Capitol One. Right now, people have to click on the padlock to get more information about who the certificate belongs to.

IE 7 padlock

Global financial institutions lost at least $400 million in 2004 due to phishing schemes, according to Financial Insights, part of analyst company IDC. Online threats have also instilled fear in consumers. Nearly half of U.S. voters in a survey said fear of identity theft was keeping them from conducting business online, the Cyber Security Industry Alliance reported in June.

Browsers are part of the certification problem. Certificates are regarded as equal by the applications, irrespective of the credentials and practices of the certification authority. All sites with an SSL certificate get the same padlock display.

"Web browsers have not been able to deal with the different kinds of certificates, which meant that it did not matter how strong the verification was by the certification authority, and some took advantage of that," Gartner analyst John Pescatore said.

When the padlock was first invented by Netscape in the early days of the Web, it stood for a secured connection with an identified Web site. That changed when some certification authorities started lowering their verification standards and discounting certificates, said Judy Shapiro, vice president of marketing at Comodo.

"Browsers did an end-run around this. Nobody expected anyone to delete what was a key part of the certificate issuance process, which was the business verification," she said. "Browsers were unprepared to display high assurance and low assurance certificates in a different way."

But that is set to change next year, with Microsoft planning to release Internet Explorer 7 and makers of other Web browsers also contemplating changes in the way their applications handle SSL certificates.

The move by browser makers is partly why certification authorities such as VeriSign, Comodo, GeoTrust and Cybertrust are banding together in the CA Forum to come up with an industry wide agreement on a new, highly verified certificate. The group has met informally to work on standard guidelines for issuing such certificates three times this year, in New York, Boston and Montreal, representatives from member companies said.

CONTINUED: The greening of IE 7…
Page 1 | 2

14 comments

Join the conversation!
Add your comment
It's the users
You should put padlocks on users since no matter what you do 99% of the time it's the user who clicks on attachments that are clearly a virus


<a class="jive-link-external" href="http://otherthingsnow.blogspot.com/" target="_newWindow">http://otherthingsnow.blogspot.com/</a>
Posted by SqlserverCode (165 comments )
Reply Link Flag
What an inane comment
Thanks for trying to redirect this issue somewhere else and not at all lend any idea to the problem at hand
Posted by volterwd (466 comments )
Link Flag
Ditto the inane comment
Even if this article had anything to do with viruses, which it doesn't, attachments that contain viruses are seldom, if ever, 'obvious'. The only time you can generally recognize them is when you've been warned beforehand.
Posted by Michael Grogan (308 comments )
Link Flag
RE
From your comment I am entirely sure you understand the purpose of the padlock, the technology behind it, and what they're trying to do. Viruses are different issue, this is concerned with making it harder for phishers etc to spoof a website. Instead of the current system of issuing SSL certificates which are basicly issued on little more the persons or companies word they won't do anything ethically suspect. The new process will make it harder to get certificate because companies who want them will have to prove they deserve one.

It true these certificates can be used to sign downloads, that's not the primary purpose as far as this article goes.
Posted by unknown unknown (1951 comments )
Link Flag
what will be next?
Ultra high assurance certificates?
Posted by Steven N (487 comments )
Reply Link Flag
Wrong impression
Your article called "Browsers to get sturdier padlocks" gives the wrong inpression that IE is leading the way with address bar highlighting. Mozilla Firefox has had this feature for some time. Firefox also displays a dialog that allows the user to view the certificate which IE does not currently do...
Posted by malcolm-d (5 comments )
Reply Link Flag
Incorrect
1&gt; Double-click the lock in IE to see the certificate.
2&gt; Firefox's address bar highlight applies to all SSL certificates, not just enhanced validation certs.
Posted by bayden (7 comments )
Link Flag
Comodo Pushing Antiquated Verification
It comes to me as no surprise that Comodo would be behind such a move. They are kind of like the Entertainment Industry. They refuse to change and modernize their Industry to provide the end user with a higher quality product. Instead they insist everyone should curb their business model to fit the needs of Comodo.

I have no problem with an SSL provider verifying the details of someones identity prior to issuing a certificate. I also understand that with security comes a certain level of inconvenience. However Comodo uses antiquated methodologies that leave the door open to counterfeiting and put the total burden of proof on the end user. Using facsimile copies of Article of Incorporation is antiquated and only keeps the honest people in line. I can print Articles of Incorporation and fax them all day long. They also don't accommodate for larger entities that have multiple locations for Retail, Technical, Administrative, and Sales office. You then have to send a letter on Company letterhead documenting the addresses. Again I can print and fax those all day.

Comodo needs to stop whining and invest in modern verification techniques to offer a quality solution that is well balanced between security and inconvenience. They also need to invest in tech support. 4 day turn around on customer support issues gives you plenty of opportunity to switch to the competition that usually answers the phone and gives the customer what they want.

Comodo is grasping at strings and playing the emotional security card to keep on offering an inferior product plagued with inconveniences instead of keeping up with the competition and offering quality solutions.
Posted by stroletti (2 comments )
Reply Link Flag
VeriSign Employee Attacks Comodo
It is always fascinating to read about someone attacking another
company as using antiquated verification techniques,
particularly when that person works for their largest competitor,
in this instance, VERISIGN. Comodo, whom I DO NOT WORK FOR,
but whose product we use, is clearly far and away the more
technically superior company which is probably why it is the
fastest growing company in SSL field. We did exhaustive
research before choosing Comodo, and Verisign actually was
fourth on our list of preferences for the very reasons that Steve
Troletti posted. I am not surprised at all that he wrote what he
wrote which is an outright unmitigated lie. Shame on him.
Posted by BuckyFuller (3 comments )
Link Flag
VeriSign Employee Attacks Comodo
It is always fascinating to read about someone attacking another
company as using antiquated verification techniques,
particularly when that person works for their largest competitor,
in this instance, VERISIGN. Comodo, whom I DO NOT WORK FOR,
but whose product we use, is clearly far and away the more
technically superior company which is probably why it is the
fastest growing company in SSL field. We did exhaustive
research before choosing Comodo, and Verisign actually was
fourth on our list of preferences for the very reasons that Steve
Troletti posted. I am not surprised at all that he wrote what he
wrote which is an outright unmitigated lie. Shame on him.
Posted by BuckyFuller (3 comments )
Link Flag
VeriSign Employee Attacks Comodo
It is always fascinating to read about someone attacking another
company as using antiquated verification techniques,
particularly when that person works for their largest competitor,
in this instance, VERISIGN. Comodo, whom I DO NOT WORK FOR,
but whose product we use, is clearly far and away the more
technically superior company which is probably why it is the
fastest growing company in SSL field. We did exhaustive
research before choosing Comodo, and Verisign actually was
fourth on our list of preferences for the very reasons that Steve
Troletti posted. I am not surprised at all that he wrote what he
wrote which is an outright unmitigated lie. Shame on him.
Posted by BuckyFuller (3 comments )
Link Flag
Big Phish ...
The main goal is to allow Verisign and others to take back the market and counter the trend toward lower cost certificates.
It's a shame browser makers are participating in this scam.
Posted by My-Self (242 comments )
Reply Link Flag
RE
I am not sure it's really a scam. If anyone can can get a certificate based on little more than their word and do as they please with impunity the certificates means very little.
Posted by unknown unknown (1951 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.