IE 7 gives secure Web sites the green light

Microsoft has quietly flipped the switch on a new feature in Internet Explorer 7 meant to combat phishing scams.

The software giant in early January made a change on its computer systems that allowed Web sites fitted with a new type of security certificate to display a green-filled address bar in IE 7, Markellos Diorinos, a product manager for Windows at Microsoft, said in an interview.

"We have rolled out many of the parts that are required to get it working. We're coming close to the point where all the moving parts are in place," Diorinos said. Microsoft plans to promote the green bar at next week's RSA Conference in San Francisco, an annual security confab kicked off by Microsoft Chairman Bill Gates.

The colored address bar, a new weapon in the fight against phishing scams, is meant as a sign that a site can be trusted, giving Web surfers the green light to carry out transactions there. The green bar already appears on the secured sites of Overstock.com and VeriSign.

VeriSign has about 300 customers, including online retailer Overstock.com, that have signed up for the green bar certification process, said Spiros Theodossiou, a senior product manager at VeriSign. The company plans to unveil the names of more participating Web sites at the RSA Conference, he said.

Phishing is a prevalent online scam that uses faked Web sites to trick people into giving up personal information. The scams cost businesses millions of dollars and hurt consumer trust in the Internet. Nearly $2 billion in U.S. e-commerce sales were lost in 2006 due to security concerns, a recent Gartner survey estimated.

"We want users to build up their confidence and feel safe again about transacting online," Diorinos said. "EV (extended validation) is one of many things we're doing to achieve that."

SSL price hike
IE 7, Microsoft's newest Web browser, will show a green address bar only when displaying a Web site that has an "extended validation certificate," or EV SSL. This is a new type of security certificate being sold by the same companies that sell Secure Socket Layer, or SSL, certificates that allow traffic to be encrypted and that are indicated by a yellow padlock in Web browsers.

There is broad industry agreement that Web browsers need to better identify trusted sites. The padlock icon used today was designed to show that traffic with a Web site is encrypted, and that a third party, called a certification authority, has identified the site. However, the system has been weakened by lax standards and loose supervision.

EV SSL certificates are just like those that allow encrypted connections between browsers and sites. The difference is that the identity of each certificate holder has been verified. Requestors will be subject to a strict vetting process that all issuers must follow. As a result, EV certificates cost more than traditional SSL certificates.

For example, Cybertrust sells conventional certificates for $230 a year, but charges $800 a year for an EV SSL certificate. Similarly, VeriSign sells EV SSL certificates for $995 a year, while its traditional certificates go for $399. Discounters sell the common certificates for much less. GoDaddy, for example, has prices as low as $19.99 a year.

"With EV we have a common vetting standard, which raises the cost. That is why you can't have these rock-bottom prices," Johan Sys, a senior director at Cybertrust, said in explaining the price difference.

Shutting out the little guy
The new system adopted by Microsoft has won both praise and criticism. Initially, only incorporated entities will be able to get the trust indicator--a rule that shuts out smaller businesses. The CA Browser Forum, the organization that drafts the rules for EV SSL certificates, is still working on guidelines that would include all legitimate Web sites.

"The CA Browser Forum is continuing to work on that issue and that is probably No. 1 on the agenda," Diorinos said.

The CA Browser Forum, comprised of companies that issue certificates for Web sites and major browser makers, is treading carefully. It doesn't want to weaken the security of the EV SSL certificates, VeriSign's Theodossiou said.

"We don't want to come up with a standard for nonregistered businesses that adds a loophole," Theodossiou said. "We want to make sure that the standard is correct. Trying to push out something that adds loopholes is pushing out something that devalues the green toolbar."

Microsoft is the first browser maker to adopt the EV SSL certificates. Some say the Redmond, Wash.-software giant even jumped the gun by adopting an unfinished standard for issuing the certificates. Other browser makers are still contemplating how to support the new certificates in their products.

"We are including support for EV certificates in Firefox 3, but we are still investigating how we will communicate the additional information to the user," said Window Snyder, security chief at Mozilla, which coordinates development of Firefox, the most used Web browser after IE. Firefox 3 is due in the second half of the year, Snyder said.

Representatives for Opera have said they are waiting to see how Microsoft fares with the green bar in IE7, which last month reached more than 100 million users, before adding such functionality to its browser.

Adoption of EV SSL certificates is expected to ramp up as more people become aware of the feature. "We think the adoption rate can take about 6 to 12 months until you hit a sweet spot where most of the high-profile Web sites will have it," Cybertrust's Sys said.

Microsoft plans to make promotional material available for Web site owners to explain what the green bar means, Diorinos said. "I will pop the champagne when we see widespread adoption of EV and when we start seeing users be more secure online," he said.

[m.meister]

Shafting the little guy

$1000/year is an annoyance to large companies, but represents a
big smack to the head for smaller guys.

The economics seem questionable. If the price increase is do to
extra work, why are subsequent years not cheaper?

No -- this is designed to smack down the little guy, nothing more.

[lwrules]

Yeah but can we trust microsoft!!

Their admins have been abusing their own phishing filter!! Perfect example, please explain how the following ANTI-MICROSOFT page could possibly set off their PHISHING filter!! We have filled out their "this is not a phishing page" form ten times and they have refused to correct it... Use IE7 with phishing filter on and go to this page... http://www.realvegassins.com/why-microsoft-sucks.html

[timber2005]

Hmm...

But its VERISIGN that sells the certificate... not Microsoft. Therefore its VERISIGN's problem, not Microsofts. I bet you could prove how Microsoft is causing cancer, world hunger, and the redness of Mars. Stop being a microhater.

[lee9372]

Product exists - its' called McAfee Siteadviisor

The product already exists - it's called McAfee site advisor. It's free for personal use or extended service for small fee. It does pretty much thing. It's not perfect, but it does what Microsoft aims to do.

[alexr186]

More Crap

I think they are look at all of this wrong. Never in a phishing attack, did the correct url was shown. I think we just need to education people to use trusted url and not create a process that is not equal for everyone. I think new ssl should be banded in the US because it go against the ethics of the US. Yet again another bogus thing from Microsoft. Big Surprise? Another way to waste our money. I give it 6 months till people don't use it anymore. They should rethink the idea, that can work with all companies, because it is the small companies that make the whole world grow, not the big companies.

[BMR777]

Reminds me a bit of the Netscape / TrustE Scandal

This reminds me a bit of the Netscape 8 TrustE scandal where the new Netscape 8 browser was giving "safe" ratings to sites like hotbar and smileycentral just because they had a "secure" certificate. These sites could then install whatever software they pleased.

I hope M$'s system is at least a little better.

[canadian_cnet_fan]

Cannot Save People From Themselves

I have only been into computers for 16 years and have more than the average user in terms of knowledge but i cannot code or anything. And I have FULLY decided you cannot save people from their own stupidity.

You can tell people DONT type in credit cards. Dont type in Soc Sec number. Or dont click on these links. Or DONT OPEN EMAIL ATTACHMENTS.

They do it anyway.

We have a big retail store up here (not the mighty W lol..) and they ask for your phone number EVERY TIME you buy something. Now they dont NEED IT. For any reason. And these knuckleheads STILL at least 9/10 give it to the cashier.

Let people beware on the net. There are enough tools around to figure out what to do. And if you DONT know what you are doing STAY OFF IT.

That is your ONLY SOLUTION. The hackers dont FORCE you to type anything they think it is a game with BIG dollar payouts. Your own ignorance is not their fault. Although why anyone who is smart enough to be a hacker spends time on that stuff i dunno.

[Woodmon]

The title of article is INCORRECT - EV SSL does not equal security

All sites can get mis-configured and/or hacked and become immediately insecure. (e.g. Super Bowl sites and Dept of Health sites today). If they had EV SSL certificates that would not have changed this.

The point is EV SSL does not equal security, but the article title suggests otherwise.

Maybe change title to "IE7 gives green light to web sites with EV SSL installed the green bar".

Just because a corporation purchased/installed an EV SSL certificate, so their website displays a green-filled address bar in IE 7, does not in any way mean the site is "secure". It just means it has an EV SSL cert installed.

Think of SSL as "extra assurance" and EV SSL as "extra extra assurance", but not "insurance".

SSL in this context refers to the owner of a website has purchased a certificate which, when properly enabled, will support the transmission of encypted info submitted via https, between a browser client and web server. (but this does not mean the site is secure).

And in addition, EV SSL indicates a "corporation" owning the website has purchased a more expensive certificate, indicating the company and it;s connection to the website has gone through a identity "vetting" process ... by specific providers handpicked to do the identity confirmation and to sell a certificate.

(Which cert providers were picked to provide/sell EV SSL certs, and the criteria those cert providers were chosen by (how they were themselves vetted), and who chose them, and the actual identity vetting processes are big questions for another topic and article).

Anyway...

EV SSL does not EQUAL security, just as SSL does not EQUAL security.

C-Net: Please do not throw around the word "secure" or "security" so lightly, in your article tiles or otherwise.

[everydaypanos]

What the news here?

If i get it correctly, EV SSL does not add anything new or better. It is the same weird technology with the difference that the one that requests the certificate has been "better" checked.

[rklrkl]

Scam to get more money for secure certs

I think this "EV SSL" is a con-trick to get companies to spend more money on secure certificates than they currently are. For example, Verisgn's already overpriced standard SSL certificate (in the UK, it's 259 pounds [$500] +VAT for just one year!) *already* goes through company validation (e.g. Verisign use WHOIS, Companies House, D&B Numbers and phone up the org contact via the company switchboard) - so what extra is EV SSL going to do?

Answer: Nothing. All it will mean is that a bit will be set in the secure cert to indicate "EV SSL" and IE7 will show a green background instead of a yellow background for the SSL URL. So the question does remain - if the standard Verisign SSL cert already validates the company, will they tell us what extra their EV SSL does? And is that worth more than doubling price?

I think what really happened behind the scenes is that Verisign and their ilk were upset that all their business was going to secure certs that didn't do any validation (e.g. GoDaddy's $20 or the even cheaper www.theplanet.com's $15) and wanted to grab customers back by making it clear in the browser how "expensive" the cert was, thus forcing companies down the route of paying up to 50 times more for their secure cert without actually improving the encryption of said cert one iota.

[technewsjunkie]

Bad, bad, news

Leaving Microsoft to determine who is secure is preposterous, and
a threat to non-Microsoft technologies.

[rick47591]

IE7

IE7 is badddd news! It is full of security holes and it has more fluff than a herd of sheep. As usual, Microsoft added many features that will never be used by the norm and left out some features from IE6 that many of miss using and due to these features being gone, our work time has increased. Thanks Microsoft for making your latest internet explorer 7 such a joke.

[darix2005]

IE

something new

---
http://mortgage.emigrantas.com - all about mortgages

[rapier1]

Couple of comments

1) Its important to understand that this is to help protect against
phishing by making sure that the user has a distinct visual
reminder that this site has a valid certificate that has *not* been
self generated. Since small businesses are *rarely* the target of
phishing scams this is hardly an attempt to crush them.

2) While MS may have led this effort the story does note that
Firefox is following suit. MS *does* have some good ideas (like
the non standard html tag that lead to the development of AJAX)

[disco-legend-zeke]

Verisign = Evil Ripoff , Wait till a competitor emerges before buying.

While i applaud the emergance of a higher level of website ownership certification, it is sad to see it available only from a company with such a track record of overcharging and other monopolistic abuses of both customers and competitors.

When the first "under $400" certificates came out, Verisign bought up the providers to stifle competition.

In my long experience with Verisign, and parent company Network Solutions they have always attempted to maximize their gain at the expense of customers.

Foe example, if you fell for their new "wholesale" domain name service, you may have failed to notice some fine print that gives them exclusive ownership of your domain name if you fail to reply to a WHOIS confirmation in a few days. OUTRIGHT THEFT.

Now they have used their power to dream up an even more expensive product, and have somehow gotten Microsoft to buy into their scheme.

$700 extra to make a couple phone calls to verify a website ownership.

Let us hope their anti-competitive efforts are unsuccessful.

[wbenton]

The Red light... Green light.

Microsoft's green light will continue showing green even though it should be showing red once hackers spoof IE.

That will hopefully put on the red brake lights over the issue.

It will happen and probably MUCH sooner than Microsoft expects, but they won't come out with an immediate patch which means that one can't trust that little green light any more.

It WILL HAPPEN!!! The writing is on the wall. Microsoft is not security savy enough to prevent it from happening.

IE should be red lighted entirely with the green light going to Mozilla based browsers!!!

Walt

[C++ Genius]

EV SSL is nothing new, it's only patchwork

Quote: "However, the system has been weakened by lax standards and loose supervision."

What makes it certain that the same thing won't happen with EV SSL.

Why is EV SSL not the answer? This is why:
http://cybertopcops.blogspot.com/2006/11/why-ev-ssl-and-new-breed-of-anti.html