November 13, 2006 4:00 AM PST
With IE 7, green means go for legit sites
The colored address bar is designed to be a sign that a specific site can be trusted, giving people the green light to carry out transactions there. It is a weapon in the fight against phishing scams, which use fraudulent Web sites.
The idea is among the draft guidelines created by the CA Browser Forum, an organization made up of companies that issue certificates for Web sites and major browser makers. Last week, Microsoft decided to adopt that draft version for IE 7, released last month. It plans to add the functionality in January.
A primary concern is to help the targets of online scams, said Markellos Diorinos, a product manager for Windows at Microsoft. "If you look at the phishing problem today, it is usually about all the big brands that get hijacked," he said. "We addressed the problem that we have at hand today, and that was one very important thing for us."
There is broad agreement in the industry that Web browsers need a better way to identify trusted sites. The familiar yellow padlock icon found on sites today was designed to show that traffic with a Web site is encrypted and that a third party, called a certification authority, has identified the site. However, there's agreement that the system has been weakened by lax standards and loose supervision.
But the new system adopted for IE 7 has been causing friction, too. Initially, only corporations will be able to get the online trust indicator--a rule that shuts out smaller businesses. While the CA Browser Forum is still working on final guidelines that would include all legitimate Web sites, those could take a while to complete.
That has led some to complain that the software giant is moving too fast. Other browser makers are taking a "wait and see" approach, and some certificate issuers and small businesses say that Microsoft is jumping the gun in introducing the technology before everyone's on board.
"I believe this is an unfair standard," said Gregory Waldron, chief executive officer at Visual Water, a Conifer, Co.-based seller of water features and fountains. "It undoes what I think is really one of the greatest things about the Internet: the ability for anyone with a good idea and a little capital to compete with Amazon or Overstock."
IE 7 will display a green address bar when the user goes to a Web site that has obtained an "extended validation certificate," or EV SSL, given only to incorporated entities. This new type of security certificate will be sold by the same companies that today sell Secure Socket Layer, or SSL, certificates that allow traffic to be encrypted and that are indicated by a yellow padlock.
| What's EV SSL? |
| EV SSL stands for Extended Validation Secure Socket Layer. These are SSL certificates just like those that allow encrypted connections between browsers and sites. |
| The difference, though, is that the identity of each certificate holder has been verified. Requestors will be subject to a strict vetting process which all issuers must follow. |
The problem is that while it is easy for sellers of certificates to verify the authenticity of a corporation, it is tough to do the same for sole proprietorships, partnerships and other types of businesses. The CA Browser Forum has talked about guidelines to do this for over a year and has not yet been able to agree.
As Visual Water is a limited liability company, Waldron believes he won't be able to get its Web site displayed with a green address bar in IE 7. He says that Microsoft is putting him at a competitive disadvantage.
"What shocks me about Microsoft is that it makes so much money off of small businesses and then it seems that sometimes they forget we exist," Waldron said. "Incorporation doesn't make a company more legitimate than another company."
The Redmond, Wash.-based software giant recognizes that under the draft guidelines, not every legitimate Web site will be able to show a green browser bar. "That is definitely a legitimate concern, but it is not an immediate problem," Diorinos said, stressing that corporations bear the brunt of most phishing attacks.
Other browser makers
Opera Software and makers of the open-source Konqueror browser agree with Microsoft that the big-brand phishing problem should have first priority. Phishing is a prevalent online scam that uses Web sites faked to look like they belong to a legitimate provider to trick people into giving up personal information. The scams, which often target financial institutions, cost businesses millions of dollars and hurt consumer trust in the Net.
"Our main concern has been protecting users from phishing attacks. Most of these companies that the current guidelines cover are the victims of phishing attacks," said Michael Smith, part of the standards team at Opera.
Still, Opera is waiting to see how Microsoft fares with the green bar in IE 7 before adding such functionality to its browser, Smith said.