Extended Validation SSL, More Secure or Just a Racket?

Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."

Color coded?

Verisign say 99 per cent of sites will be get the "ok" and the address bar left white. Only outfits which fork out for an extended validation SSL will get the psychological filip of "green for go". Firms will have to stump up about 150 per cent of what they currently do for an SSL certificate.

I'm colorblind. Would I ever notice the difference?

Yes.

IE 7 will have different icons on the location bar to indicate that a site has the "higher" level of "security" (translation: "bought the new certificate").

Re:Color coded?

Don't worry. Once consumers realize that the new "super duper" certs are being given out to phishers as well, Verisign will come out with a 3rd level of verification ("extra super duper certificates") that cost 50% more, and they'll have to go to a numbering or lettering scheme ("1", "2", "3"). This will also facilitate the periodic addition of new levels whenever consumers realize Verisign still isn't doing the job they say they're getting paid to do.

Re:CACert

The Mozilla foundation did not have a good set of criteria for including a cert. Originally they pretty much just used the same ones as IE (pay a big heap of money). Now they do have a set of rules, and the CACert people are trying to prove that they comply with them. It should be done Real Soon Now(TM).

Secure?

Has anyone found an effective way of cracking regular SSL? Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

Re:Secure?

Has anyone found an effective way of cracking regular SSL?

No.

Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

No.

I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

No.

SSL (and TLS) aren't encryption algorithms, they're protocol standards. These protocols make use of existing encryption algorithms to secure data. Many of these algorithms have a variable level of complexity, depending on things like key size. Since security (including encyrption) is always a tradeoff of resources versus security, the goal is to tweak the configuration parameters (again, such as key length) to find a level of security such that an attack against the cipher is less profitable an option than the next best choice, such as kidnapping the document's author. Those who require greater security can use turn up the complexity at the expense of using more resources.

As computation capability increases, the complexity of encryption system is increased to compensate, usually by increasing key length. If a flaw is discovered in a given encryption algorithm making it too easy to break, or if the algorithm isn't capable of being expanded to account for better decryption technology (such as DES) then that algorithm is discarded in favor of some stronger replacement. SSL remains the same.

Verisign's "Extended Validation" program has nothing to do with cipher strength, key length, or encryption. Instead, it's indicative of the vetting process that the company had to undergo to get the certificate. To get a certificate for citibank.net, I have to verify that I own that domain. I don't, necessarily, have to verify that I represent Citibank [1]. Under this High Assurance program, Verisign will vouch, not only for the validity of the domain, but also for the validity of the organization owning that domain.

This is a Good Thing, since there currently is only one tier of validation. An SSL certificate is designed to prevent man-in-the-middle attacks, which it does well. What it doesn't protect against (though we act as if it does) is forged identity attacks. Certificates used for financial transactions, for example, should go through a stronger vetting process than certificates used for securing a blog.

[1] In reality, almost all CAs do extended verification when the other party sounds like a high-profile company or financial institution. Nonetheless, Mistakes do happen [washingtonpost.com].

Re:Secure?

GoDaddy High Assurance SSL. [godaddy.com]
Comodo Trusted SSL. [trustlogo.com]
GeoTrust True BusinessID. [geotrust.com]

Business identity validation SSL certificates have been around for a long time. The only thing different about VeriSign's offering is that they're partnering with Microsoft to have the bar turn green if their more expensive cert is detected, to the disadvantage of all other SSL providers. This is an attempt by VeriSign to make it effectively necessary for businesses to use their cert so customers won't think that their site is insecure.

There's so much wrong with this attempt to gain a monopoly without adding anything of value to the market... but par for the course for VeriSign.

It's called "open source"

Hey Verisign, it's called "open source". If you'd like the feature added submit a patch and they'll consider it. Until then the people working on it will finish when they can. Thanks.

I don't get it

I had never heard of "Extended Validation SSL" so I went to Google. Among the hits was something from Thawte, so I went there. It turned out to be a FAQ [thawte.com]. This FAQ contained such gems as:

4. Why is High Assurance/Extended Validation SSL being implemented?

Answer:

Improved online identity assurance, and improved browser representation of online identities, will empower users to better protect themselves against malicious and suspicious activity, which has gradually been eroding user confidence in digital security, including online shopping and banking. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

And:

6. What is the difference between High Assurance/Extended Validation/Enhanced Validation SSL certificates and existing SSL certificates?

Answer:

The online identity assurance process is intended to be more comprehensive and standardized across the entire industry. Whereas currently online identity assurance processes vary from CA to CA, the new standards/processes under discussion by the CA Browser Forum, will have to be adhered to by all CAs if they wish to offer High Assurance/Extended Validation SSL certificates. This will encourage greater confidence in CAs as well as the processes that are used to vet and issue digital certificates. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

Is it my imagination, or is this new Extended Validation SSL thing, in the end, just a bunch of paperwork? I may simply be missing the point. If someone can point to a better description of this thing that makes sense, please do so.

Re:I don't get it

Overall, this seems like a way to make the customer pay again for the CA's own bad practices.

That pretty much sums up this garbage. This is what SSL is supposed to already be, but as anyone who has filed for an SSL certificate already knows the whole thing pretty much works as a handshake... you're who, yes, ok, credit card with that name please, great, here you go.

And what about this "standardized across the industry"... I bought an SSL certificate from a 3rd party because they're in the Firefox/Opera/IE default trust lists, and because they cost $40 a year instead of $400, is this really a new industry standard or is this just Verisign's way of artificially creating a new market now that there's too much competition?

I'm going to guess

I'm guessing the certificate security itself isn't changed. What they're saying is they're just going to do more research on a company before they hand out certificates. Right now you fill in a form, fax it in, and *presto* you get certs. Now, I guess someone will actually call and check before issuing.

They could do this now with regular SSL, but they couldn't charge more money... too much competition out there.

The thing is, the encryption of SSL is not at issue; it's just a new product to market.

Re:I don't get it

I used to work at a certain SSL place, so here's what I could gather.

Right now to get a cert it's a phone call verification or something else that can be done remotely.

For High Assurance CAs, the issuer has to fly a person out to the physical site, take pictures of the site, go inside, take pictures of at least two(?) employees, get names of workers, get signatures, and so on. At least that was the idea last I heard.

Rather than a remote validation, which I guess is easier to forge and easier to issue a mistake to by accident, this requires in person validation and lots of other crap you can't do without actually going there and checking it out. You decide if it's worth it. If not seeing that "special green color" stops just a few customers from using your site, it probably is.

They SHOULD be doing this for everyone...

I think I remember reading about this either on firefox dev blogs or mailinglists or IRC. IIRC, the upshot was that verisign should be doing "extended validation" type things on all their clients. The validation they have now is really pretty shoddy, shoddy enough that they'd be risking getting kicked out if they weren't so big and so many websites would break. But that's just my memory, which could be bad, you'd have to look into it yourself.

Racket

More Secure or Just a Racket?

Definitely sounds like a racket to me. If you get the green bar by paying Verisign 150%, how does that differ from today's security certificates? Other than having to pay more money, and only being able to be verified by Verisign, that is. (Doesn't sound racket-y at all. Or was that rickety?) While they make it sound like the Green Bar is an excellent method of knowing that Amazon is really Amazon, I think it's actually a reverse attempt. By getting Amazon to use this spiffy new green bar, Verisign is attempting to legitimize their new technology in the eyes of the consumer. Little will actually change for the consumer, as he already knows when he's surfing Amazon.

The only place it would supposedly help is with Phishing. But since Phishing sites can't get certificates anyway, what does this help? If the lock isn't good enough, just change the URL Bar green for every VERIFIED certificate received. That will have the EXACT same effect.

The new certificates are double plus super good.

#1. In order to issue the new certificates, the Certificate Authorities (CA's) will be "required" to follow "industry standard" practices in "verifying" whomever applies for a new certificate.

#2. This additional "verification" is what will cost the additional money.

#3. Any business that does not pay the additional fees to be "verified" by "industry standard" practices will be ... the same as they are today.

#4. Phishing depends upon a person making a single error in judgment, one time. This will not stop phishing.

This will not stop anything. This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already. Imagine trying to run a business like that.

Boss - "I paid you last week, but you barely did any work. I'm going to fire you."

Employee - "If you give me a 50% raise, I'll perform the work to industry standards."

Boss - "Okay, that sounds like a good deal to me."

Riiight.

The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

In response, the verification industry in the form of the CA browser forum has come up with extended validation SSL, where the certificate really is a guarantee of kosher status. Honest.

Thank you The Register for saying what I was thinking.

Charging more to do what they should be doing.

The online identity assurance process is intended to be more comprehensive and standardized across the entire industry. Whereas currently online identity assurance processes vary from CA to CA, the new standards/processes under discussion by the CA Browser Forum, will have to be adhered to by all CAs if they wish to offer High Assurance/Extended Validation SSL certificates. This will encourage greater confidence in CAs as well as the processes that are used to vet and issue digital certificates. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

Err, excuse me.. isn't the verification of the identity of the applicant of the certificate exactly what the CAs are meant to be doing anyway?

I thought that that is why we had these 'trusted' third-parties, to vouch for the identity of the certificate owner - that is the fundamental basis of PKI and certificates. If they weren't doing that before (which they clearly weren't doing properly), what the hell were they doing?

So, we're paying them extra to get a 'fixed' version of something that they caused to be broken in the first place because they couldn't do their job properly. WHy should paying an extra 50% on top of their fees all of a sudden make us able to trust them now?

Are you really surprised?

So, a product is proposed by Verisign (the guys who tried to shove their shoddy SiteFinder search engine down your throat by abusing their monopoly) and Microsoft (the guys who have been shoving their shoddy DOS and Windows down your throat for decades by abusing their monopoly).

You know what? I'm quite sure it's a shoddy product they're trying to shove down people's throat for some reason...

more info

Verisign used to call "Extended Validation SSL" "High Assurance SSL". A little more info here:

http://www.verisign.com/ssl/ssl-information-center /faq/high-assurance-ssl.html [verisign.com]

This seems to be composed of two parts:

1. Some higher-level of SSL certificate for which Verisign will somehow verify the legitimacy of the company rather than just their domain, and for which they will presumably charge more $$$.
2. Visual indication in browsers that a site has such a certificate, and displaying who validated the certificate (i.e. Verisign.)

Scam...

This is coming from the people who stole DNS, and sell certificates for hundreds of dollars which take milliseconds to make....

Now we're supposed to get a more "trustworthy" cert and make our address bar green?

Fuck you Verisign.

Tom

Anti-Phishing Technology will make it moot

Nobody uses SSL to verify that a site is who they say it is - when was the last time 99% of users looked at a website's certificate?

SSL is still good for keeping the data encrypted between client and server. You don't need some super-duper certificate for that.

Anti-phishing blacklists will be what works well for end-users. Being told explicitly that they're on a dangerous website is far more effective than 'hmm, well the location bar is in green!'. They won't even look.

Do disreputable sites get them?

The only way to judge whether this is legitimate is to see whether sites that do fraudulent things (get traffic from mistyped domain names, send out "renewal" requests to non-customers, etc) are able to get these certificates. If Verisign is able to make sure that sites that do these things or have a history of doing them can't get certificates, then maybe they'll mean more than current SSL certificates.

Of course, there are technical issues with a PKI system without trusted root certificates, so it might not work even then.

Uh, what was the middle choice again?

"More secure or just a racket?"

C'mon, ScuttleMonkey, are you trying to get a job as a pollster for Karl Rove?

"Would you be more likely or less likely to vote for John McCain for president if you knew he had fathered an illegitimate black child?"

All the brower teams and SSL CAs agreed to this

The article is, not surprisingly, VeriSign's version of events. The Extended Validation standard emerged from talks among a consortium of browser makers (the IE team, Mozilla, Opera and Konqueror) and a ghroup of SSL certificate authorities, which includes not only VeriSign but also geoTurst (since bought by VeriSign), Comodo, Entrust and Go Daddy. The group is known as the The CA/Browser Forum, the group of certificate authorities and browser developers that is working with the American Bar Association's Information Security Committee on finalizing an open standard for the validation process, which is to be followed by all participating CAs. So this isn't just a VeriSign issue, but the culmination of an 18-month process.

The plan was for all the browsers to implement the color bar scheme, based on IE's implementation. There were optimistic announcements by all involved, but no final standard has emerged. VeriSign and other SSL certificate authorities are preparing to start selling these in January. It's not clear to me if Firefox/Mozilla has actually opted out or is just moving more slowly than MSFT in incorporating the changes in the browser. Mozilla tends to be deliberate about SSL-related changes in the browser.

Spinal Tap Syndrome...

..."but our Verisign certificate goes up to 11!"

What about this paragraph?

One snarl-up for Mozilla may have been working out an alternative to the rest of Microsoft's site-rating system. As well as getting dishing out green address bars, servers at Redmond will blacklist dodgy and suspect sites, which can look forward to red and amber flashing up.

I don't feel all paranoid about this, and I think the technology is a good concept, but dang, do we want any for profit company to be the one in charge of maintaining these lists? And what's the appeal process, if my online store got listed red or amber for even a couple weeks at the wrong time, that's a serious hit to my business. Now, like I said, I'm not really concerned that MS is going to go off and start red flagging sites they have a grudge against, I generally trust them, but do we even want to give any for-profit the temptation? (I wouldn't want to take this responsibility on as part of my company, I'd much rather start a specific organization for it which was completely transparent and accountable)

racket?

Verison is involved.
Everything Verisign does is a racket.
Therefore, it's a racket.
Q.E.D.

Where's the specification?

Has anyone actually been able to find the specification for "high assurance" certificates? Apparently this is being closely held. The spec comes from something called the "CA Browser Forum", which is invitation-only and doesn't seem to have a web site. A standard was supposed to be issued in August, but apparently agreement wasn't reached until a meeting in September. There are many press releases, but no hard data.

So that's why it's not in Mozilla.

It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying Party Agreement.

The way it's supposed to work is that the certificate issuer bears financial responsibility for misidentification of the certificate owner. Some certificates from Verisign have a Relying Party Agreement [verisign.com] that does provide a financial guarantee to the party relying on the certificate - $100 for a class 1 cert, $5000 for a class 2 cert, and $100,000 for a class 3 cert. Most of the other issuers have relying party agreements which promise nothing and deliver less.

So what's happening is that, soon, you'll be able to tell the difference between the crap certificates and the good ones. Before you buy. The idea is that if you put your credit card into a site that showed a green toolbar in IE, and it wasn't really the company it should have been, you can collect from the certificate issuer. This puts certificate issuers on the hook for phishing losses.

Unfortunately, the rules and the Relying Party Agreements for the new certificates haven't yet appeared, so we can't tell if the rules are tough enough to make this work. Since they're being drafted by the certificate issuers, there will probably be some loophole that lets them off the hook.

SSL and Extended SSL

Honestly, I believe that there should be a WC3 conference to contribute a single CA that makes its way onto all browsers. Give the WC3 CA site an automated system for generating certs, including an open API and then combine DNS registration protocals with the CA gen protocals. Publicly open the API, and charge small, if anything. This service is an easy one to implement. The real issue is getting browsers to add it to its automatically trusted CA list. I can create SSL at home, but I can't get browsers to add my home web onto the trusted CA list by default.

Microsoft

"See only we are secure"

phffft

The problem with CAs...

... is that they are a commercial venture. They will sign just about anything as long as they are paid. I have seen more than one piece of malware signed by Thawte. The whole model of third party commercial CAs is badly flawed in concept. One only needs to pay a CA like Verisign or Thawte to appear legitimate to the average user and then proceed with whatever nefarious purpose one desires.

I trust a self-signed certificate more than one signed by Thawte or Verisign. (I do trust Entrust though, as they are Canadian)

Extended Validation SSL? Is it 256 bit? I think not (what would be the point?). 128 bit SSL is 128 bit SSL regardless of who signs it and how. You must trust the server you are dealing with in the first place, SSL is merely there to make your cummunications with that server private (all the more so if self-signed).

I expect that this "Extended Validation" is an implicit admission that up till now they have been signing pretty much anything as long as they get paid. Even so, it is not up to a CA to assure users that a particular site or application is not nefarious in purpose.

The signing CA model is flawed and very misleading to the average user. I say it does more harm than good.

Fund raising idea for firefox

Mozilla.org should get into the SSL certificate reselling business and set the location bar to green when one of the mozilla signed certs is present. Verisign could then have the option of paying a royalty to mozilla.org for each extended certificate if they want green URL bars too.

SSL is worthless anyway

Have you audited any of the dozens of CA certificated that ship with your OS?

Do you fetch a new CRL for each of them whenever you access a site using SSL?

It is Verisign's job

...as a Certificate Authority to ensure that any sites they issue certificates to are trustworthy. All PKI systems are based on this kind of trust model. If there is any lack of trust/confidence in online ssl-encrypted commerce, it is their fault. Merely because they have been ignoring their role as a trust arbitrator and giving out certs to anyone, they decide now to actually do their part, charge more, and have Microsoft put a flashy "green for go" interface on it.

Then, of course, you must slam Firefox for "losing the browser war" by not keeping up by making their URLs turn green. You know, (speculation alert) you can probably bet Microsoft patented the green url indicator anyway, locking Firefox out.

CardSpace anyone?

So far nobody has mentioned InfoCard/CardSpace. I think you will find that one of the major pushes for the new extended certificates is to improve the user experience with respect to security. Presently anyone can get an ordinary SSL certificate - a phishing site can easily obtain an existing SSL certificate that will allow them to fool more average joe users that no certificate at all. With an extended certificate a company's name, location and logo are also included as part of the certificate so it should be much easier for uneducated users to make the connection between the certificate and the organization whose site they are visiting and more difficult for the phishing sites to do so. So the new certificates provide a better way for websites to prove their identity to users and aim to provide a consistent way of presenting this information to users so that they can make a choice as to whether or not they trust a site.

For details see the section titled Improved User Confidence in the Identity of Web Applications in Introducing Windows CardSpace: http://msdn.microsoft.com/library/en-us/dnlong/htm l/introinfocard.asp/ [microsoft.com]

CardSpace is a Good Thing. Check out Kim Cameron's blog http://www.identityblog.com/ [identityblog.com] for ongoing coverage. Microsoft is doing everyone a big favor in the identity space - they fully acknowledge their mistakes of the past (e.g. Passport) and are very open in terms of what they are doing and how they are doing it. Further, the specifications behind all of this are unencumbered (see http://www.identityblog.com/?p=574/ [identityblog.com].

Inform author

A Firefox implementation of extended validation can only be a matter of time, since the Mozilla Foundation knows in order to compete it cannot afford for its browser to be just as good as IE7; it has to be better.

Will someone please inform the author and Verisign that Firefox is BETTER then IE7.

How often is sensitive information is stolen during transmission? I always hear about hackers stealing information of past customers. So, what does the new SSL has to do with better security?

You want TECHNOLOGY? Ok, here's some.

"Technology?" Give me a break. They're looking at what authority signed the cert, and if the web browser has been told to dogmatically trust that authority more than others, then it turns something green.

Actually, it's not a bad idea. There are degrees of trust, and showing it to the user is fine. But you bet your ass this is mostly just a cashgrab from Verisign.

A Firefox implementation of extended validation can only be a matter of time, since the Mozilla Foundation knows in order to compete it cannot afford for its browser to be just as good as IE7; it has to be better.

Good news. There's a way to do this, that will absolutely embarrass MSIE, making its version of https look completely insecure by comparison, and screw Verisign over, in the process.

Support an OpenPGP-based cert model [gnu.org] (perhaps using GNU TLS library [gnu.org], perhaps not). Suddenly, you can have certs that are signed by multiple authorities, including users themselves, and display a whole spectrum of trust metrics. Equifax can make mistakes and issue an incorrect cert to a bank [washingtonpost.com], but can three CAs all make the same mistake, without a conspiracy? And what if you get the bank's fingerprint on your snailmail statements, or there's a sign showing the fingerprint when you walk into it, and thus you can cert it yourself? What if you haven't ever been to the bank (ok, I can't imagine that) but you have 3 friends who have, and you have certified them, and told your computer they are each marginally trusted, and they all certify the bank? Three friends are sure as hell a lot more trustworthy than some faceless corporation named Verisign, whose identification policies you don't even know, whose private key storage policy you don't even know, and in fact doesn't have a single employee you have even met, assuming they have any employees at all and aren't a robot in the basement of a building at the NSA.

It's purely a money-making scam for Verisign

It's purely a money-making scam by Verisign (and other CAs). The only thing high-assurance about "high-assurance" certs is the assurance that you'll be charged more money for them. See the Defcon talk Phishing Tips and Techniques - Tackle, Rigging, and How and When to Phish [auckland.ac.nz] for a discussion of why "high-assurance" certs are worthless except to the companies issuing them.

Enough centralized control - where's mod_pgp?

Okay, I admittedly have a relatively limited understanding of the technical details, but it's my understanding that the OpenPGP standard does essentially the same thing as the SSL encryption and authentication, but with an explicit "web of trust" model rather than a centralized "Verisign says they're okay" sort of model used by SSL.

Since Verisign et al don't seem to REALLY be verifying identities any more (unless now you pay extra for the "special" certificates), why keep paying them at all? Wouldn't it be possible to do a mod_pgp (or "mod_gnupg" or whatever) modules for Apache and an extension for firefox to use OpenPGP encryption instead of (or in addition to) SSL?

Anybody with better technical understanding want to comment?...

DRM All Over Again?

(1) There are few if any perfect encryption systems; security is based on the estimated computing (i.e., time) cost to break.

(2) Realistically we should only be interested in encryption that is "good enough" for our purposes. That is to say, systems that give us reasonable security in proportion to the risk involved. Expecting perfection is not realistic.

(3) "Good enough" keeps shifting, but it is possible to create systems that will be reasonably good enough for, say, about 5 years.

(4) Systems that use too much or unnecessary encryption are resource hogs, which in turn means they cost you unnecessary money and time.

(5) Thanks for nothing Verisign, you greedy bastards.

what's the price structure?

If the extra up-front validation is the main thing, Verisign should be charging a high one-time-fee for undertaking those steps, then charging a low low monthly rate to rest on their laurels and do nothing further. Somehow I doubt that's the price structure they adopted here.

Just a Racket ..

"The system is implemented in IE7 by turning the address green for sites holding a extended validation certificate"

Any bets on how soon will someone come up with a piece of code that turns the address green on bogus sites. Any security device that relies on the user having to do something or in this case not doing something, is bound to fail. How about a cert built into the DNS system that way when the browser queries a domain name the DNS server returns an 'invalid' code and nothing pops up in the browser. I here by put this in the public domain.

"Callan puts Mozilla's apparent heel-dragging on the new security technology down to the character of its development community"

fud injection: the inneficient Open Source process as compared to the professional commercial product.

"Firms will have to stump up about 150 per cent of what they currently do for an SSL certificate."

How about you get fined each time a phishing site is registered with Verisign.

was Extended Validation SSL, More Secure or Just a Racket?

So, yes Firefox is a chaotic open source software

If Firefox (Mozilla) is not keeping up with technology fast, where is the OS X support? E.g. will there be a Safari update to support that thing? Why not? There, Apple.com, traditional business with "security department", will they ship it?

If Verisign loses the "compatibility", there won't be any Verisign in matter of couple of years. Remember I said it.

SSL'es power comes from Compatibility. When you implement a SSL site with Verisign, you know your clients,even the ones using Opera on their Symbian PDA's will have no problem accessing it,with same security standard.

Oh, what about Symbian support Verisign? They don't keep up with technology too I guess :) I am nearly sure that it will be implemented on Windows CE next.

I remember first days when Outlook Express came with S/MIME support. When you wanted it, a IE page opened with huge Verisign icon asking for $$$ for a full feature certificate. It took years for some to figure there is Thawte.com which gives them for FREE.

Speaking about Thawte, look at that:
http://www.thawte.com/ssl-digital-certificates/hig h-assurance/index.html [thawte.com]

"To this end, and through our involvement with the CA Browser Forum, we are working with the American Bar Association Information Security Committee, browser manufacturers such as Mozilla, KDE, Microsoft and Opera as well as leading CAs to define industry standard online identity assurance processes that will serve to reassure all our customers of our dedication to building a trusted digital future that instills confidence and trust in all internet users."

So, there is a open technology which will be supported by ALL browsers (Read KDE as Apple). You know what to install from who.

Time for Firefox to simply bypass the cert cartel

The thing is, no one is going to care whether an address comes up green or white. If they ever start caring, no one is going to buy the cheap certificates anyway. This is just a mandated price increase by Verisign, or a moot point. Why not just stick CAcert's [cacert.org] root certificate in Firefox and be done with it?

Stupid design

I don't see why this required a change to SSL. CAs already have multiple root certs, one for each level of verification they support. All that was really needed was a configuration to set the bar color on a root by root basis. Then it would "Just Work" with no further changes.

That would be a much better model of how trust is supposed to work. It's not a question of how much Verisign trusts that X is really X, what matters is how much *I* trust Verisign to be right. If I believe that "Snake Oil Limited" is more trustworthy than Verisign, that's my business (or problem) and the color bar should reflect that belief. If *I* believe that Verisign's double sooper secret cert means something, then my color bar will reflect that.

I suppose they didn't do that because then people might decide they don't really trust Verisign that much and configure them to show up as the warning color. Either that or they were hoping to slow their competition down by making them jump through a few extra hoops.

The only software changes that are REALLY needed is a simple way to support virtual sites using https without assigning each site a port and proper support for a web of trust system.

VeriSign Offers Clarification, Apology

Tim Callan of VeriSign has written a blog post [verisign.com] clarifying and adding context to the statements in the Register that launched this thread. In the post, he offers an apology for the criticism of Mozilla. An excerpt:

"Let me start by stating that the story as written is very much not in keeping with the tenor of the actual conversation I had with the reporter in question. Among other things, the story makes it sound like VeriSign is critical of the Mozilla Foundation for not having announced support for the Extended Validation SSL standard at this time. Quite the opposite, in fact. Several members of the FireFox community have been key contributors to the Extended Validation effort and are active participants in the CA/Browser Forum. I never characterized Mozilla as heel-dragging in any sense of the word, and it was my effort to defend Mozilla's method of operation that led to the most regrettable moment in the article."

Re:Free Certs are Evil

If you're going to astroturf, you might want to make a snazzy new account instead of posting AC. Something like "geekgrrrl69" would at least catch the dumber denizens of the site.

Re:Free Certs are Evil

That's really irrelevant for the most part - I'm yet to find (though I'd love to be proved wrong!) free certs that have appropriate root certs in IE and Firefox, etc.