Small Businesses Worry About MS Anti-Phishing

Posted by kdawson on Tue Dec 19, 2006 07:16 PM
from the green-means-good dept.
prostoalex writes "Ever get that warm feeling of safety, when the anti-phishing toolbar on Microsoft Internet Explorer 7 turns green, telling you it's safe to shop on the site you're visiting? Well, you probably don't, but the millions of Internet users who will soon be running IE7 probably will be paying attention to the anti-phishing warnings. WSJ.com is reporting on how Microsoft is making it tough for small businesses to assure they're treated properly by the anti-phishing algorithm." From the article: "[S]ole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color. There are about 20.6 million sole proprietorships and general partnerships in the U.S... though it isn't clear how many are engaged in e-commerce... 'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud. 'All the business is going to go to the greens, it's kind of obvious.'"

Related Stories

[+] New Extended SSL Certs Make Online Debut 106 comments
An anonymous reader writes "The first of the new 'extended validation' SSL certificates went live this week, signaling the latest effort by the browser makers and major Web sites to further verify the identity of SSL applicants and help consumers spot fraudulent Web sites, the Washington Post's Security Fix blog notes. The technology is pretty simple: Visit a login page for a site that uses one of these EV certs and the browser bar turns green; likewise, the browser's anti-phishing filters can turn the URL field red when the user is at a known phishing site. There is still quite a bit of debate over whether this whole scheme isn't just a new money-making racket for the SSL providers, and whether small mom-and-pop shops will be able to afford the pricey new certs."
This discussion has been archived. No new comments can be posted.
  • 'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud.

    WTF? Shouldn't that read:

    'Are people going to notice the green or than white? No, they wont,' says WMF, an analyst at slashdot Inc. and an expert on stupid punditry.

    On a slightly different note, I think the submitter has gotten the new expensive secure certs gold-rush/scam confused with the anti-phishing tech. Not surprising 'cause the article melds them together in a rather confusing manner.
    • You even used bad grammar and spelling, like a Slashdot editor!
        • by ShieldW0lf (601553) on Tuesday December 19 2006, @07:57PM (#17307322) Journal
          Now there is a tangible commercial interest in creating phishing sites.

          Huge corporations that quietly invest money in polluting the internet with phishing sites that create an environment where "white = tangibly untrustworthy" will see returns on their investment because this exists.

          There was a business model in polluting the P2P networks so they become inefficient services. Then there were businesses that did it. Now there is a new business model. What comes next, you think?
          • Irony (Score:5, Insightful)

            by The Clockwork Troll (655321) on Tuesday December 19 2006, @10:14PM (#17308402)
            The irony of all this is that the only companies allowed to be deemed "trustworthy" are the corporate entities whose employees are shielded from personal liability.
    • by Anonymous Coward on Tuesday December 19 2006, @07:42PM (#17307148)
      I think any comment about IE7's anti-phishing system should note that it sends every website you visit to Microsoft. If you care even an iota about the privacy of your web browsing, you should choose "no" when IE7 asks you to enable its invasive anti-phishing system.
      • by killjoe (766577) on Tuesday December 19 2006, @11:01PM (#17308654)
        Today I was trying to use an SSH Java applet to connect to a server in IE7. IE7 refused to run the applet because it did not recognize the signature. I added the site to my trusted sites list but it still refused to load it. I went into advanced settings and told it to install unsigned ActiveX controls but it still wouldn't do it. After struggling for a little while longer I installed Firefox (this was not my computer) and ran the applet I needed to run. Installing Firefox and then installing Java took less time than my struggles trying to get IE7 to load an open sourced applet.

        All this "protection" in IE7 is there to try and limit which software you run. MS has decided that before they can beat open source they need to winnow the list of companies that deal with it and this is a good first step to do that with. If this same applet was signed by novell I am sure it would run in IE.
    • by thinkliberty (593776) on Tuesday December 19 2006, @07:54PM (#17307290)
      This can also work 2 ways.

      Users' favorite deal sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox to purchase anything from the site. They can also have a continue anyways button and store a cookie to not display the message again. That way when there is no green bar the users will know it is because they are not using an approved browser.

      YAY for Microsoft, let them shoot themselves in the foot.
  • Microsoft may think they've solved a problem and maybe they have, but this could be creating a bigger problem, though as usual it'll be no skin off of Microsoft's nose.

    Microsoft's stance (FTA):

    Microsoft says green shouldn't be considered a seal of approval, but rather a sign that the site owner is a legitimate business.

    It may not be formal logic (all farmers wear overalls, therefore if I wear overalls.... (hint: I am not a farmer)), but most internet users are going to make the simple logical leap and assume that not "green" implies not legitimate.

    It's easy for Microsoft to skate... they don't live the existence of normal business - it's a shame they have so much input into what others' business rules look like. This probably isn't fair. There has to be a legitimate way to become legitimate.

    • by coolgeek (140561) on Tuesday December 19 2006, @07:23PM (#17306918) Homepage
      I think there will be an obstruction of trade class action suit filed against Microsoft for this.
    • by tonywong (96839) on Tuesday December 19 2006, @07:33PM (#17307052) Homepage
      So Microsoft has decided that whitelisting companies is a good idea, and everyone else is to be lumped into a greylist and blacklist area? No wonder the individuals in the grey zone are peeved, the association with blacklist websites alone will tank sales.
        • Re:Really? (Score:5, Interesting)

          by mwvdlee (775178) on Wednesday December 20 2006, @04:35AM (#17310164) Homepage
          The only people this can significantly hurt are businesses which were doomed to fail in any case, and scammers.


          I have a small business, legally registered, which is a sole proprietorship. Even though my business is legal and even though I'm personally legally responsible for the business I cannot get this green bar.

          I can pay the money for it (even though this starts to smell like a scam itself; pay the money for the certificate or you'll be blacklisted) and would if I could, but simply because they haven't defined rules to verify my type of business (which would be easy; My business is registered, has a clean tax-record and I can provide any identification they'd need).

          So now MY business will not get on the whitelist because THEY fail to even set the rules by which I could get on the whitelist.

          I seriously think MS should hold out on displaying the bars until sufficient rules are in place that allow all legal businesses equal recognition as such.
  • by namityadav (989838) on Tuesday December 19 2006, @07:23PM (#17306912)
    I hope a user smart enough to notice and use the phishing feature of IE, would be smart enough to use Firefox instead
  • Countdown (Score:5, Insightful)

    by DrYak (748999) on Tuesday December 19 2006, @07:29PM (#17306990) Homepage
    Countdown to the phisher finding a way to subvert the system and obtain legitimate certs to green-light their scam sites :
    4 [microsoft.com]... 3 [cert.org]... 2 [cert.org]... 1 [grok.org.uk]...
  • by roca (43122) on Tuesday December 19 2006, @07:32PM (#17307036) Homepage
    Users will quickly learn to ignore the status bar color just like they've learned to ignore all other security warnings (thanks to expired certificates and other false negatives we throw in their face every day).
  • by Silicon_Knight (66140) on Tuesday December 19 2006, @07:39PM (#17307120)
    I'm a small business owner, and guess what, I would have ZERO problems with this "green bar" policy.

    Reason? I made damn sure that I'm incorporated as either a limited liability company (L.L.C) (www.3dprints4less.com - not up yet) or an S-corporation (www.seattleprototypes.com).

    In this day and age of litigation, there is NO reason why if you're going into business you should even consider sole proprietorship or general partnership agreement. IANAL, but go pick up any of the Nolo self-help books (recommended by lawyer friends) and they make it clear: The LLC and corp status is a bit more paperwork to upkeep, but offers MUCH better protection for the business owners. As a sole proprietorship, you are personally liable - down to your last nickel in your bank account, if your business incurs any liabilities. As a general partnership, you would be personally held liable for not only your business's liabilities, but the action of your partners as well (if your partner racks up a debt, skips town, and the creditor has easy access to you - guess who's in the hot seat).

    Not to mention, there's huge benefits you can get tax wise, from being a corporation or LLC. Corporate tax rates are a heck of a lot lower for one!

    So, Aunt Joy making custom stockings, please, go pick up a self help book and get your business setup properly. This way some slimebag ambulance chaser can't sue you out of the house you're growing old in when some irresponsible parent let their kid chew off a bit of the stocking and the kid chokes on it.

    -=- Terence
  • by wbean (222522) on Tuesday December 19 2006, @08:56PM (#17307846)
    We have a Web site where we process orders for other companies. The pages are customized to our customers' look and feel and the credit cards are processed against their accounts but all of the transactions take place on our server and use our certificate.

    We have no problem getting the new certificates but what company name should appear in the bar? If we put our own name in, we will confuse the end users who have never heard of us. If we want to use our customers' company name, then they each have to get their own certificate and we have to assign separate IP addresses to each of our customers - at the moment we only need one IP.

    What a nuisance.
    • Re:extortion (Score:5, Insightful)

      by yagu (721525) * <yayagu@gmEEEail.com minus threevowels> on Tuesday December 19 2006, @07:29PM (#17306994) Journal

      This isn't even a problem of "paying up".... the small one-person companies don't even qualify to get certified for the green status... no amount of money will anoint them. This is where it starts to be unfair.

        • by lordkuri (514498) on Tuesday December 19 2006, @09:08PM (#17307948)
          Bullshit. Why should I be forced to spend more money when a Sole Proprietorship is JUST AS LEGITIMATE as a Corporation. Matter of fact, a lot of people tend to think that a sole prop. is *more* legitimate, from years of dicking from most major corporations.
        • by Reverberant (303566) on Tuesday December 19 2006, @11:18PM (#17308750) Homepage

          If you can't get a certificate as a sole proprietorship, INCORPORATE! Problem solved. [...] And this day in this sue-happy age, there's plenty of other reasons incorporation is a good idea.

          Sole proprietor here. As someone who has spent a lot of time and energy looking at sole proprietorship vs llc vs s-corp incorporation, let me just mention that (contrary to popular belief) incorporation isn't some magic bullet that completely shields business owners/officers from liability - just ask Ken Lay. Incorporation does help shield business owners from the incompetence/misconduct of other employees. Of course this doesn't matter in one-person companies where (by definition) all the business decisions are made by the business owners.

          Incorporation does, in theory, separate business assets from personal assets. However, in our "sue-happy" environment, there is a very easy way to get around this separation: simply sue the business *and* the owner.

          There are scenarios when it makes sense to incorporate: lower tax rates (only worth it for six-figure revenues by my calcs), if you have employees, if you have multiple locations, if you're trying to establish a Chinese wall for separate-but-related business, etc.

          Incorporating in my case (1-person business) would mean hiring a lawyer and accountant to file the annual state forms, draw up the stock agreement, and file the taxes in return for a few hundred dollars in tax savings and pretty much no liability protection. I found it was much cheaper to buy gen liability and E&O insurance (needed anyway for certain gov't contracts I have), and remain a sole proprietor. I imagine that this is true for hundreds (if not thousands) of other businesses across the US.

    • by Kelson (129150) * on Tuesday December 19 2006, @07:49PM (#17307228) Homepage Journal
      Actually there's two issues -- site verification and anti-phishing -- which are getting mashed together because they act on a similar concept (how much can I trust this site?) and display through the color in the address bar.

      White is the default state, and says nothing about the site.
      Red is when the site matches a blacklist of known phishing sites. (If you have the antiphishing turned on, it will check with MS each time you load a new page.)
      Green is when the site uses one of these new SSL certificates which provides additional data and (supposedly) has a tougher approval process in which the certificate authority does an actual background check on the company instead of just making sure they have a working phone number. One hopes a blacklist hit will trump this.

      A secure site that uses a standard SSL cert and is not a known phisher will have a white location bar.
    • by John Hasler (414242) on Tuesday December 19 2006, @08:05PM (#17307378)
      > While getting the trade certificate...

      Not required in the US.

      > ...and license to collect tax...

      Not every US state has sales tax (and in those that do many goods and services are exempt).

      > ...obtaining a valid small business bank account is not.

      There is nothing especially special about a "small business bank account" here.