Small Businesses Worry About MS Anti-Phishing 291
prostoalex writes "Ever get that warm feeling of safety, when the anti-phishing toolbar on Microsoft Internet Explorer 7 turns green, telling you it's safe to shop on the site you're visiting? Well, you probably don't, but the millions of Internet users who will soon be running IE7 probably will be paying attention to the anti-phishing warnings. WSJ.com is reporting on how Microsoft is making it tough for small businesses to assure they're treated properly by the anti-phishing algorithm." From the article: "[S]ole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color. There are about 20.6 million sole proprietorships and general partnerships in the U.S... though it isn't clear how many are engaged in e-commerce... 'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud. 'All the business is going to go to the greens, it's kind of obvious.'"
WTF? Phishing and certs are different issues. (Score:5, Insightful)
WTF? Shouldn't that read:
'Are people going to notice the green more than white? No, they won't,' says WMF, an analyst at slashdot Inc. and an expert on stupid punditry.
On a slightly different note, I think the submitter has gotten the new expensive secure certs gold-rush/scam confused with the anti-phishing tech. Not surprising 'cause the article melds them together in a rather confusing manner.
Smart enough to notice that green toolbar (Score:4, Insightful)
Re:going to have come up with a better way (Score:5, Insightful)
Given the fact (Score:3, Insightful)
That even Microsoft itself has allowed its security certificates to lapse in the past, I don't think this is going to mean much. As soon as the address bar goes white when getting updates from microsoft.com, people will start to ignore it.
Besides, the user sophisticated enough to notice the difference probably won't care - by now, he's already got a set of favorite bargain sites, and when their address bar stays white, he'll just assume they're too cheap to buy the MS cert. After all, how *do* they undercut the competition?
And I'm guessing that most people - if they notice at all - will not be any more cautious. After all, that's what they bought anti-virus for, right? I'd be willing to bet that the average user believes AV software protects them from everything bad that could happen when using a computer.
Countdown (Score:5, Insightful)
4 [microsoft.com]... 3 [cert.org]... 2 [cert.org]... 1 [grok.org.uk]...
Re:extortion (Score:5, Insightful)
This isn't even a problem of "paying up".... the small one-person companies don't even qualify to get certified for the green status... no amount of money will anoint them. This is where it starts to be unfair.
damned if they do, damned if they don't (Score:3, Insightful)
Anyone know what approach Firefox takes compared to IE7 here?
Sole Proprietorship (Score:3, Insightful)
From TFA, this is the reasoning behind the stocking saleswoman's problems. Now, I tend to disagree that it's difficult to find criteria for validating a Proprietorship, since I've formed one myself. While getting the trade certificate and license to collect tax are easy, obtaining a valid small business bank account is not. I'm thinking that those 3 taken as a whole should be enough information to determine whether the Proprietorship in question exists and is doing legitimate business, at least here in Canada.
I don't think Microsoft screwed up here, incredibly enough. They've released a new product based on standards (of all things!). It doesn't erroneously display this woman's site in yellow or red, and it will correctly display it in green when the forum which determined the new certificate standard makes it available to Proprietorships. The article accuses Microsoft of tilting the online commerce playing field heavily toward big business again, but this isn't really Microsoft's fault. I agree that the new certificate standard should have included everyone from the get-go, but you can't fault Microsoft for building this useful feature on the latest standard.
mandelbr0t
Gartner are idiots, so relax (Score:5, Insightful)
Re:Yeah, they will. (Score:4, Insightful)
Don't confuse ignorance with stupidity. There is a world of difference.
Re:damned if they do, damned if they don't (Score:4, Insightful)
Don't bother implementing any kind of "anti-phishing" crap and let the buyer be responsible for his own damn self for a change!
Re:WTF? Phishing and certs are different issues. (Score:5, Insightful)
Users' favorite deal sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox to purchase anything from the site. They can also have a continue anyways button and store a cookie to not display the message again. That way when there is no green bar the users will know it is because they are not using an approved browser.
YAY for Microsoft, let them shoot themselves in the foot.
Re:Yeah, they will. (Score:5, Insightful)
> an established corporate partner like Amazon or eBay. The benefits are obvious
Yes. Control. Amazon and Ebay can suck off most of the profits and prevent the small businesses from growing into competitors.
Re:WTF? Phishing and certs are different issues. (Score:5, Insightful)
Huge corporations that quietly invest money in polluting the internet with phishing sites that create an environment where "white = tangibly untrustworthy" will see returns on their investment because this exists.
There was a business model in polluting the P2P networks so they become inefficient services. Then there were businesses that did it. Now there is a new business model. What comes next, you think?
Re:Sole Proprietorship (Score:4, Insightful)
Not required in the US.
>
Not every US state has sales tax (and in those that do many goods and services are exempt).
>
There is nothing especially special about a "small business bank account" here.
Re:Spend the extra time and setup your biz correct (Score:4, Insightful)
You don't get a "green" cert. You get an EV-SSL, or, Extended Verification SSL. It's not like MS invented something horrible to extort money out of people. FYI, Firefox and Opera implement anti-phishing toolbars as well.
http://www.digicert.com/ev-ssl-certification.htm [digicert.com]
And, guess what? Cost of the EV-SSL, along with payments to banks, credit card processors, etc... are just a part of the cost of doing business.
-=- Terence
Summary makes a flawed assumption, MS another (Score:3, Insightful)
This depends on millions of new Intel machines being purchased after January 30. February and March are the slowest period of the year for any non-essential item, as people are recovering from their holiday spending binges. Retail box sales of Vista will be all but limited to hard core gamers who want DirectX 10 a year before any games actually take advantage of it.
Ok, so IE7 is available on XP if you have SP2 installed. Still not staggering market share if you ask me.
The typical user doesn't notice anything above the top of the page, including the address bar, which is why there's an anti-phishing toolbar in the first place. They'll only notice the color change the first time it happens because a semi-helpful, condescending dialog box will pop up, which the user will check the "do not display again" box, click OK, and continue on their oblivious way without having read the actual message. After that, they'll probably never realize that it changes colors, and if they do, they'll momentarily wonder why, and continue on their merry way.
If something is routinely ignored, it's not useful because it's not being used. This is just one more thing that users will ignore while they submit their credit card info to http://amazon.com.hahawepwnyou.com/ [hahawepwnyou.com] to buy the latest American Idol greatest hits CD.
MS is widely considered to overdo it with the handholding of Windows users, making everything seem cozy and easy, and then they go and implement this toolbar which only gives the illusion of security, in the hopes that the ignorant masses they've created will pay attention to it.
Not gonna happen. Phishing will continue until people learn to use the Internet, just like spam will continue until SMTP is replaced.
What happens when this is cracked? (Score:3, Insightful)
And we know that it's only a matter of time...
And the clincher is that the longer it takes to crack, the worse the ramifications are going to be when it happens.
Re:Really? (Score:1, Insightful)
When evaluating "trust" the green-ness of IE isn't very primary to the process. This is a problem that has been with man since he started drilling holes in seashells, all Microsoft did was add another tool to give IE users more information about who they're dealing with. It's not particularly specific, but that doesn't preclude it from being a useful method to prompt people to focus their attentions. Consumers with information and choices isn't bad. If her stockings are so expensive, shoddy, ugly, and unreliably available that even a little bit more information in the hands of potential customers is threatening to her business, it was a doomed venture which was wasting people's time anyway.
She reminds me of my insane neighbor who when a tree from her property hit MY house was upset I could find her public tax records on-line. The horrors! I was saved a trip, conspiracy! Saving people time and allowing them to make better considered decisions is the very essence of creating wealth.
Re:Really? (Score:3, Insightful)
Personally, no, but it is how a lot of people are likely to make decisions. That's the point.
Fortunately, our experience with RBLs shows that they never make mistakes, and small businesses never get seriously hurt by them.
Ah, a good, old-fashioned protection racket. I'm so glad they're still alive and well, even in these high-tech times.
Yes, because small businesses are never successful unless they're scammers.
Re:Spend the extra time and setup your biz correct (Score:1, Insightful)
And so we're back to "Nice site you have there, it'd be a shame if we told everyone who visited it you were a scammer." Of course, back when it was the mafia that charged to make sure nothing terrible happened, it was "just a part of the cost of doing business" too.
Have any other artificial barriers to business you'd like to construct while we're at it?
Re:Spend the extra time and setup your biz correct (Score:3, Insightful)
It's just a legal framework -- and no, you can never have "enough control" to guard against this. In a sole proprietorship, you are not legally distinct from your business, so any liabilities against the business can be taken out of your personal accounts. Assuming you are a legitimate business owner trying to make a profit (not just a shell corporation trying to avoid taxes), your biggest risk (I'm guessing) is from frivolous lawsuits. Somebody slips on the sidewalk in front of your storefront and sues your business for gajillion dollars. Assuming they win & your business can't pay up, it comes out of your personal savings account (or other assets). It's the same reason people carry umbrella liability insurance -- because we can't guard against the stupidity & greed of other people.
Re:Really? (Score:2, Insightful)
[N]o one bought a Christmas stocking from her previously because they mistakenly believed she was a giant multinational conglomerate...
yet you offer no reason or evidence and completely fail to support your arguments. How about you tell us why you're right and the WSJ is wrong.
Re:WTF? Phishing and certs are different issues. (Score:4, Insightful)
I think you completely missed the point.
It's a great business model.
If you want to buy stuff from the InterWeb thingy you want to buy from the GREEN because everyone else is EVIL.
If you want to get more business sent your way, you have to purchase the certificates to go GREEN or else you lose money.
So if the businesses buy in to this green craze then it starts to feed into a cyclic frenzy of cornering the purchasing power of the consumers. And everyone pays Microsoft. And that makes it a great business model.
But we all know that Microsoft is pretty much regarded as a joke by more and more people every day. Just not enough quite yet.
It's the GOVERNMENT's job (Score:3, Insightful)
Perhaps the government learns and uses digital certs on legal documents like birth certificates? (nah, that would be too smart...BTW, I could fake my birth certificate with a copy machine)
Irony (Score:5, Insightful)
Re:going to have come up with a better way (Score:2, Insightful)
Really, I'd hope people don't sue for this. If your sole source of income relies on a system you can't control, then you have a bad business model, plain and simple. Be it Google, or Microsoft, or VeriSign.
Plus...do you really want to make it EASIER to phish? That's just more junk mail in your inbox, because it'll continue to work.
Forcing FF on someone is just as bad as forcing IE (Score:1, Insightful)
Re:WTF? Phishing and certs are different issues. (Score:5, Insightful)
All this "protection" in IE7 is there to try and limit which software you run. MS has decided that before they can beat open source they need to winnow the list of companies that deal with it and this is a good first step to do that with. If this same applet was signed by novell I am sure it would run in IE.
Re:WTF? Phishing and certs are different issues. (Score:2, Insightful)
Re:going to have come up with a better way (Score:3, Insightful)
I'm fully over it, actually never found myself under it
It's still a low down dirty market grab putting themselves quietly in a position of authority they have no business assuming, any way you cut it. We can debate the roots of a definition, but the fact remains that this is going to cost some mom and pops a few conversions.
That's sad.
Re:Forcing FF on someone is just as bad as forcing (Score:2, Insightful)
Re:WTF? Phishing and certs are different issues. (Score:2, Insightful)
Re:Really? (Score:3, Insightful)
It's like you have no grasp of how people use the internet. People didn't just sit down and type in "www.auntiesstockings.com", they most likely went to their search engine of choice and searched for something like 'holiday stockings crafts homemade' and got a bunch of hits for sites with those keywords. Then they see "Auntie's Christmas Stockings" and decide to give the site a try. As soon as they get there however the bar doesn't turn green, so they decide it's not a legitimate business and click Back on the browser and buy from a different site.
The point is not that previous customers are going to suddenly stop trusting a site they've already done business with (although that is a possibility). The point is that new users coming to a site for the first time, who use the IE7 green color as the sole indicator of trust, will immediately distrust the site when they don't see that green. It has nothing to do with the quality of the products or anything else, no green bar will mean they assume it's a scam.
I agree that giving the user more info is a good thing, but the problem is MS has not provided adequate means for small legitimate businesses to display the same level of 'trust' as a major corporation. MS needs to provide a streamlined and straightforward way for ALL legitimate businesses to properly utilize this extra feature, by not doing that MS is essentially raising an artificial barrier to competition because of the lack of knowledge by the vast majority of the web using public. And the catch-22 is, if Joe Sixpack were savvy enough to properly use the anti-phishing notifications from IE7 then he probably wouldn't need to be protected from phishing/scam sites in the first place.
Re:WTF? Phishing and certs are different issues. (Score:3, Insightful)
Re:going to have come up with a better way (Score:3, Insightful)
Sure, you're free to believe whatever you like. But in most jurisdictions, there are laws about things like libel and slander. I'd think that such laws might be easily used in this case.
If I were to start up my own business that published ratings of other businesses' honesty based on whether they've paid me for a rating, I'd be in court real fast. In some jurisdictions, I might be in jail, too.
It'll be interesting to see whether Microsoft is powerful enough to get away with such public libel without any punishment.