
Small Businesses Worry About MS Anti-Phishing 291

prostoalex writes "Ever get that warm feeling of safety, when the anti-phishing toolbar on Microsoft Internet Explorer 7 turns green, telling you it's safe to shop on the site you're visiting? Well, you probably don't, but the millions of Internet users who will soon be running IE7 probably will be paying attention to the anti-phishing warnings. WSJ.com is reporting on how Microsoft is making it tough for small businesses to assure they're treated properly by the anti-phishing algorithm." From the article: "[S]ole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color. There are about 20.6 million sole proprietorships and general partnerships in the U.S... though it isn't clear how many are engaged in e-commerce... 'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud. 'All the business is going to go to the greens, it's kind of obvious.'"
  • by yagu ( 721525 ) * <yayagu@[ ]il.com ['gma' in gap]> on Tuesday December 19, 2006 @07:20PM (#17306888) Journal

    Microsoft may think they've solved a problem and maybe they have, but this could be creating a bigger problem, though as usual it'll be no skin off of Microsoft's nose.

    Microsoft's stance (FTA):

    Microsoft says green shouldn't be considered a seal of approval, but rather a sign that the site owner is a legitimate business.

    It may not be formal logic (all farmers wear overalls, therefore if I wear overalls.... (hint: I am not a farmer)), but most internet users are going to make the simple logical leap and assume that not "green" implies not legitimate.

    It's easy for Microsoft to skate... they don't live the existence of normal business - it's a shame they have so much input into what others' business rules look like. This probably isn't fair. There has to be a legitimate way to become legitimate.

  • by tonywong ( 96839 ) on Tuesday December 19, 2006 @07:33PM (#17307052) Homepage
    So Microsoft has decided that whitelisting companies is a good idea, and everyone else is to be lumped into a greylist and blacklist area? No wonder the individuals in the grey zone are peeved, the association with blacklist websites alone will tank sales.
  • bonding (Score:3, Interesting)

    by TheSHAD0W ( 258774 ) on Tuesday December 19, 2006 @07:38PM (#17307098) Homepage
    I agree with Microsoft, actually; it can be difficult to take what looks like a perfectly legitimate business and guarantee that they aren't actually sniffing for your personal information. But only labeling large businesses as "safe" will indeed put serious burdens on smaller companies.

    Perhaps Microsoft could allow for companies who wish to "go green" to purchase a certain amount of insurance from established bonding companies assuring shoppers that their information won't go awry. Bonding companies know how best to deal with this sort of risk; they would subject their client companies to audits, making sure servers were secure and weren't caching the wrong sort of data.
  • by Ashtead ( 654610 ) on Tuesday December 19, 2006 @07:51PM (#17307254) Journal

    But is Microsoft the right one to enforce this? Even if sole proprietorship or general partnership might be inadvisable, it isn't illegal, and Microsoft or anyone else who is not the government has absolutely no jurisdiction and no mandate to make it so.

    Something seems definitely out of bounds here...

  • Re:Really? (Score:4, Interesting)

    by troll -1 ( 956834 ) on Tuesday December 19, 2006 @08:19PM (#17307514)
    The only people this can significantly hurt are businesses which were doomed to fail in any case, and scammers.

    But doesn't TFA say that many of the people that will be doomed to fail are legitimate businesses like Aunt Joy Christmas stockings? Though Microsoft will claim they're not. She won't be green. She'll lose business. It's small businesses that will hurt.
  • Re:Green hack (Score:2, Interesting)

    by rjdegraaf ( 712353 ) on Tuesday December 19, 2006 @08:28PM (#17307600)
    What about a window without an address bar, but with an image which looks like an address bar.
  • Why is this unfair? (Score:3, Interesting)

    by raehl ( 609729 ) <raehl311@@@yahoo...com> on Tuesday December 19, 2006 @08:33PM (#17307638) Homepage
    If you can't get a certificate as a sole proprietorship, INCORPORATE! Problem solved.

    Nobody is making anyone run their business as a sole proprietorship. And this day in this sue-happy age, there's plenty of other reasons incorporation is a good idea.
  • Re:Given the fact (Score:3, Interesting)

    by Todd Knarr ( 15451 ) * on Tuesday December 19, 2006 @08:37PM (#17307668) Homepage

    Actually I think the bigger problem is that Microsoft and Verisign in the past have allowed a completely valid, high-grade signing certificate with Microsoft's own corporate identity to be issued to crackers (see http://www.pcworld.com/article/id,45284-page,1/article.html [pcworld.com] or the more authoritative http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx [microsoft.com] for details). Note that a class-3 code-signing certificate was one of the more secure grades Verisign issues, it's not their standard e-mail-address-only ones. So how long until the bad guys start getting their own EV-SSL certificates and make the whole scheme not merely useless but advantageous to the phishers?

  • by Todd Knarr ( 15451 ) * on Tuesday December 19, 2006 @08:40PM (#17307702) Homepage

    Only one response needed: http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx [microsoft.com]

    This was a class-3 code-signing certificate from Verisign, giving all the correct details for Microsoft but the request was coming from a bunch of crackers. How long, then, until the phishers figure out how to get EV-SSL certificates of their own?

  • by alex_guy_CA ( 748887 ) <alex@schoenfel[ ]com ['dt.' in gap]> on Tuesday December 19, 2006 @08:45PM (#17307760) Homepage
    I remember a few years ago, this company licensed a Haiku to put in the email headers. If the Haiku was there, you were automatically white listed in various spam filters. If you used the Haiku without paying the licensed, you could be sued not for spam, but for copyright infringement. I wonder if they still exist. Anyway, small businesses were priced out of the system. If you weren't sending 1,000,000 emails a month, don't bother calling them because you can't afford it. It seemed like such a stupid way to do business in an internet age. I'd pay .05 to make sure an email made it to a client. Oh well.
  • by wbean ( 222522 ) on Tuesday December 19, 2006 @08:56PM (#17307846)
    We have a Web site where we process orders for other companies. The pages are customized to our customers' look and feel and the credit cards are process against their accounts but all of the transactions take place on our server and use our certificate.

    We have no problem getting the new certificates but what company name should appear in the bar? If we put our own name in, we will confuse the end users who have never heard of us. If we want to use our customers' company name, then they each have to get their own certificate and we have to assign separate IP addresses to each of our customers - at the moment we only need one IP.

    What a nuisance.
  • Re:Countdown (Score:3, Interesting)

    by StikyPad ( 445176 ) on Tuesday December 19, 2006 @09:02PM (#17307892) Homepage
    "A way" already exists, and it's called XSS, or Cross-Site Scripting [wikipedia.org]. It's all a matter of how secure any given "green light" site is, which means the "green light" is borderline worthless, from an anti-phishing standpoint anyway. There are even vulnerabilities which do not require any social engineering, such as a vulnerability in the user reviews section of a business's website, or something similar.

    So really, like the padlock "secure" icon (which tells you only that you're on an encrypted connection, and is meaningless if the target site has been compromised), it's just presenting a false sense of security, while at the same time giving small businesses a small stain on their reputation.
  • by lordkuri ( 514498 ) on Tuesday December 19, 2006 @09:08PM (#17307948)
    Bullshit. Why should I be forced to spend more money when a Sole Proprietorship is JUST AS LEGITIMATE as a Corporation. Matter of fact, a lot of people tend to think that a sole prop. is *more* legitimate, from years of dicking from most major corporations.
  • by miller60 ( 554835 ) on Tuesday December 19, 2006 @11:40PM (#17308892) Homepage
    VeriSign is charging $1,299 a year [verisign.com] for extended validation certificates, and I wonder how many small businesses would be willing to fork over that amount for the benefits of EV SSL. Other certificate authorities will eventually offer these as well, and charge less.

    Several CAs, including Digicert [websitehostdirectory.com], are seeking to have the standard revised to include small businesses. I don't believe the CA/Browser Forum has finalized the standard yet, as there were some holdouts last I checked.

  • Re:Really? (Score:5, Interesting)

    by mwvdlee ( 775178 ) on Wednesday December 20, 2006 @04:35AM (#17310164) Homepage
    The only people this can significantly hurt are businesses which were doomed to fail in any case, and scammers.


    I have a small business, legally registered, which is a sole proprietorship. Even though my business is legal and even though I'm personally legally responsible for the business I cannot get this green bar.

    I can pay the money for it (even though this starts to smell like a scam itself; pay the money for the certificate or you'll be blacklisted) and would if I could, but simply because they haven't defined rules to verify my type of business (which would be easy; My business is registered, has a clean tax-record and I can provide any identification they'd need).

    So now MY business will not get on the whitelist because THEY fail to even set the rules by which I could get on the whitelist.

    I seriously think MS should hold out on displaying the bars until sufficient rules are in place that allow all legal businesses equal recognition as such.
  • by marcello_dl ( 667940 ) on Wednesday December 20, 2006 @05:34AM (#17310368) Homepage Journal

    ...sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox...
    Good idea, but I'd say not "defective", but "deliberately denying small businesses the status of legitimate web sites". That's the truth.
    BTW, what if somebody got certified somehow, and then hosted a portal for businesses he trusts giving them the green light? I guess certification contract explicitly forbids that in the first 10 lines of the agreement :)
  • by jasen666 ( 88727 ) on Wednesday December 20, 2006 @09:44AM (#17311602)
    No, IE will not even pass the applet to the JVM if it does not pass the certification test. AND, the same JVM will run the applet just fine in Firefox.
    Nice try though.
