New Extended SSL Certs Make Online Debut

An anonymous reader writes "The first of the new 'extended validation' SSL certificates went live this week, signaling the latest effort by the browser makers and major Web sites to further verify the identity of SSL applicants and help consumers spot fraudulent Web sites, the Washington Post's Security Fix blog notes. The technology is pretty simple: Visit a login page for a site that uses one of these EV certs and the browser bar turns green; likewise, the browser's anti-phishing filters can turn the URL field red when the user is at a known phishing site. There is still quite a bit of debate over whether this whole scheme isn't just a new money-making racket for the SSL providers, and whether small mom-and-pop shops will be able to afford the pricey new certs."
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday January 13, 2007 @01:16PM (#17592334)
    It isn't whether mom-and-pop shops can afford the new certificates.

    It's whether they'll be allowed to purchase them.

    That's because sole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color.
  • Re:Doesn't matter. (Score:2, Informative)

    by TheSunborn ( 68004 ) <mtilstedNO@SPAMgmail.com> on Saturday January 13, 2007 @01:33PM (#17592552)
    No, SSL also tells you who you are communicating with.
  • Gripes with HTTPS (Score:5, Informative)

    by RAMMS+EIN ( 578166 ) on Saturday January 13, 2007 @02:15PM (#17593078) Homepage Journal
    I have one major gripe with HTTPS:

    If you don't pay the Powers That Be, you can still make your site more secure, but it will appear to be less secure.

    The way HTTPS normally works is that you create a key to be associated with your domain name. This key is then signed by some certificate authority (supposedly after verifying you are you). If the certificate authority is one of those trusted by your visitors' browsers, the browser will go ahead and use your site, as well as display some indication that it is secure. The security includes both encryption (confidentiality) and authentication (you're really communicating with foobar.com - VeriSign says so).

    However, you have to pay the certificate authority to sign your key. If you don't, you can still sign the key, but it won't be trusted by browsers. So far so good. The problem is that browsers will scream bloody murder, because they can't verify that you are you, making it look like you're attempting some kind of scam, while, actually, you're offering your visitors encryption. It's not as secure as encryption and authentication, but it's still better than plain HTTP - a protocol which browsers will accept without a hitch.

    As a minor issue, the SSL key is sent during the connection setup, before the client can send a Host: header. This means that each host wishing to employ HTTPS has to have its own IP address - otherwise, the server doesn't know which key to use. There's actually a way around this: HTTP 1.1 specifies how to upgrade a connection to HTTPS, which can be done after the Host: header has been sent. Unfortunately, a lot of software appears not to support this feature.
  • Re:Doesn't matter. (Score:3, Informative)

    by Beryllium Sphere(tm) ( 193358 ) on Saturday January 13, 2007 @02:57PM (#17593620) Journal
    All SSL really knows is what public key it's communicating with.

    It will download a data structure in which the public key and some character strings are authenticated with yet another party's private key.

    The rest is hope and trust that the signer does due diligence and hasn't been compromised.

    If the "certificate" does prove who you're communicating with, SSL doesn't tell you that until you click on the padlock and look up certificate properties. Until then, all it's told you is that the domain name matches. If West African Phish and Game buys a certificate for "paypal-reverify.com", SSL will not warn you about them. This isn't hypothetical.

    Netcraft confirms it :-) More than 450 Phishing Attacks Used SSL in 2005 [netcraft.com]
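The two comments above (RAMMS+EIN's description of what a CA-signed certificate authenticates, and Beryllium Sphere's point that "all it's told you is that the domain name matches") both come down to the hostname check a TLS client performs. The following is an added example, not code from the Slashdot thread or from any browser: it implements the strict hostname-matching rules most browsers and Python's ssl module apply (case-insensitive comparison, a wildcard accepted only as the entire left-most label, never spanning more than one label, never as `*.tld`) and runs them over two constructed certificates, one for `www.paypal.com` and one for the look-alike `paypal-reverify.com`. The certificates are plain dictionaries standing in for the parsed subjectAltName, CN and organization fields; the `org` field is an assumption used to show what an EV-style organization check adds on top of the domain match.

```python
"""Hostname matching as a TLS client performs it (RFC 2818 / RFC 6125 style).

Added example for the Slashdot discussion; the certificates below are
constructed stand-ins, not real certificates.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (SAN dNSName or CN) covers hostname.

    Rules (the strict subset browsers and Python's ssl module enforce):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is accepted only as the whole left-most label ("*.example.com")
    - the wildcard covers exactly one label, so "*.example.com" does not cover
      "a.b.example.com" or "example.com"
    - "*.com" style patterns are rejected outright
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the entire left-most label
    if len(p_labels) < 3:
        return False  # "*.com" would cover every .com domain
    if len(p_labels) != len(h_labels):
        return False  # wildcard spans exactly one label
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert: dict, hostname: str) -> bool:
    """The identity property TLS actually enforces: the requested hostname is
    one of the names in the certificate (SAN dNSNames, else the subject CN)."""
    names = cert.get("san") or [cert["cn"]]
    return any(hostname_matches(name, hostname) for name in names)


def identity_check(cert: dict, hostname: str) -> tuple:
    """Return (domain_matches, organization_asserted).

    A client only fails the handshake on the first value. The second is what an
    extended-validation style certificate adds: a vetted organization name the
    browser can display. Here it is modelled by the constructed 'org' field
    (an assumption of this example, not a real certificate extension).
    """
    return certificate_covers(cert, hostname), cert.get("org") is not None


# Constructed certificates (not real): a legitimate site and a look-alike.
PAYPAL_CERT = {
    "cn": "www.paypal.com",
    "san": ["www.paypal.com", "paypal.com"],
    "org": "PayPal, Inc.",
}
PHISH_CERT = {
    "cn": "paypal-reverify.com",
    "san": ["paypal-reverify.com", "www.paypal-reverify.com"],
    "org": None,  # domain-validated only: no organization was vetted
}


def tls_would_warn(cert: dict, hostname: str) -> bool:
    """True if a browser would raise a certificate warning for this visit.
    A look-alike domain with its own valid certificate produces no warning."""
    return not certificate_covers(cert, hostname)


if __name__ == "__main__":
    for cert, host in [(PAYPAL_CERT, "www.paypal.com"),
                       (PHISH_CERT, "paypal-reverify.com"),
                       (PHISH_CERT, "www.paypal.com")]:
        print(host, "warn:", tls_would_warn(cert, host),
              "identity:", identity_check(cert, host))
```

Running it shows the point of the thread: a visit to `paypal-reverify.com` presenting its own certificate produces no warning and no organization, while the same certificate offered for `www.paypal.com` fails the match. The wildcard rules matter for the same reason: a CA that issued `*.com` would make the domain check meaningless, so clients reject it regardless of the signature.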
  • by zymurgy_cat ( 627260 ) on Saturday January 13, 2007 @09:55PM (#17598170) Homepage
    Ironically, it's much easier to establish an individual's identity (many databases that you can look in and merge, require multiple forms of ID, etc.) than the fact whether an individual is actually a proper agent of some huge megacorporation.

    Very true, and my experience is that most places don't even make an effort.

    Last year, I decided to get a signed certificate for a site that my company uses for internal purposes. When I provided the information, the CA called me and pointed out that I needed to prove who I was by submitting a phone bill with the phone number I provided. Mind you, they called that phone number to ask me to provide information proving that it was my phone number. I obtained a record from a website that I faxed to them. Yes, I could have edited the page before printing.

    The kicker is that my phone number is in a different state than the company's. (I work out of my home.) No one ever flagged this or attempted to contact the home office to verify that I was an employee or authorized agent.
