New Extended SSL Certs Make Online Debut 106
An anonymous reader writes "The first of the new 'extended validation' SSL certificates
went live this week, signaling the latest effort by the browser makers and major Web sites to further verify the identity of SSL applicants and help consumers spot fraudulent Web sites, the Washington Post's Security Fix blog notes. The technology is pretty simple: Visit a login page for a site that uses one of these EV certs and the browser bar turns green; likewise, the browser's anti-phishing filters can turn the URL field red when the user is at a known phishing site. There is still quite a bit of debate over whether this whole scheme isn't just a new money-making racket for the SSL providers, and whether small mom-and-pop shops will be able to afford the pricey new certs."
Interesting problem (Score:3, Insightful)
I predict (brave of me, I know) that no matter what efforts are made to protect Internet users, there will still be phishing on the Internet.
I think we're better off with the training.
Re:It isn't whether they can afford them. (Score:3, Insightful)
The small guy is getting shafted (Score:4, Insightful)
The smallest of legit web sites will not pay this, especially when they're just starting up. Add to that the requirements (what type of corporate entity the site belongs to) and you'll have few small takers. This is definitely going to hurt small sites as all of the medium and large sites will eventually sign up. Users will eventually expect the green bar on every site where they might do business. So I see this as merely a money making scheme. If they really wanted to improve security they wouldn't rely on the type of corporation or charge such high fees.
Re:It isn't whether they can afford them. (Score:4, Insightful)
Thats because we all know there is no such thing as a shady corporation with enough money for expensive certifications.
Nice gig for the Certificate Authorities (Score:3, Insightful)
Since they've done such a bad job of this so far (it was quite strict at first), they've now turned around and offered a more expensive certificate with the promise that this time they'll _really_ do their job.
I've no doubt they'll get away with it when all the big names buy the more expensive certificates and see an opportunity to squeeze out the smaller competition, and/or otherwise help to raise the barrier to entry for their market. Watch this get a lot of media attention and advertising.
Six dumbest ideas... (Score:3, Insightful)
The Six Dumbest Ideas in Computer Security [ranum.com] - See #5 - 'Educating Users'.
That's really trustworthy! (Score:4, Insightful)
The example in the article immediately points out a failure of this idea. Go to entrust.com and your address bar turns green. And who is the CA that has verified that this site is really operated by entrust? "Entrust or an independent local registration authority has verified that Entrust Inc is an existing business and owns or operates the domain name www.entrust.com".. Yeah. So, this is basically a self-signed certificate, but it turns up green, because you're supposed to trust entrust, because you're supposed to trust entrust, because you're supposed to trust internet explorer.
Meanwhile, their 'extra validation' CPS states that they offer no warranties or guarantees, nor any detail about what they DO do to make extra super sure they don't issue certificates to some random Joe.
Re:It isn't whether they can afford them. (Score:4, Insightful)
Ironically, it's much easier to establish an individual's identity (many databases that you can look in and merge, require multiple forms of ID, etc.) than the fact whether an individual is actually a proper agent of some huge megacorporation.
Re:Interesting problem (Score:4, Insightful)
Debate? What debate? (Score:3, Insightful)
Re:The small guy is getting shafted (Score:3, Insightful)
There are plenty of home-based businesses that have essentially zero capital when starting up. Remember that $500 is a lump-sum payment and can equal a month's rent for some people in some places. You could use a payment processor or even only accept money directly face-to-face, but will people start thinking that all companies without a green cert are untrustworthy, even if they don't take money and personal details online? This amounts to a protection racket not much different from the goons that came to brick and mortar stores and said "we need some money to protect you from thugs breaking into your store at night and torching it."
-b.
Re:It isn't whether they can afford them. (Score:3, Insightful)
What's irritating to me is that I've been a sole proprietorship for almost six years now. I can furnish bank and credit references and tax records to that effect. Seems as though there ought to be a way to verify through those records.
I already ante up extra $$$ for a cert from a well recognized authority. But $1299?
Entrust's SSL certificate, and its problems (Score:5, Insightful)
Domain: www.entrust.com
Server identity:
CN = www.entrust.com
serialNumber = DOC:19961216
OU = it
O = Entrust Inc
jurisdictionOfIncorporationStateOrProvinceName = MD
jurisdictionOfIncorporationCountryName = US
L = Ottawa
ST = Ontario
C = CA
Issuer identity:
CN = Entrust Certification Authority - L1A
OU = (c) 2006 Entrust, Inc.
OU = www.entrust.net/CPS is incorporated by reference
OU = CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY
OU = AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE
O = Entrust, Inc.
C = US Certificate has 10 extensions.
The CA Browser Forum has published a standard for these certificate. [cabforum.org] So that's what we go by.
How do you tell this is an Extended Validation certificate? That's not in the CA Browser Forum's standard. It's dependent on the certificate issuer.
It's documented, on Entrust's web site [entrust.net] "Each EV SSL Certificate issued by the Entrust EV SSL CA to a Subscriber contains an Object Identifier (OID) defined by the Entrust EV SSL CA in the certificate's certificatePolicies extension ... which
by pre-agreement with Application Software Vendors, marks the certificate as being an EV SSL Certificate.
The following OID has been registered by the Entrust EV SSL CA for inclusion in EV SSL Certificates: 2.16.840.1.114028.10.1.2"
That OID number appears in the middle of a comment in the certificatePolicies extension. So, for each issuer, you have to look for something different.
The certificate checker has to be really careful. To verify that a certificate is an Extended Validation certificate, it's not enough to find that OID. You have to make sure that the certificate was issued by the issuer entitled to use that OID. Otherwise, it's easy to forge these certificates.
But if you're too thorough in the checking, the certificate bounces. The whole point of an Extended Validation certificate is to validate the company's identity. So we have the new fields "serialNumber", "jurisdictionOfIncorporationStateOrProvinceName", and "jurisdictionOfIncorporationCo
There are many problems - some are legacy problems (Score:5, Insightful)
It is far worse than that:
In the end, the benefit of SSL is that of encrypted traffic. The data goes from the client to the server, and nowhere else. That's what a certificate actually ensures. Nothing else. Not one blessed thing. The people who built this scam were either miserably uninformed and/or confused, or underhanded types who recognized the money to scooped up from people who could not afford to have a browser inaccurately claim that their business "might be a scam."
This is just one more case where superficial thinking about something is being used as an excuse to generate a large and healthy cash cow over and above the current certificate scam. Nothing can legitimately substitute for you checking for complaints, longevity, experience with the product(s) you are interested in, that sort of thing. Which in turn means that by definition, the foisting off on the consumer that the "browser bar turning green" means "shopping or interaction is OK" is outright illegitimate.
And will any of that stop this from happening? Not a chance. Because it isn't only the consumers that are failing to do due diligence here; it is the browser writers as well, and as per usual, we start with Microsoft who does not have the consumer's best interests at heart.
The attempt is being made here to do something that is impossible. Wy? Because an operation that was trustworthy yesterday can become untrustworthy tomorrow. Likewise, an operation that was controlled by scammers can replace those people. It is a matter of people and goals that no one can see through the veil of the Internet. This is aside from the creation of a "ghetto" of untrusted merchants who cannot get certified, or cannot afford to get certified.
I saw a comment elsewhere here by some moron who was pontificating about how "if some business cannot afford $500 for this cert, I would not trust them, etc. ad nauseam." The fact is, some businesses are striving on the edge and that money is important to them. Seeing as how it does nothing for them but keep them from being creamed by this new scam - meaning, it doesn't add value to what they do, just brings them back to a status quo