
Small Businesses Worry About MS Anti-Phishing

prostoalex writes "Ever get that warm feeling of safety, when the anti-phishing toolbar on Microsoft Internet Explorer 7 turns green, telling you it's safe to shop on the site you're visiting? Well, you probably don't, but the millions of Internet users who will soon be running IE7 probably will be paying attention to the anti-phishing warnings. WSJ.com is reporting on how Microsoft is making it tough for small businesses to assure they're treated properly by the anti-phishing algorithm." From the article: "[S]ole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color. There are about 20.6 million sole proprietorships and general partnerships in the U.S... though it isn't clear how many are engaged in e-commerce... 'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud. 'All the business is going to go to the greens, it's kind of obvious.'"

  • 'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud.

    WTF? Shouldn't that read:

    'Are people going to notice the green or than white? No, they wont,' says WMF, an analyst at slashdot Inc. and an expert on stupid punditry.

    On a slightly different note, I think the submitter has gotten the new expensive secure certs gold-rush/scam confused with the anti-phishing tech. Not surprising 'cause the article melds them together in a rather confusing manner.
    • You even used bad grammar and spelling, like a Slashdot editor!
      • You even used bad grammar and spelling, like a Slashdot editor!

        Yuo say that as if Im capable of something else using!
        • by ShieldW0lf ( 601553 ) on Tuesday December 19, 2006 @06:57PM (#17307322) Journal
          Now there is a tangible commercial interest in creating phishing sites.

          Huge corporations that quietly invest money in polluting the internet with phishing sites that create an environment where "white = tangibly untrustworthy" will see returns on their investment because this exists.

          There was a business model in polluting the P2P networks so they become inefficient services. Then there were businesses that did it. Now there is a new business model. What comes next, you think?
          • Irony (Score:5, Insightful)

            by The Clockwork Troll ( 655321 ) on Tuesday December 19, 2006 @09:14PM (#17308402) Journal
            The irony of all this, is that the only companies allowed to be deemed "trustworthy" are the corporate entities whose employees are shielded from personal liability.
          • Re: (Score:3, Insightful)

            A few words: "Class Action Lawsuit". Microsoft as a monopoly is adversely labeling businesses because they don't pay for a certificate and they can do this only because they are a monopoly. And if Microsoft is doing this to fight phishing, where is the liability if that protection does not work? I'm sure someone will figure out how to get a green bar without a certificate and a phishing they will go. Meanwhile, the legitimate small business gets labeled "untrustworthy" by Microsoft software. Now THAT i
    • by Anonymous Coward on Tuesday December 19, 2006 @06:42PM (#17307148)
      I think any comment about IE7's anti-phishing system should note that it sends every website you visit to Microsoft. If you care even an iota about the privacy of your web browsing, you should choose "no" when IE7 asks you to enable its invasive anti-phishing system.
      • by killjoe ( 766577 ) on Tuesday December 19, 2006 @10:01PM (#17308654)
        Today I was trying to use an SSH Java applet to connect to a server in IE7. IE7 refused to run the applet because it did not recognize the signature. I added the site to my trusted sites list but it still refused to load it. I went into advanced settings and told it to install unsigned ActiveX controls but it still wouldn't do it. After struggling for a little while longer I installed Firefox (this was not my computer) and ran the applet I needed to run. Installing Firefox and then installing Java took less time than my struggles trying to get IE7 to load an open sourced applet.

        All this "protection" in IE7 is there to try and limit which software you run. MS has decided that before they can beat open source they need to winnow the list of companies that deal with it and this is a good first step to do that with. If this same applet was signed by Novell I am sure it would run in IE.
    • by thinkliberty ( 593776 ) on Tuesday December 19, 2006 @06:54PM (#17307290)
      This can also work 2 ways.

      Users' favorite deal sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox to purchase anything from the site. They can also have a continue anyways button and store a cookie to not display the message again. That way when there is no green bar the users will know it is because they are not using an approved browser.

      YAY for Microsoft, let them shoot themselves in the foot.
      • Re: (Score:3, Interesting)

        by marcello_dl ( 667940 )

        ...sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox...

        Good idea, but I'd say not "defective", but "deliberately denying small businesses the status of legitimate web sites". That's the truth.
        BTW, what if somebody got certified somehow, and then hosted a portal for businesses he trusts giving them the green light? I guess the certification contract explicitly forbids that in the first 10 lines of the agreement :)

    • by tacocat ( 527354 ) <`tallison1' `at' `twmi.rr.com'> on Tuesday December 19, 2006 @08:30PM (#17308118)

      I think you completely missed the point.

      It's a great business model.

      If you want to buy stuff from the InterWeb thingy you want to buy from the GREEN because everyone else is EVIL.

      If you want to get more business sent your way, you have to purchase the certificates to go GREEN or else you lose money.

      So if the businesses buy in to this green craze then it starts to feed into a cyclic frenzy of cornering the purchasing power of the consumers. And everyone pays Microsoft. And that makes it a great business model.

      But we all know that Microsoft is pretty much regarded as a joke by more and more people every day. Just not enough quite yet.

  • by yagu ( 721525 ) * <yayagu.gmail@com> on Tuesday December 19, 2006 @06:20PM (#17306888) Journal

    Microsoft may think they've solved a problem and maybe they have, but this could be creating a bigger problem, though as usual it'll be no skin off of Microsoft's nose.

    Microsoft's stance (FTA):

    Microsoft says green shouldn't be considered a seal of approval, but rather a sign that the site owner is a legitimate business.

    It may not be formal logic (all farmers wear overalls, therefore if I wear overalls.... (hint: I am not a farmer)), but most internet users are going to make the simple logical leap and assume that not "green" implies not legitimate.

    It's easy for Microsoft to skate... they don't live the existence of normal business - it's a shame they have so much input into what others' business rules look like. This probably isn't fair. There has to be a legitimate way to become legitimate.

    • by coolgeek ( 140561 ) on Tuesday December 19, 2006 @06:23PM (#17306918) Homepage
      I think there will be an obstruction of trade class action suit filed against Microsoft for this.
      • as they demonstrate browsing the web with FireFox - Look, your honor, there are not green/white/yellow/red indicators!
      • Re: (Score:2, Insightful)

        by calciphus ( 968890 )
        What makes you think you can sue MS? You can't sue Google (successfully) just because your page gets blocked by them, even though they are arguably obstructing trade on your site. You can't sue VeriSign for not giving you a free certificate, even though some people won't shop at non-VeriSign secured sites.

        Really, I'd hope people don't sue for this. If your sole source of income relies on a system you can't control, then you have a bad business model, plain and simple. Be it Google, or Microsoft, or VeriSign
    • by tonywong ( 96839 ) on Tuesday December 19, 2006 @06:33PM (#17307052) Homepage
      So Microsoft has decided that whitelisting companies is a good idea, and everyone else is to be lumped into a greylist and blacklist area? No wonder the individuals in the grey zone are peeved, the association with blacklist websites alone will tank sales.
    • by Ucklak ( 755284 )
      "it's a shame they have so much input into what others' business rules look like"

      Yeah like E-commerce sites hosted with IIS will be favored over Apache hosted sites.
    • by zotz ( 3951 )
      "There are about 20.6 million sole proprietorships and general partnerships in the U.S..."

      Well, if the article gets things right, these 20.6 million businesses now have one more reason to drop MS completely. I figure if that begins, things will change.

      all the best,

      drew
  • by namityadav ( 989838 ) on Tuesday December 19, 2006 @06:23PM (#17306912)
    I hope a user smart enough to notice and use the phishing feature of IE, would be smart enough to use Firefox instead
    • by mottie ( 807927 )
      it's pretty hard not to notice it. when you start IE7 for the first time it asks you if you want to turn it on, and yes is the default. it's not hidden away in an obscure menu system or anything like that.
  • Given the fact (Score:3, Insightful)

    by gillbates ( 106458 ) on Tuesday December 19, 2006 @06:26PM (#17306962) Homepage Journal

    That even Microsoft itself has allowed its security certificates to lapse in the past, I don't think this is going to mean much. As soon as the address bar goes white when getting updates from microsoft.com, people will start to ignore it.

    Besides, the user sophisticated enough to notice the difference probably won't care - by now, he's already got a set of favorite bargain sites, and when their address bar stays white, he'll just assume they're too cheap to buy the MS cert. After all, how *do* they undercut the competition?

    And I'm guessing that most people - if they notice at all - will not be any more cautious. After all, that's what they bought anti-virus for, right? I'd be willing to bet that the average user believes AV software protects them from everything bad that could happen when using a computer.

  • Countdown (Score:5, Insightful)

    by DrYak ( 748999 ) on Tuesday December 19, 2006 @06:29PM (#17306990) Homepage
    Countdown to the phisher finding a way to subvert the system and obtain legitimate certs to green-light their scam sites :
    4 [microsoft.com]... 3 [cert.org]... 2 [cert.org]... 1 [grok.org.uk]...
    • Exactly. The only certain effect here is that the scammers will find a way to either create or emulate the green light.
      • Re: (Score:3, Interesting)

        by StikyPad ( 445176 )
        "A way" already exists, and it's called XSS, or Cross-Site Scripting [wikipedia.org]. It's all a matter of how secure any given "green light" site is, which means the "green light" is borderline worthless, from an anti-phishing standpoint anyway. There are even vulnerabilities which do not require any social engineering, such as a vulnerability in the user reviews section of a business's website, or something similar.

        So really, like the padlock "secure" icon (which tells you only that you're on an encrypted connection
  • by Darkon ( 206829 ) on Tuesday December 19, 2006 @06:30PM (#17307006)
    If you make certificates too easy to obtain then every phisher and his dog will just buy one and create a false impression of legitimacy. If you try too hard to restrict them to bona fide companies then you risk shutting out the mom and pop outfits. What's the answer?

    Anyone know what approach Firefox takes compared to IE7 here?
    • by mrchaotica ( 681592 ) * on Tuesday December 19, 2006 @06:52PM (#17307270)
      What's the answer?

      Don't bother implementing any kind of "anti-phishing" crap and let the buyer be responsible for his own damn self for a change!

    • by Kelson ( 129150 ) *

      If you make certificates too easy to obtain then every phisher and his dog will just buy one and create a false impression of legitimacy. If you try too hard to restrict them to bona fide companies then you risk shutting out the mom and pop outfits. What's the answer?

      Don't overload the certificate concept. If you make it clear that all an SSL cert means is that no one is listening in on the conversation between your browser and the website (assuming your machine and the server aren't compromised themselv

    • To run a business in the USA, you file with the secretary of state of your state plus file for a federal employer ID. You do about as much for that as a cert authority (CA) has you do.
      1. SSL certs are signed by the US government for all biz with an EID
      2. SSL certs are signed (again) by the States the corp is in
      3. SSL certs (again; optionally) are signed by a 3rd party that is paid to go further than the government to ensure you are legit
      4. Governments make incorporation requirements on par with a typical cert au
      • To run a business in the USA, you file with the secretary of state of your state plus file for a federal employer ID. You do about as much for that as a cert authority (CA) has you do.

        In most states, provided you don't have an actual storefront, you don't need to file anything to be a sole proprietorship. The only thing you may need to file in states that have sales tax (not all do!) is an app. for license to collect sales tax. All that takes is a valid address and possibly an SSN#, at least in NY stat

  • by mandelbr0t ( 1015855 ) on Tuesday December 19, 2006 @06:30PM (#17307012) Journal

    The Forum excluded sole proprietorships, general partnerships and individuals because its members couldn't agree on criteria for validating them effectively, something some members said can be difficult.

    From TFA, this is the reasoning behind the stocking saleswoman's problems. Now, I tend to disagree that it's difficult to find criteria for validating a Proprietorship, since I've formed one myself. While getting the trade certificate and license to collect tax are easy, obtaining a valid small business bank account is not. I'm thinking that those 3 taken as a whole should be enough information to determine whether the Proprietorship in question exists and is doing legitimate business, at least here in Canada.

    I don't think Microsoft screwed up here, incredibly enough. They've released a new product based on standards (of all things!). It doesn't erroneously display this woman's site in yellow or red, and it will correctly display it in green when the forum which determined the new certificate standard makes it available to Proprietorships. The article accuses Microsoft of tilting the online commerce playing field heavily toward big business again, but this isn't really Microsoft's fault. I agree that the new certificate standard should have included everyone from the get-go, but you can't fault Microsoft for building this useful feature on the latest standard.

    mandelbr0t

    • by John Hasler ( 414242 ) on Tuesday December 19, 2006 @07:05PM (#17307378) Homepage
      > While getting the trade certificate...

      Not required in the US.

      > ...and license to collect tax...

      Not every US state has sales tax (and in those that do many goods and services are exempt).

      > ...obtaining a valid small business bank account is not.

      There is nothing especially special about a "small business bank account" here.
  • by roca ( 43122 ) on Tuesday December 19, 2006 @06:32PM (#17307036) Homepage
    Users will quickly learn to ignore the status bar color just like they've learned to ignore all other security warnings (thanks to expired certificates and other false negatives we throw in their face every day).
  • bonding (Score:3, Interesting)

    by TheSHAD0W ( 258774 ) on Tuesday December 19, 2006 @06:38PM (#17307098) Homepage
    I agree with Microsoft, actually; it can be difficult to take what looks like a perfectly legitimate business and guarantee that they aren't actually sniffing for your personal information. But only labeling large businesses as "safe" will indeed put serious burdens on smaller companies.

    Perhaps Microsoft could allow for companies who wish to "go green" to purchase a certain amount of insurance from established bonding companies assuring shoppers that their information won't go awry. Bonding companies know how best to deal with this sort of risk; they would subject their client companies to audits, making sure servers were secure and weren't caching the wrong sort of data.
  • by Silicon_Knight ( 66140 ) on Tuesday December 19, 2006 @06:39PM (#17307120)
    I'm a small business owner, and guess what, I would have ZERO problems with this "green bar" policy.

    Reason? I made damn sure that I'm incorporated as either a limited liability company (L.L.C) (www.3dprints4less.com - not up yet) or an S-corporation (www.seattleprototypes.com).

    In this day and age of litigation, there is NO reason why if you're going into business you should even consider sole proprietorship or general partnership agreement. IANAL, but go pick up any of the Nolo self-help books (recommended by lawyer friends) and they make it clear: The LLC and corp status is a bit more paperwork to upkeep, but offers MUCH better protection for the business owners. As a sole proprietorship, you are personally liable - down to your last nickel in your bank account, if your business incurs any liabilities. As a general partnership, you would be personally held liable for not only your business's liabilities, but the action of your partners as well (if your partner racks up a debt, skips town, and the creditor has easy access to you - guess who's in the hot seat).

    Not to mention, there's huge benefits you can get tax wise, from being a corporation or LLC. Corporate tax rates are a heck of a lot lower for one!

    So, Aunt Joy making custom stockings, please, go pick up a self help book and get your business set up properly. This way some slimebag ambulance chaser can't sue you out of the house you're growing old in when some irresponsible parent let their kid chew off a bit of the stocking and the kid chokes on it.

    -=- Terence
    • by Ashtead ( 654610 ) on Tuesday December 19, 2006 @06:51PM (#17307254) Journal

      But is Microsoft the right one to enforce this? Even if sole proprietorship or general partnership might be inadvisable, it isn't illegal, and Microsoft or anyone else who is not the government has absolutely no jurisdiction and no mandate to make it so.

      Something seems definitely out of bounds here...

      • But is Microsoft the right one to enforce this? Even if sole proprietorship or general partnership might be inadvisable, it isn't illegal, and Microsoft or anyone else who is not the government has absolutely no jurisdiction and no mandate to make it so.

        Something seems definitely out of bounds here...

        What, like the fact that it's a free market and whoever provides the 'safest' service has a leg up? (notice safest is in quotes) Seems pretty normal to me. What exactly is out of bounds about this? And, by o

    • Hey mate, the world doesn't end at the US borders. In other parts of the world being a sole trader is common and accepted you need do nothing to "get in business", no forms to fill, nothing to apply for, you just wake up one morning and start "in business". It is a legal structure for a business, why treat it any less legitimately than another.
      • In other parts of the world being a sole trader is common and accepted you need do nothing to "get in business", no forms to fill, nothing to apply for, you just wake up one morning and start "in business".

        BTDT, in the US. No big deal. The only forms I needed to fill out were tax returns and a sales tax license that allowed me to collect NY State sales tax on sales.

        -b.

    • As a sole proprietorship, you are personally liable - down to your last nickel in your bank account, if your business incurs any liabilities.

      As a sole proprietor, shouldn't you have enough control over your business to guard against this? And shouldn't you be moral enough to *want* to actually pay your liabilities when you do something wrong?

      I've never understood why society allows LLCs and S-corporations to begin with- seems like a huge opportunity for con artists to take advantage of everybody else.
      • Re: (Score:3, Insightful)

        by Draknor ( 745036 )
        As a sole proprietor, shouldn't you have enough control over your business to guard against this? And shouldn't you be moral enough to *want* to actually pay your liabilities when you do something wrong?

        It's just a legal framework -- and no, you can never have "enough control" to guard against this. In a sole proprietorship, you are not legally distinct from your business, so any liabilities against the business can be taken out of your personal accounts. Assuming you are a legitimate business owner tryin
        • It's just a legal framework -- and no, you can never have "enough control" to guard against this. In a sole proprietorship, you are not legally distinct from your business, so any liabilities against the business can be taken out of your personal accounts. Assuming you are a legitimate business owner trying to make a profit (not just a shell corporation trying to avoid taxes), your biggest risk (I'm guessing) is from frivolous lawsuits.

          The reason frivolous lawsuits exist is because business owners attempt
          • by Copid ( 137416 )
            The reason frivolous lawsuits exist is because business owners attempt to skimp out on their responsibilities to begin with. If you acted morally towards the people coming on to your property there'd be no grounds for a lawsuit.
            I think that you and the rest of us are using different working definitions for the word "frivolous."
        • because we can't guard against the stupidity & greed of other people.

          In the case of the USA, isn't this what the 2nd amendment is supposed to be for? You know, the right to keep and bear arms...

    • So, Aunt Joy making custom stockings, please, go pick up a self help book and get your business setup properly.

      I'm sure Aunt Joy would love to, as would I, but neither of us can absorb the $500 filing fee. Stockings just ain't that profitable.
    • Taxes are a reason not to incorporate, at least in my state. A former boss incorporated for self-protection and the need to pay taxes quarterly nearly drove him under, since the computer-repair business can be rather seasonal.
    • In this day and age of litigation, there is NO reason why if you're going into business you should even consider sole proprietorship or general partnership agreement.

      Registering as a corporation costs time and money. If you're just starting out, you may not have either to spare. Even $500 can be a big deal for some people, especially those who are young and in transition. Why should we impose one more artificial barrier to the success of the little guy?

      That being said, I see a possible service in small bu

  • So how long till the first hack that turns IE green?

    Doh!
    • Re: (Score:2, Interesting)

      by rjdegraaf ( 712353 )
      What about a window without an address bar, but with an image which looks like an address bar.
  • Well this is quite an easy issue. For MSIE it is MS that says what site is OK or not. So there is a convicted monopoly leveraging its monopoly again, trying to protect me (and by the way doing their own business with filters).

    On the other side is Fx or Opera using third party blacklists (since they do browsers not other stuff like lists).

    So the difference between MSIE+MS filters is that both come from the same monopoly. Fx or Opera use third party data (assuming that is not the same benefit for them) for filter
  • If you run a small business put a heading saying "Best viewed with Mozilla Firefox or Opera" and put "Get Firefox" and "Get Opera" buttons at the top. You can also add a bit text explaining that while the page will work in IE, it'll be improved by the other two.

    You could always add a bit of blurb on how dodgy IE is if you want to rub salt in.
    • by LordEd ( 840443 )
      If you're a small business and place Firefox/Opera buttons on your site, you are distracting your customer base from the purpose of visiting your site (buying products and services)
  • Let's not give small businesses a green bar. Of course small business generates 60+% of sales in the U. S. annually, but we don't care if we alienate them. Typical MS attitude. How they got so powerful and remain so clueless amazes me.
    • by Ucklak ( 755284 )
      The small business owners could revert to the old 1997 methodology where they can display a logo "Site works best with Firefox" AND make a buck on the download instead of those older "Works best with IE" logos.

  • If IE is going to put a firm at a competitive disadvantage, the logical thing to do is target non-IE users, and, perhaps, run a non MS shop, that is if MS does not believe you are trustworthy.

    Look at the demographics. Who are these non-IE users? Well, many of them are Mac users with enough expendable income to buy a Mac. Many are *nix users who like do-it-yourself projects. The independent-minded Windows user cannot be ignored either.

    It seems to me that many firms go under because they are all chasin

  • by Dracos ( 107777 ) on Tuesday December 19, 2006 @07:34PM (#17307648)
    millions of Internet users who will soon be running IE7

    This depends on millions of new Intel machines being purchased after January 30. February and March are the slowest period of the year for any non-essential item, as people are recovering from their holiday spending binges. Retail box sales of Vista will be all but limited to hard core gamers who want DirectX 10 a year before any games actually take advantage of it.

    Ok, so IE7 is available on XP if you have SP2 installed. Still not staggering market share if you ask me.

    The typical user doesn't notice anything above the top of the page, including the address bar, which is why there's an anti-phishing toolbar in the first place. They'll only notice the color change the first time it happens because a semi-helpful, condescending dialog box will pop up, which the user will check the "do not display again" box, click OK, and continue on their oblivious way without having read the actual message. After that, they'll probably never realize that it changes colors, and if they do, they'll momentarily wonder why, and continue on their merry way.

    If something is routinely ignored, it's not useful because it's not being used. This is just one more thing that users will ignore while they submit their credit card info to http://amazon.com.hahawepwnyou.com/ [hahawepwnyou.com] to buy the latest American Idol greatest hits CD.

    MS is widely considered to overdo it with the handholding of Windows users, making everything seem cozy and easy, and then they go and implement this toolbar which only gives the illusion of security, in the hopes that the ignorant masses they've created will pay attention to it.

    Not gonna happen. Phishing will continue until people learn to use the Internet, just like spam will continue until SMTP is replaced.
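
The look-alike hostname quoted in the comment above, amazon.com.hahawepwnyou.com, is caught by comparing registrable domains rather than looking for a familiar name somewhere in the URL. This is an added example, not part of the original thread; the short suffix set, the trusted-site list and every sample URL except the one quoted from the comment are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# Assumption of this example: a production check loads the full list instead.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}

# Hypothetical list of sites the user really does business with.
TRUSTED_DOMAINS = {"amazon.com", "microsoft.com"}


def hostname_of(url):
    """Lower-cased host of a URL, without port, userinfo or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def registrable_domain(host):
    """Public suffix plus one label to its left, or None if none is found."""
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" is preferred over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # unknown suffix, bare name or IP address


def naive_check(url, trusted=TRUSTED_DOMAINS):
    """The weak test a hurried reader applies: is a known name in the URL?"""
    return any(name in url for name in trusted)


def classify(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, registrable_domain) for a URL.

    'trusted'   - the registrable domain is on the trusted list
    'lookalike' - a trusted name appears as whole labels inside the host,
                  but the registrable domain belongs to someone else
    'unknown'   - neither of the above
    """
    host = hostname_of(url)
    reg = registrable_domain(host)
    if reg in trusted:
        return ("trusted", reg)
    for name in sorted(trusted):
        # Match on label boundaries only, so "notamazon.com" is not flagged.
        if host.startswith(name + ".") or ("." + name + ".") in host:
            return ("lookalike", reg)
    return ("unknown", reg)


# First URL is the one quoted in the comment; the rest are constructed.
SAMPLE_URLS = [
    "http://amazon.com.hahawepwnyou.com/",
    "http://www.amazon.com.hahawepwnyou.com/",
    "https://www.amazon.com/gp/cart",
    "https://AMAZON.com:443/",
    "http://notamazon.com/",
    "https://shop.example.co.uk/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, reg = classify(url)
        print(f"{verdict:9}  naive={naive_check(url)!s:5}  {reg}  {url}")
```

The naive substring test accepts the phishing URL because the trusted name sits at the left of the host, while ownership is decided by the labels at the right.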

    • Subject: Summary makes a flawed assumption, MS another

      millions of Internet users who will soon be running IE7

      I don't think this is a flawed assumption (that millions will soon be using IE7). It seems like an obvious assumption, to me.

      This depends on millions of new Intel machines being purchased after January 30. February and March are the slowest period of the year for any non-essential item, as people are recovering from their holiday spending binges. Retail box sales of Vista will be all but limite

  • by Todd Knarr ( 15451 ) * on Tuesday December 19, 2006 @07:40PM (#17307702) Homepage

    Only one response needed: http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx [microsoft.com]

    This was a class-3 code-signing certificate from Verisign, giving all the correct details for Microsoft but the request was coming from a bunch of crackers. How long, then, until the phishers figure out how to get EV-SSL certificates of their own?

  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Tuesday December 19, 2006 @07:45PM (#17307754) Journal

    And we know that it's only a matter of time...

    And the clincher is that the longer it takes to crack, the worse the ramifications are going to be when it happens.

  • by alex_guy_CA ( 748887 ) <alex@NoSPAm.schoenfeldt.com> on Tuesday December 19, 2006 @07:45PM (#17307760) Homepage
    I remember a few years ago, this company licensed a Haiku to put in the email headers. If the Haiku was there, you were automatically white listed in various spam filters. If you used the Haiku without paying the license, you could be sued not for spam, but for copyright infringement. I wonder if they still exist. Anyway, small businesses were priced out of the system. If you weren't sending 1,000,000 emails a month, don't bother calling them because you can't afford it. It seemed like such a stupid way to do business in an internet age. I'd pay .05 to make sure an email made it to a client. Oh well.
  • Is just in the way. What better way to kill them off than FUD them into bankruptcy.
  • > There are about 20.6 million sole proprietorships and general partnerships in the U.S...

    As if millions of small businesses owners suddenly cried out for their lawyers.
  • by wbean ( 222522 ) on Tuesday December 19, 2006 @07:56PM (#17307846)
    We have a Web site where we process orders for other companies. The pages are customized to our customers' look and feel and the credit cards are processed against their accounts but all of the transactions take place on our server and use our certificate.

    We have no problem getting the new certificates but what company name should appear in the bar? If we put our own name in, we will confuse the end users who have never heard of us. If we want to use our customers' company name, then they each have to get their own certificate and we have to assign separate IP addresses to each of our customers - at the moment we only need one IP.

    What a nuisance.
    • "We have no problem getting the new certificates but what company name should appear in the bar?"

      As a small business owner faced with having to go through all sorts of shit setting up a corp to merely appear nice and trustworthy like a big company such as Enron, I'd quite happily forfeit my fancy logo in favor of your generic "Acme Online Stores" message bar.

      As for Microsoft, I wish they'd just go away.
  • It's late, and I just got back from drinking a lot of wine at my office Christmas party, so maybe I'm missing something, but bear with me and point it out politely, but as I see it we have the following:

    1) MS do nothing about phishing, and are lambasted about a lack of security, not addressing the problem, etc

    2) MS do something about phishing, and are lambasted about making it harder for unknown/sole traders to set up "trusted" websites

    Do I have that right? MS do nothing, get slated, do something, get slate
  • for the security exploit that allows random phishing sites to turn the tool bar green.

    Or worse, turns a legit site red, and then suggest a bogus site to visit instead.

    Considering the MS security history, this is very plausible.
  • I've bought plenty of stuff online, and I've never been burned. For sites that look dodgy, just transfer the payment through PayPal or something of the sort so your CC# isn't given out directly to the company. Only buy stuff on a credit card with a limit - they can't charge more than the limit to the card without the bank closing the card and notifying you. As far as phishing e-mails go, check the frickin' URL before you give out your data. If you're too stupid to do that and/or respond to e-mails that
  • by miller60 ( 554835 ) on Tuesday December 19, 2006 @10:40PM (#17308892) Homepage
    VeriSign is charging $1,299 a year [verisign.com] for extended validation certificates, and I wonder how many small businesses would be willing to fork over that amount for the benefits of EV SSL. Other certificate authorities will eventually offer these as well, and charge less.

    Several CAs, including Digicert [websitehostdirectory.com], are seeking to have the standard revised to include small businesses. I don't believe the CA/Browser Forum has finalized the standard yet, as there were some holdouts last I checked.
