Who Are You Surfin? New Ways to Be Cert'in

By Larry Seltzer  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Opinion: Opponents of EV SSL certs would make the perfect the enemy of the good.

It seems like every time people get together to do something about a security problem, other people get together to whine about it.

Now they're whining about EV (Extended Validation) SSL Certificates: EV certs are a scheme by Microsoft to screw other browser vendors. They're an attempt by certificate authorities to gouge Web site operators. They're just more evidence of big corporations trying to stifle competition by the little guy.

Before we go into what EV certificates really are, let's note that the cabal that designed this conspiratorial tool is an industry consortium called the CA/Browser Forum (CA for "Certification Authority").

Opera Software has announced real-time fraud protection for its Web browser Opera 9.1, using technology from GeoTrust, a digital certificate provider, and PhishTank, a collaborative clearinghouse for data and information about phishing on the Internet. Click here to read more.

EV certificates are a very high assurance certificate (in fact, the standard had previously been referred to as "High Assurance SSL"). But ironically what's different and supposed to be confidence-inspiring about them has little to do with technology and more to do with old-fashioned detective work.

The CA/Browser Forum describes the vetting process that must be performed by CAs. (A more detailed spec is available in PDF form here.)

Applicants have to be legally recognized and identifiable entities with rights to use the company name and domain name specified for the certificate. Real checks are done, and the work involved justifies the high cost of the certificates (GeoTrust charges $899; Verisign is asking $1,299 for one year).

The CA/Browser Forum members include every certificate authority you've ever heard of and a few you haven't. They also include, representing browser authors, Microsoft, Mozilla, Opera and KDE (but not Apple—I asked Apple why they weren't involved with the Forum and got no response from the company). Finally, the CA/Browser Forum also says that:

...members of the Information Security Committee of the American Bar Association Section of Science & Technology Law and the Canadian Institute of Chartered Accountants have participated in developing the standards for Extended Validation SSL certificate procedures and standards.
I happen to know people on the ABA's Information Security Committee and asked them for comment and got no response.

In any event, this group has hardly been acting in secret. I've read about EV certificates for months, but it's only generating controversy now because CAs have begun to issue the certs (Overstock.com got the first) and browser upgrades to support them are just around the corner.

What most users will see is in new browsers (IE7 most famously, but also the latest Opera), when a site has one of these certificates, the browser address bar will turn green and the certificate owner name will be displayed big and bold. The color change in IE will be analogous to the red and yellow color changes used by their phishing filter to denote suspicious and known phishing sites.

Some have suggested that the "suspicious" yellow address bar is an attempt to cause confusion for users of Firefox who see a gold address bar when the site is using an SSL certificate.

Next page: The Tool of Big e-Business?

But the real controversy has to do with the fact that EV certificates are only available to registered corporations, not sole proprietorships, general partnerships and individuals. The Forum decided there was no practical method with a high-enough degree of confidence to confirm the identity and authority of such persons and groups.

This is the origin of the claim by some that EV certs are a big business tool to stifle small business, but the claim doesn't come with any constructive advice, just complaining. I'm personally the sole proprietor of my own business; as far as I know, the only way to confirm that I have a business in this form would be to audit my tax return. As much respect as I have for Verisign, I don't think the answer is to let them have access to my 1040.

Even if you could devise a system that could give enough confidence to confirm the identity of individuals, sole proprietorships and general partnerships, it would be even more expensive for having done so. The inevitable result would be criticism of the system for charging the little guy more than the big corporation.

And when you see people blithely assert that phishers won't be deterred because they will just get EV certs themselves, you should ask them how the phishers are going to do that.

Even if they go to the trouble of incorporating and paying the not-insubstantial fees for the certificate, note that the use of the certificate will be tied to the domain for which it is bought. They can't just stick the phishing site on some Comcast user's hijacked PC; they won't get the green bar that way.

If I'm going to criticize anyone about EV certificates, it's that they expose what a failure earlier generations of SSL certificates were. Both CAs and browser vendors deserve criticism for this.

SSL certs serve two technical functions: They are a key for encrypting the communications between the user and the site, and they authenticate the site to the user. For the first purpose SSL is a big success. For the second, they are basically a failure.

Normal users can't be expected to go through the trouble to check the details of a certificate to see if they really should trust the authenticated entity and the certificate authority that issued the cert. This is inconvenient in standard browsers for standard SSL certs.

And there have been plenty of examples of shady operations with shady names getting SSL certs from reputable vendors.

Even if CAs are diligent about revoking certs that develop problems, you can't assume that the browser will have revocation checks turned on. Like it or not, the genie's well out of the bottle on these certs; they have been devalued permanently as an authentication device.

Kaspersky Lab has published evidence that Google is making money from phishing attacks. Click here to read more.

But with EV certificates, the identity of the site owner is prominent, as is the CA. For the color-coded functionality to be enabled, certificate revocation checks must be turned on. They really should have done it this way in the first generations of certs.

It's true that EV certs suffer from the same flaw that afflicts all systems for authenticating sites to the user: they don't, in and of themselves, prove that false sites are false. The user looking at a fake Paypal site has to notice that the green bar isn't there. Anti-phishing systems like the ones in IE7 and Firefox 2 can help with this, but they aren't 100 percent effective.

But just because they aren't perfect is no reason to oppose EV certs. Some improvement is needed for the sake of consumers and of good brands. I sympathize with small businesses that cannot get the green bar on their own Web pages, but if enough money's involved for them, they can always incorporate or use a store under eBay, Yahoo or some other large entity that will inevitably obtain a real EV cert.

In the meantime, Internet users are better off with EV certificates than without.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's eWEEK Security Watch blog.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...