It seems like every time people get together to do something about a security problem, other people get together to whine about it.
Now they’re whining about EV (Extended Validation) SSL Certificates: EV certs are a scheme by Microsoft to screw other browser vendors. They’re an attempt by certificate authorities to gouge Web site operators. They’re just more evidence of big corporations trying to stifle competition by the little guy.
Before we go into what EV certificates really are, let’s note that the cabal that designed this conspiratorial tool is an industry consortium called the CA/Browser Forum (CA for "Certification Authority").
EV certificates are a very high assurance certificate (in fact, the standard had previously been referred to as “High Assurance SSL”). But ironically what’s different and supposed to be confidence-inspiring about them has little to do with technology and more to do with old-fashioned detective work.
The CA/Browser Forum describes the vetting process that must be performed by CAs. (A more detailed spec is available in PDF form here.)
Applicants have to be legally recognized and identifiable entities with rights to use the company name and domain name specified for the certificate. Real checks are done, and the work involved justifies the high cost of the certificates (GeoTrust charges $899; Verisign is asking $1,299 for one year).
But with EV certificates, the identity of the site owner is prominent, as is the CA. For the color-coded functionality to be enabled, certificate revocation checks must be turned on. They really should have done it this way in the first generations of certs.
It’s true that EV certs suffer from the same flaw that afflicts all systems for authenticating sites to the user: they don’t, in and of themselves, prove that false sites are false. The user looking at a fake Paypal site has to notice that the green bar isn’t there. Anti-phishing systems like the ones in IE7 and Firefox 2 can help with this, but they aren’t 100 percent effective.
But just because they aren’t perfect is no reason to oppose EV certs. Some improvement is needed for the sake of consumers and of good brands. I sympathize with small businesses that cannot get the green bar on their own Web pages, but if enough money’s involved for them, they can always incorporate or use a store under eBay, Yahoo or some other large entity that will inevitably obtain a real EV cert.
In the meantime, Internet users are better off with EV certificates than without.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com.