ULTRA CERTIFIED OR CERTIFIABLY USELESS?

13. March 2007, 16:05 | by WD Milner

I recently received a letter from Verisign promoting their new Extended Validation (EV) SSL Certificates.

These are now apparently the latest thing being touted by certificate authorities and members of the CA/Browser Forum as a means to help users more readily identify fraudulent web sites and mitigate phishing. The new certificates supposedly indicate that the domain owner or organization has undergone more thorough identification. The whitepaper from Verisign also claims that traditional SSL Certificates are not sufficient protection, thereby using the FUD (fear, uncertainty, doubt) marketing ploy. Don't expect to see these on large numbers of sites anytime soon; they are only available to government agencies and incorporated companies, and at quite healthy fees.

For those in love with Internet Explorer 7 eye candy, they will display the organization name on the location bar which will now turn a shade of green to indicate a “safe” site. I don’t suppose that anyone has ever told these people that the most common form of colour blindness is red-green; so how exactly does a colour blind person tell the pinkish red warning bar from the minty green safe bar? I think they need a usability/accessibility person on their staff.

For those who always wonder about sites automatically updating their computers, the following from the Verisign whitepaper is interesting (emphasis mine):

“While the EV interface elements occur automatically for Windows Vista clients visiting a site, IE7 on Windows XP requires an SSL root update before the browser is able to display EV certificates as such. VeriSign has created VeriSign® EV Upgrader, the first ever solution to enable all visiting IE7 browsers to detect EV SSL Certificates and display them appropriately. EV Upgrader takes advantage of existing root update capabilities in the Windows operating system to automatically and invisibly download and install the new EV root on the client system. To make EV Upgrader as easy to use for site administrators as possible, VeriSign has built it right into the VeriSign Secured Seal including the VeriSign Secured Seal you may already have installed on your site.”

As if the above were not enough, a Stanford University study showed that the Extended Validation certificates did nothing to help users identify common phishing attacks, that the interface can actually be spoofed and that training users on the system can actually decrease their ability to detect attacks.

It would seem the only definite information it will provide a user is that the company paid extra money for their SSL certificates.

- 30 -

Keywords: security,verisign,ssl,certificates,microsoft,internet explorer,IE7
