Extended validation SSL, a bad taste joke

Yesterday Microsoft officially announced Extended Validation SSL support in IE7 at the RSA show, but some of these new certificates had already started appearing a few weeks ago. An Extended Validation certificate is just like a regular SSL certificate, but it is issued under stricter criteria.

The Certification Authorities must:

  • establish the legal identity as well as the operational and physical presence of the website owner;
  • establish that the website owner has exclusive control over the domain name;
  • confirm the identity and authority of the individuals acting for the website owner.

To compensate the site owner for this more complex and expensive process, the browser displays more prominent visual cues to reassure visitors. More specifically, IE7 turns the address bar green and shows the name of the business that owns the site.

EV certificates are supposed to increase users’ confidence that a web site is legitimate and are also supposed to stop phishing. So everybody should be happier now? Not exactly …

Problem #1 - Effectiveness against phishing

An interesting study (pdf) by Stanford and Microsoft (!) researchers showed that the green bar made almost no difference to whether a user could tell a fraudulent site from a legitimate one. Here is the very last paragraph of the paper:

If Extended Validation becomes widespread, we expect that online criminals will try to mimic its trust indicator, just as they have copied other legitimate financial websites in the past. Like its predecessor, the lock icon, extended validation is vulnerable to picture-in-picture user interface spoofing attacks. We found these attacks to be as effective as homograph attacks, the best known phishing attack. Designing a user interface that resists both homograph and picture-in-picture attacks should be a high priority for designers of future browsers.

The study will be presented at the Usable Security 2007 conference next week, not good timing now that the new certificates are already being sold and marketed. (Thanks to Tim Erlin for the tip.)
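The homograph attacks the quoted paragraph mentions rely on domain labels that mix visually identical letters from different scripts, which no certificate, EV or not, can reveal to a user who reads only the rendered name. The following is an added example, not code from the original post or from the cited paper, that flags such labels by approximating each character's script from its Unicode name (the standard library exposes no script table) and shows the punycode form that a resolver actually sees; the sample hostnames are constructed for the demonstration.

```python
import unicodedata

# Constructed sample hostnames (not from the original post). The second and
# third substitute Cyrillic letters that render identically to Latin ones;
# the fourth is a legitimate single-script IDN in its punycode form.
SAMPLES = [
    "paypal.com",
    "p\u0430ypal.com",          # U+0430 CYRILLIC SMALL LETTER A in place of 'a'
    "\u0440\u0430ypal.com",     # U+0440 CYRILLIC ER + U+0430 in place of 'pa'
    "xn--bcher-kva.example",    # punycode of "b\u00fccher.example"
]


def script_of(ch):
    """Approximate the Unicode Script property from the leading word of the
    character name; digits, hyphen and dot are script-neutral ("COMMON")."""
    if ch in "-." or ch.isdigit():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_unicode(host):
    """Decode punycode (xn--) labels so that lookalike letters become visible."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def to_ascii(host):
    """Encode to the wire form a resolver sees; an xn-- prefix is the tell-tale."""
    return to_unicode(host).encode("idna").decode("ascii")


def analyze(host):
    """Report the scripts used in each label and whether any label mixes
    scripts, which is the signature of a homograph like p<Cyrillic a>ypal."""
    uni = to_unicode(host)
    per_label = {}
    for label in uni.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        per_label[label] = sorted(scripts)
    ascii_form = to_ascii(host)
    return {
        "unicode": uni,
        "ascii": ascii_form,
        "idn": uni != ascii_form,
        "scripts": per_label,
        "mixed": any(len(s) > 1 for s in per_label.values()),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        r = analyze(sample)
        verdict = "MIXED SCRIPTS" if r["mixed"] else ("idn" if r["idn"] else "ascii")
        print(f"{sample!r:32} -> {r['ascii']:28} {verdict} {r['scripts']}")
```

A mixed-script label is a strong signal but not proof of an attack, and a single-script IDN such as the "bücher" sample is legitimate; browsers later adopted exactly this kind of per-label script check to decide whether to display a name in Unicode or fall back to the xn-- form.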

Problem #2 - Exclusion of small businesses

EV certificates are quite expensive ($1499 from Verisign) and only a small subset of existing companies is eligible to apply: sole proprietorships, general partnerships and individuals are excluded! This happened because the members of the CA/Browser Forum, the industry group of Certification Authorities and browser developers promoting EV, couldn’t agree on criteria for validating small businesses effectively.

An article in the Wall Street Journal reports the case of Ms. Murphy, an entrepreneur who has been successfully selling handmade Christmas stockings on the Internet for 12 years.

Ms. Murphy, a sole proprietor, worries what will happen once consumers grow accustomed to the new bars. “Green means go shop with confidence. What does not having the green bar mean?” Ms. Murphy asks. “For that new customer, are they going to pass me by because I don’t have a green bar?” She’ll know soon enough.

Therefore, if a business is too small to incorporate and apply for the new certificate, the only way to get a green bar is to sell its products through a kind corporate partner like Amazon, eBay or Yahoo. A bit of profit dilution won’t kill anybody, but it makes it harder for competitors to grow …

And I won’t be surprised if search engines add EV compliance to the list of qualifying parameters that affect website rankings.

Doesn’t this start to smell like a scam? Or racketeering? I can’t believe EV doesn’t violate anti-trust laws. Hey Brussels!

Problem #3 - A US-centric solution

The whole EV proposal came from a group made up mostly of US based corporations, the only exceptions being Swisscom, Diginotar and Opera Software. No national European CAs, no Asian or European banks, no open standards bodies. And, unsurprisingly, to date only US based CAs are ready to issue EV certificates.

We used to think of the Internet as the great leveler of the playing field, allowing individuals based in remote places to compete against large corporations. I hope it can remain this way …

But what chance does a small Chinese e-commerce site have of complying with the Certification Practice Statement of Verisign or GoDaddy and getting its own EV certificate? How well do concepts like “general partnership” map onto the Chinese legal system? How complex is it to obtain and translate “verified legal opinions”?

Conclusion

Extended Validation hurts honest businesses, doesn’t punish phishers, doesn’t protect consumers. Financial Cryptography says:

Likely the EV project will fail, due to the simple mathematics of it. Too few target sites (<<1000) and too much cost in audits, re-checks, re-issue of keys (yes, required) and so forth and so on.

SSL has long been sold to end users as an indication of security and trust; maybe it’s time to change things … Unfortunately, SSL certificates provide an attractive business model, and we had better think twice before buying a new one (EV or not) and contributing to this ill-devised “security system”.

Almost 7 years ago Bruce Schneier and Carl Ellison wrote an enjoyable and sound paper: “Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure”. Go, get it! It is as valid as it was then. Nothing has changed. Except that today we are relying on the Internet for so many more things …

old locks


Extended validation SSL, a bad taste joke

Good evening, This is not s

Extended validation SSL, a bad taste joke

Marco: Thanks for your comment over at my blog!

I’ve responded there, but here’s what I think in case you don’t end up back there.

I don’t consider EV a bad taste joke, more a wine that will get better with age…

RE: Limited effectiveness. I posted on that study last month. http://trustme.goingon.com/permalink/post/9529 ‘Proved’ is by far too strong a word - it was a limited study with a very small sample. I’m a glass half full person and I noted the researchers’ own optimism for the success of EV as it becomes more widespread, and as their findings are folded into new releases of browsers.

RE: Exclusion of small business. This is a temporary situation. The CA/Browser Forum is working towards extending the guidelines to include a wider range of business entities.

RE: US-Centric. I think many members of the CA/Browser forum would disagree. You noted in your blog entry Swisscom, Diginotar and Opera Software. The CA/Browser Forum site shows representation goes beyond the US. http://www.cabforum.org/forum.html

  • Certum - Poland
  • Comodo CA Ltd - UK
  • DigiNotar - Netherlands
  • Echoworx Corporation - Canada
  • GlobalSign - Belgium/UK
  • ipsCA, IPS Certification Authority s.l. - Spain
  • QuoVadis Ltd. - Bermuda
  • Swisscom Digital Certificate Service - Switzerland
  • TDC Certification Authority - Denmark
  • Thawte, Inc. - South Africa (OK they’re owned by Verisign, but I think they’d take offense at being called a US company!)
  • Trustis Limited - UK

Equal chances

Andrew, your remarks are certainly valid, but I’m afraid EV is one of those wines that does not improve with age …

With regard to non-US representation in the CA/Browser Forum, it is limited to private companies. No national European CAs or other institutional bodies are present.

My concern is not about fair representation, but about criteria to issue certificates. I’m not convinced that all the players (big and small ones, in the US or in Pakistan) will have the same chances to obtain the right certificate.

Marco

I have already written code that installs the GREEN Bar

and it works just fine. It makes my certs look just like the ones from the major companies.

If I can do it so can anyone else that can program.

I am using these certs on my site and it’s GREEN and working just like the ones from the famous so-called authorities.

By the way anyone that wants

By the way, anyone that wants the code, just write and I will be happy to send it to you.

Stephen Cohen steve [at] 17q [dot] com

making ev certificate work

We just bought an EV certificate from Thawte and installed it on our site, which had a regular SSL certificate installed and running fine, but it is not working exactly. On IE7, the green bar disappears after about 1 sec of being on the page. Customer support said that was because some of the images on the pages were not https or something. The odd thing is that it was working on the old certificate. Has anyone encountered this before?

Also, we are trying to get Google analytics to work in a secure environment and having trouble with it. Any ideas?
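The symptom described in the comment above, a page that loads over https but then pulls images or scripts over plain http, is what browsers call mixed content, and IE7 withdraws the EV indicator for such a page. The following is an added example, not the commenter’s or Thawte’s code, that scans a page for subresources fetched over http, resolving relative and scheme-relative references against the page URL; the HTML, the hostnames and the page URL are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from the original post), assumed to be served
# from https://shop.example/checkout. It mixes https, scheme-relative ("//"),
# site-relative and plain http references, including both the http and the
# https hosts that the classic Google Analytics snippet chose between.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="https://ssl.google-analytics.com/ga.js"></script>
</head><body>
<img src="//cdn.example/logo.png">
<img src="http://cdn.example/banner.gif">
<a href="http://shop.example/terms">terms</a>
<iframe src="http://partner.example/widget"></iframe>
</body></html>
"""

# Attribute, per tag, whose value the browser fetches as a subresource.
# <a href> is a navigation, not a subresource, so it is deliberately absent:
# plain-http links do not change the security state of the page itself.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "link": "href", "iframe": "src",
    "object": "data", "embed": "src", "audio": "src", "video": "src",
    "source": "src",
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, absolute URL) for every subresource fetched over http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)  # tag names arrive lower-cased
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # urljoin turns "/css/site.css" and "//cdn.example/..." into absolute
        # URLs that inherit the page's https scheme; only explicit http survives.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return the list of (tag, url) subresources that would be loaded over http."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, url in find_mixed_content("https://shop.example/checkout", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```

Scheme-relative references (`//host/path`) are the usual fix for assets that must work on both http and https pages; they resolve to https on an https page, as the logo in the sample shows, so only the references that hard-code `http://` are reported.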

hmmm

Quite a perfect finishing touch with the locks. Wonderful image, perfect for expressing the entire article. Maybe you should be in advertising instead of bothering your mind with Microsoft’s need for Extended Validation and other things such as this.
