The Tool of Big
e-Business?"> But the real controversy has to do with the fact that EV certificates are only available to registered corporations, not sole proprietorships, general partnerships and individuals. The Forum decided there was no practical method with a high-enough degree of confidence to confirm the identity and authority of such persons and groups. This is the origin of the claim by some that EV certs are a big business tool to stifle small business, but the claim doesnt come with any constructive advice, just complaining. Im personally the sole proprietor of my own business; as far as I know, the only way to confirm that I have a business in this form would be to audit my tax return. As much respect as I have for Verisign, I dont think the answer is to let them have access to my 1040.And when you see people blithely assert that phishers wont be deterred because they will just get EV certs themselves, you should ask them how the phishers are going to do that. Even if they go to the trouble of incorporating and paying the not-insubstantial fees for the certificate, note that the use of the certificate will be tied to the domain for which it is bought. They cant just stick the phishing site on some Comcast users hijacked PC; they wont get the green bar that way. If Im going to criticize anyone about EV certificates, its that they expose what a failure earlier generations of SSL certificates were. Both CAs and browser vendors deserve criticism for this. SSL certs serve two technical functions: They are a key for encrypting the communications between the user and the site, and they authenticate the site to the user. For the first purpose SSL is a big success. For the second, they are basically a failure. Normal users cant be expected to go through the trouble to check the details of a certificate to see if they really should trust the authenticated entity and the certificate authority that issued the cert. This is inconvenient in standard browsers for standard SSL certs. And there have been plenty of examples of shady operations with shady names getting SSL certs from reputable vendors. Even if CAs are diligent about revoking certs that develop problems, you cant assume that the browser will have revocation checks turned on. Like it or not, the genies well out of the bottle on these certs; they have been devalued permanently as an authentication device. Kaspersky Lab has published evidence that Google is making money from phishing attacks. Click here to read more. But with EV certificates, the identity of the site owner is prominent, as is the CA. For the color-coded functionality to be enabled, certificate revocation checks must be turned on. They really should have done it this way in the first generations of certs. Its true that EV certs suffer from the same flaw that afflicts all systems for authenticating sites to the user: they dont, in and of themselves, prove that false sites are false. The user looking at a fake Paypal site has to notice that the green bar isnt there. Anti-phishing systems like the ones in IE7 and Firefox 2 can help with this, but they arent 100 percent effective. But just because they arent perfect is no reason to oppose EV certs. Some improvement is needed for the sake of consumers and of good brands. I sympathize with small businesses that cannot get the green bar on their own Web pages, but if enough moneys involved for them, they can always incorporate or use a store under eBay, Yahoo or some other large entity that will inevitably obtain a real EV cert. In the meantime, Internet users are better off with EV certificates than without. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at email@example.com.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.
Even if you could devise a system that could give enough confidence to confirm the identity of individuals, sole proprietorships and general partnerships, it would be even more expensive for having done so. The inevitable result would be criticism of the system for charging the little guy more than the big corporation.