Who Are You Surfin? New Ways to Be Certin

Opinion: Opponents of Extended Validation SSL certs would belittle any improvement that falls short of perfection.

It seems like every time people get together to do something about a security problem, other people get together to whine about it.

Now they're whining about EV (Extended Validation) SSL Certificates: EV certs are a scheme by Microsoft to screw other browser vendors. They're an attempt by certificate authorities to gouge Web site operators. They're just more evidence of big corporations trying to stifle competition by the little guy.

Before we go into what EV certificates really are, let's note that the cabal that designed this conspiratorial tool is an industry consortium called the CA/Browser Forum (CA for "Certification Authority").


EV certificates are a very high-assurance certificate (in fact, the standard had previously been referred to as "High Assurance SSL"). But ironically, what's different and supposed to be confidence-inspiring about them has little to do with technology and more to do with old-fashioned detective work.

The CA/Browser Forum describes the vetting process that must be performed by CAs. (A more detailed spec is available in PDF form here.)

Applicants have to be legally recognized and identifiable entities with rights to use the company name and domain name specified for the certificate. Real checks are done, and the work involved justifies the high cost of the certificates (GeoTrust charges $899; Verisign is asking $1,299 for one year).

The CA/Browser Forum members include every certificate authority you've ever heard of and a few you haven't. They also include, representing browser authors, Microsoft, Mozilla, Opera and KDE (but not Apple—I asked Apple why they weren't involved with the Forum and got no response from the company). Finally, the CA/Browser Forum also says that:

"...members of the Information Security Committee of the American Bar Association Section of Science & Technology Law and the Canadian Institute of Chartered Accountants have participated in developing the standards for Extended Validation SSL certificate procedures and standards." I happen to know people on the ABA's Information Security Committee and asked them for comment and got no response.

In any event, this group has hardly been acting in secret. I've read about EV certificates for months, but it's only generating controversy now because CAs have begun to issue the certs (Overstock.com got the first) and browser upgrades to support them are just around the corner.

What most users will see is this: in new browsers (IE7 most famously, but also the latest Opera), when a site has one of these certificates, the browser address bar turns green and the certificate owner's name is displayed big and bold. The color change in IE is analogous to the red and yellow color changes used by its phishing filter to denote suspicious and known phishing sites.

Some have suggested that the "suspicious" yellow address bar is an attempt to cause confusion for users of Firefox who see a gold address bar when the site is using an SSL certificate.
