A New Type of SSL Certificate Is on the Way
Web businesses face a crisis in confidence. Consumer trust in the security of sites is declining, and in increasing numbers they are scaling back online transactions - or opting out entirely. According to Forrester Research on December 8, 2005, an astonishing 24% of Internet users reported that they would not be shopping online that holiday season because they did not feel safe. A full 61% reported that they had at least reduced online purchases for the same reason. This phenomenon has been masked by the overall increase in online activities like shopping, banking, trading securities, and filing taxes. The fact remains, however, that these online businesses are less effective than they should be, and are leaving money on the table.
Starting early in 2007, Web sites will be able to definitively demonstrate their identity to customers—and customers will be able to confirm identity before trusting sites. This opportunity comes thanks to the greatest development in the Web's secure backbone in over ten years. 2007 will see the introduction of a new kind of SSL Certificate, the first since the technology's origin over a decade ago.
These new certificates will be called Extended Validation SSL Certificates, and they represent over a year's effort by an industry consortium called the CA/Browser Forum. Starting early in 2007 the CA/Browser Forum intends to make these new certificates available for the benefit of Web businesses and site visitors alike. These certificates can facilitate online commerce in all its forms by increasing visitor confidence in legitimate sites and greatly reducing the effectiveness of phishing attacks.
The erosion of SSL's identity promise
Ask your typical online shopper what the little lock on the browser means, and she will tell you transmissions are encrypted and therefore protected from spying eyes. That's correct. It is what the lock means. However, it's not all that the original pioneers in e-commerce intended it to mean.
SSL Certificates originally came about to validate the identity of a site when connected. That's because although it is difficult to mimic the identity of a physical business, it is quite easy to mimic one online. The industry understood this principle way back in 1995 and therefore invented SSL Certificates. SSL's creators intended the certificate to vouch for site identity and therefore protect online shoppers from scams.
In the beginning it worked. Today it does not. The widespread use of the Web by lay people with no special level of computer education, combined with the low visibility of the lock icon on popular browsers, has made it possible for phishing to become the phenomenon we see today.
Despite its original intentions, traditional SSL isn't the solution. While some Certificate Authorities (CAs) do a very good job of authenticating identity, others do little or employ easily fooled practices. A site can even use a self-signed SSL Certificate with no identity authentication whatsoever. About a year ago we began to see widespread phishing attacks using low-authentication, “soft-target” SSL Certificates to further the illusion of legitimacy.
Introducing identity visitors can trust
In order for SSL Certificates to reclaim their role vouchsafing site identities to visitors, we must shore up two weaknesses in the existing system. First, we need a new category of SSL Certificate that carries a high level of promise regarding a site owner's identity. Then we need a browser interface that makes it easy for users to see that identity when it's known—and recognize when it isn't. These new certificates are the Extended Validation (EV) SSL Certificate already mentioned. (You may have heard of them under their working name, High Assurance or HA SSL Certificates. Don't confuse that with the so-called “high assurance” certificates that some CAs try to peddle but which do not carry EV status.)
The CA/Browser Forum, with over twenty leading Web browser manufacturers, SSL providers, and WebTrust auditors, has worked for over a year to create a standardized authentication process that any CA must follow to issue EV certificates. Such CAs must undergo independent audit to confirm compliance with the specified process. The CA/Browser Forum built this process on existing business verification practices that have been demonstrated successful over years of widespread use.
Once a CA completes authentication according to this process, it may issue a certificate with Extended Validation status. This certificate operates exactly like a traditional SSL Certificate. In fact, browsers not built to recognize EV certificates (including Internet Explorer 6, Firefox 2, and their predecessors) behave exactly as with a non-EV certificate. New EV-compatible browsers, however, display these certificates in highly visible and more informative ways. The first such browser is Internet Explorer 7 (IE 7).
Internet Explorer 7: Green for go
IE 7 has added several interface conventions to enhance identification of site ownership. Most obvious is the “green address bar.” When an IE 7 browser accesses a page with an EV certificate, the background of the address bar turns green. This simple change indicates very visibly that a site definitely has undergone high-level identity authentication. The choice of color also follows established, proven interface conventions: in the desktop interface world green signifies “safe to proceed,” just as red signifies danger.
The green address bar is not the only change with an EV certificate, however. IE 7 contains an additional field to the right of the address bar, the Security Status Bar. This field appears when the browser can offer information that may be useful to site visitors in evaluating sites. On pages with EV SSL Certificates the Security Status Bar displays the organization name. This text string comes directly from the certificate, where the CA placed it. Because the CA verified this name and the browser displays the name in its own interface (called the “chrome”), a visitor can rely on the accuracy of this string.
In the example of hypothetical online bank BizyBank, the bank's name appears right in the interface. End consumers can verify the site's identity by looking for the green bar and the name BizyBank, presenting a significant new obstacle to phishers seeking to take over BizyBank accounts. Today a phisher need only duplicate the original site and find a convincing URL to be in business. If BizyBank's customers learn to seek its name and a green address bar before providing confidential information, then a would-be phisher will not be able to present this interface. Even if the phisher sets up a real business to purchase EV certificates for the phishing site, the browser interface would not contain the name BizyBank.
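To make concrete where the name in the Security Status Bar comes from, here is an added example (not code from the original article or from any browser or CA): it encodes an X.509 subject Name in DER the way a CA would place it in a certificate, and then extracts the organizationName (O) attribute, which is the string the browser shows. The subject values, including the hypothetical BizyBank from the article, are constructed for the example.

```python
# Minimal DER encoder/decoder for the X.509 subject Name, enough to show how the
# organizationName a CA verified ends up as bytes in the certificate and is read back.
OID_ORG = bytes.fromhex("55040a")  # 2.5.4.10 organizationName (O)
OID_CN = bytes.fromhex("550403")   # 2.5.4.3  commonName (CN)
OID_C = bytes.fromhex("550406")    # 2.5.4.6  countryName (C)

def _len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def encode_name(attrs):
    """attrs: list of (oid_bytes, text). Returns DER Name = SEQUENCE of single-valued SETs,
    each holding SEQUENCE { OBJECT IDENTIFIER, UTF8String }."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, text.encode("utf-8"))))
        for oid, text in attrs)
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def organization_name(der_name):
    """Return the O attribute from a DER subject Name, or None if the CA placed none."""
    tag, seq, _ = _read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("subject Name must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid, p = _read_tlv(atv, 0)
            vtag, value, _ = _read_tlv(atv, p)
            if oid == OID_ORG and vtag in (0x0C, 0x13):  # UTF8String or PrintableString
                return value.decode("utf-8")
    return None

# Constructed subjects: the bank's own certificate versus one a third party could obtain.
BIZYBANK = encode_name([(OID_C, "US"), (OID_ORG, "BizyBank"), (OID_CN, "www.bizybank.example")])
OTHER = encode_name([(OID_C, "US"), (OID_ORG, "Some Other Company"), (OID_CN, "bizybank-login.example")])
```

A browser that only renders the O value it reads from the certificate will show "BizyBank" for the first subject and "Some Other Company" for the second, which is the obstacle the article describes; EV recognition itself additionally depends on the CA's certificate-policy identifier, which this example does not model.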
The Security Status Bar also contains the name of the authenticating CA, enabling customers to consider the security employed by sites before choosing to do business. If a site visitor distrusts the chosen SSL provider, that customer can take his business elsewhere. Likewise, if a CA issues bad EV certificates, the public will learn not to trust sites using this SSL brand.