compliance and privacy
A New Type of SSL Certificate Is on the Way

Web businesses face a crisis in confidence. Consumer trust in the security of sites is declining, and in increasing numbers they are scaling back online transactions - or opting out entirely. According to Forrester Research on December 8, 2005, an astonishing 24% of Internet users reported that they would not be shopping online that holiday season because they did not feel safe. A full 61% reported that they had at least reduced online purchases for the same reason. This phenomenon has been masked by the overall increase in online activities like shopping, banking, trading securities, and filing taxes. The fact remains, however, that these online businesses are less effective than they should be, and are leaving money on the table.

Starting early in 2007, Web sites will be able to definitively demonstrate their identity to customers—and customers will be able to confirm identity before trusting sites. This opportunity comes thanks to the greatest development in the Web's secure backbone in over ten years. 2007 will see the introduction of a new kind of SSL Certificate, the first since the technology's origin over a decade ago.

These new certificates will be called Extended Validation SSL Certificates, and they represent over a year's effort by an industry consortium called the CA/Browser Forum. Starting early in 2007 the CA/Browser Forum intends to make these new certificates available for the benefit of Web businesses and site visitors alike. These certificates can facilitate online commerce in all its forms by increasing visitor confidence in legitimate sites and greatly reducing the effectiveness of phishing attacks.

The erosion of SSL's identity promise

Ask your typical online shopper what the little lock on the browser means, and she will tell you transmissions are encrypted and therefore protected from spying eyes. That's correct. It is what the lock means. However, it's not all that the original pioneers in e-commerce intended it to mean.

SSL Certificates originally came about to validate the identity of a site when connected. That's because although it is difficult to mimic the identity of a physical business, it is quite easy to mimic one online. The industry understood this principle way back in 1995 and therefore invented SSL Certificates. SSL's creators intended the certificate to vouch for site identity and therefore protect online shoppers from scams.

In the beginning it worked. Today it does not. The widespread use of the Web by lay people with no special level of computer education, combined with the low visibility of the lock icon on popular browsers, has made it possible for phishing to become the phenomenon we see today.

Despite its original intentions, traditional SSL isn't the solution. While some Certificate Authorities (CAs) do a very good job of authenticating identity, others do little or employ easily fooled practices. A site can even use a self-signed SSL Certificate with no identity authentication whatsoever. About a year ago we began to see widespread phishing attacks using low-authentication, “soft-target” SSL Certificates to further the illusion of legitimacy.

Introducing identity visitors can trust

In order for SSL Certificates to reclaim their role of vouching for site identities to visitors, we must shore up two weaknesses in the existing system. First, we need a new category of SSL Certificate that carries a high level of assurance about a site owner's identity. Then we need a browser interface that makes it easy for users to see that identity when it is known, and to recognize when it isn't. These new certificates are the Extended Validation (EV) SSL Certificates already mentioned. (You may have heard of them under their working name, High Assurance or HA SSL Certificates. Don't confuse that with the so-called “high assurance” certificates that some CAs try to peddle but which do not carry EV status.)

The CA/Browser Forum, with over twenty leading Web browser manufacturers, SSL providers, and WebTrust auditors, has worked over a year to create a standardized authentication process that any CA must follow to issue EV certificates. Such CAs must undergo independent audit to confirm compliance with the specified process. The CA/Browser Forum built this process on existing business verification practices that have been demonstrated successful over years of widespread use.

Once a CA completes authentication according to this process, it may issue a certificate with Extended Validation status. This certificate operates exactly like a traditional SSL Certificate. In fact, browsers not built to recognize EV certificates (including Internet Explorer 6, Firefox 2, and their predecessors) behave exactly as with a non-EV certificate. New EV-compatible browsers, however, display these certificates in highly visible and more informative ways. The first such browser is Internet Explorer 7 (IE 7).

Internet Explorer 7: Green for go

IE 7 has added several interface conventions to enhance identification of site ownership. Most obvious is the “green address bar.” When an IE 7 browser accesses a page with an EV certificate, the background of the address bar turns green. This simple change indicates very visibly that a site has definitely undergone high-level identity authentication. The choice of color also follows interface conventions already proven effective: in the desktop interface world green signifies “safe to proceed,” just as red signifies danger.

The green address bar is not the only change with an EV certificate, however. IE 7 contains an additional field to the right of the address bar, the Security Status Bar. This field appears when the browser can offer information that may be useful to site visitors in evaluating sites. On pages with EV SSL Certificates the Security Status Bar displays the organization name. This text string comes directly from the certificate, where the CA placed it. Because the CA verified this name and the browser displays the name in its own interface (called the “chrome”), a visitor can rely on the accuracy of this string.

In the example of hypothetical online bank BizyBank, the bank's name appears right in the interface. End consumers can verify the site's identity by looking for the green bar and the name BizyBank, presenting a significant new obstacle to phishers seeking to take over BizyBank accounts. Today a phisher need only duplicate the original site and find a convincing URL to be in business. If BizyBank's customers learn to seek its name and a green address bar before providing confidential information, then a would-be phisher will not be able to present this interface. Even if the phisher sets up a real business to purchase EV certificates for the phishing site, the browser interface would not contain the name BizyBank.

The Security Status Bar also contains the name of the authenticating CA, enabling customers to consider the security employed by sites before choosing to do business. If a site visitor distrusts the chosen SSL provider, that customer can take his business elsewhere. Likewise, if a CA issues bad EV certificates, the public will learn not to trust sites using this SSL brand.
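The following Python script is an added illustration of the decision the article describes for EV-aware browsers (a legacy browser treats every certificate alike; an EV-aware browser shows a green bar, the verified organization name and the CA name only for a recognised EV certificate; a phisher with a real EV certificate still cannot show the bank's name). It is not code from the article, from VeriSign, from any browser or from the CA/Browser Forum. It assumes certificates as Python dicts shaped like `ssl.SSLSocket.getpeercert()` output, extended with a constructed `policies` list of certificatePolicies OIDs; the root-store table, the policy OID, the CA names and the BizyBank-themed host names are all placeholders constructed for the example, and keying EV status on the issuer's organization name is a simplification of how real browsers tie EV policy OIDs to a trust anchor.

```python
"""Model of how an EV-aware browser decides what to show in its chrome.

Added example, not the article's or any vendor's code. Certificates are
dicts shaped like ssl.SSLSocket.getpeercert() (subject/issuer as nested
tuples) plus a constructed "policies" tuple of certificatePolicies OIDs.
All OIDs, CA names and host names below are placeholders.
"""

# Constructed root-store table: for each trusted issuer, the policy OIDs the
# browser treats as Extended Validation. Placeholder OID, not a real one.
EV_POLICIES_BY_ISSUER = {
    "Example Trusted CA": {"1.3.6.1.4.1.99999.100.1"},
}

# Subject fields an EV certificate is assumed (for this example) to carry;
# the browser shows organizationName in its own chrome.
REQUIRED_EV_FIELDS = ("organizationName", "countryName")


def flatten_name(rdns):
    """Turn getpeercert()-style ((('k', 'v'),), ...) tuples into a dict."""
    return {k: v for rdn in rdns for k, v in rdn}


def chrome_display(cert, browser_supports_ev=True, ev_table=EV_POLICIES_BY_ISSUER):
    """Decide what the browser shows for a connection secured by `cert`.

    Returns a dict with:
      bar      -- "green" only for a recognised EV certificate, else "normal"
      org_name -- verified organization name shown in the chrome, or None
      ca_name  -- issuing CA name shown next to it, or None
    A browser without EV support never returns "green": it treats the
    certificate exactly like a traditional one.
    """
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    ca_name = issuer.get("organizationName")

    if not browser_supports_ev:
        return {"bar": "normal", "org_name": None, "ca_name": None}

    # EV status comes from a policy OID the root store associates with this
    # issuer; a self-signed or unknown issuer has no entry, so merely
    # asserting the OID in the certificate earns nothing.
    ev_oids = ev_table.get(ca_name, set())
    asserts_ev = any(oid in ev_oids for oid in cert.get("policies", ()))
    has_fields = all(subject.get(f) for f in REQUIRED_EV_FIELDS)

    if asserts_ev and has_fields:
        return {"bar": "green", "org_name": subject["organizationName"],
                "ca_name": ca_name}
    return {"bar": "normal", "org_name": None, "ca_name": None}


def matches_expected_brand(display, expected_org):
    """What a trained visitor checks: green bar AND the name they expect."""
    return display["bar"] == "green" and display["org_name"] == expected_org


# --- constructed sample certificates (not real sites or CAs) ----------------

def _cert(cn, org=None, issuer_org="Example Trusted CA", policies=(), country="GB"):
    subject = [(("commonName", cn),), (("countryName", country),)]
    if org is not None:
        subject.append((("organizationName", org),))
    return {"subject": tuple(subject),
            "issuer": ((("organizationName", issuer_org),),),
            "policies": tuple(policies)}

# Legitimate bank with an EV certificate from a trusted EV-capable CA.
BIZYBANK_EV = _cert("www.bizybank.example", org="BizyBank",
                    policies=("1.3.6.1.4.1.99999.100.1",))
# "Soft-target" certificate: encryption works, but no organization was vetted.
PHISH_DV = _cert("bizybank-secure.example")
# Someone who registered a real company and bought an EV certificate: the bar
# turns green, but the vetted name shown in the chrome is not the bank's.
PHISH_EV = _cert("bizybank-login.example", org="Bizy Bank Holdings Ltd",
                 policies=("1.3.6.1.4.1.99999.100.1",))
# Self-signed certificate asserting the EV OID: issuer absent from the root
# store table, so the assertion is ignored.
SELF_SIGNED = _cert("bizybank.example", org="BizyBank", issuer_org="BizyBank",
                    policies=("1.3.6.1.4.1.99999.100.1",))


if __name__ == "__main__":
    for label, cert in [("bank EV", BIZYBANK_EV), ("soft-target", PHISH_DV),
                        ("other EV", PHISH_EV), ("self-signed", SELF_SIGNED)]:
        d = chrome_display(cert)
        print(f"{label:12} bar={d['bar']:6} org={d['org_name']!r} "
              f"ca={d['ca_name']!r} looks like BizyBank? "
              f"{matches_expected_brand(d, 'BizyBank')}")
    print("legacy browser, bank EV:",
          chrome_display(BIZYBANK_EV, browser_supports_ev=False))
```

Running the script prints one line per sample certificate; only the bank's own certificate yields both a green bar and the name "BizyBank", which is the combination the article tells customers to look for.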

This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.