A new protection against phishing will start soon - Extended Validation (EV) SSL Certificates
The internet is not what it once was - the time of innocence is long gone. The bad guys are making sustained, concerted attempts to separate people from their money via the internet by any means at their disposal. Because of this, Microsoft has taken several steps (such as the Phishing Filter and the untrusted certificate warning) to make it easier for users to spot that they are being fooled, and harder for the bad guys to fool them.
For years the small lock icon in the Internet Explorer status bar was considered enough of a safety check, and users only looked at that lock to make sure that a site was using 128 bit encryption. In reality, any site whose certificate matched its host name and chained to a root the browser trusted could produce that little lock, and there was no guarantee that, just because the lock was there, you were dealing with the good guys. Anybody could get a certificate, and the checks that CAs made before issuing one were sometimes insufficient.
Sometimes certificates were issued to people who were not who they said they were, or for Web sites using names that had been deliberately chosen as likely to fool a user. A famous example of this is when, in 2001, Verisign was silly enough to issue two code-signing certificates to somebody falsely claiming to represent Microsoft, a mistake that Microsoft is still taking steps to protect us from to this very day. Don't believe me? Fire up IE. Go to Tools, Internet Options, Content tab. Click on the Certificates button, then examine the far right tab entitled "Untrusted Publishers". See those two entries for "Microsoft"? The fact that Verisign messed up big time is one very telling example of why we have not been able to truly depend on "security certificates" or lock icons to prove that a site is legitimate and trustworthy.
IE7 already warns us when we visit a site with an untrusted certificate (generally a self signed certificate such as that automatically generated by Windows 2003 Small Business Server). When we visit such a site, the Address Bar turns red, and a warning page appears. You will find more information about the untrusted certificate warning here:
It's all well and good to be warned when we are visiting a known bad site (via the Phishing Filter) or when there may be a problem with a site certificate (via the untrusted certificate warning), but how can we know for sure that we are visiting a safe site?
The reality is that it is much easier to vouch for a known good site than it is to track down and block all of the bad sites that are out there - bad sites that are constantly moving home, changing URLs and doing everything they can to avoid detection.
IE7 users (and Opera 9 users) will soon be able to take advantage of a feature that already exists in IE7 but has not yet been activated: a strong visual indication that the organisation behind the site you are visiting has been verified. This new protection is called Extended Validation (EV) SSL Certificates. Due to begin roll out at the end of January 2007, EV SSL certificates will only be issued under very specific circumstances. That means the bad guys are going to find it extremely hard to pretend to be a financially sensitive site such as a bank or an online trading site, provided the real site takes advantage of EV SSL and its users become accustomed to the green bar and are told to trust the site only when they see it.
A screenshot of the green addressbar triggered by an EV SSL certificate in IE7
Interest in EV SSL certificates has been strong, with the following certification authorities taking part in the Certification Authority/Browser Forum:
Comodo CA Ltd
ipsCA, IPS Certification Authority s.l.
Network Solutions, LLC
RSA Security, Inc.
TDC Certification Authority
Wells Fargo Bank, N.A.
XRamp Security Services, Inc.
Web browser developers are also members of the CA/Browser forum, including:
Opera Software ASA
The Mozilla Foundation
How is EV SSL certification going to work?
Anybody who requests an EV SSL certificate will be subject to a thorough, standardized vetting process which all issuing CAs must adhere to. This means that if you go to an EV SSL-secured Web site, you will be able to trust that the organization that operates the site has undergone and passed the very thorough EV SSL authentication process as defined by the CA/Browser Forum. If you go to a site and it has the green bar, you can be sure that the Web site belongs to the organisation named in the certificate, rather than being a fraudulent Web site operated by a phisher. Note what the green bar does and does not say: it vouches for the verified legal identity of the operator, so it is still up to you to check that the name shown is the company you meant to deal with.
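On the browser side, an EV certificate is recognised by a policy OID in its certificatePolicies extension: the issuing CA asserts its EV policy identifier there, and the browser ships a table mapping each enrolled root to the EV OID that root is allowed to assert. The following is an added example, not code from the original post or from any browser: a small DER parser that pulls the policy OIDs out of a certificatePolicies extension value and checks them against an EV OID table. The table is an assumption for illustration; it uses the CA/Browser Forum identifiers (2.23.140.1.1 for EV, 2.23.140.1.2.x for DV/OV) that were standardised after this post, whereas in 2007 each CA asserted its own OID. The sample extension bytes are constructed inline by the encoder at the bottom.

```python
"""Added example: decide whether an X.509 certificatePolicies extension asserts
an EV policy. Pure stdlib; the EV_POLICY_OIDS table is an assumption."""

# Assumed table for illustration. A browser keeps one per trusted root, so that
# a CA can only "go green" with the OID it registered for that root.
EV_POLICY_OIDS = {
    "2.23.140.1.1": "CA/Browser Forum EV (standardised after 2007)",
}

def _read_length(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F                       # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _read_tlv(buf, i):
    """Return (tag, contents, index after this TLV) for the element at buf[i]."""
    tag = buf[i]
    length, start = _read_length(buf, i + 1)
    return tag, buf[start:start + length], start + length

def decode_oid(body):
    """Decode OID content bytes (base-128 arcs, first two arcs packed) to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            if not arcs:
                first = min(value // 40, 2)
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """ext_value: DER certificatePolicies extnValue, i.e. SEQUENCE OF PolicyInformation.
    Only the policyIdentifier of each entry is read; policyQualifiers are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, i = [], 0
    while i < len(seq):
        tag, info, i = _read_tlv(seq, i)   # PolicyInformation ::= SEQUENCE { OID, qualifiers OPTIONAL }
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        t, oid_body, _ = _read_tlv(info, 0)
        if t != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids

def ev_policy(ext_value):
    """Return the matching EV OID if the extension asserts one, else None."""
    for oid in policy_oids(ext_value):
        if oid in EV_POLICY_OIDS:
            return oid
    return None

# --- constructed sample input: a minimal DER encoder so the bytes are built, not pasted ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, body)

def certificate_policies(*oids, cps_uri=None):
    """Build a certificatePolicies value; optionally attach a CPS URI qualifier to each entry."""
    entries = []
    for o in oids:
        info = encode_oid(o)
        if cps_uri:                        # PolicyQualifierInfo { id-qt-cps, IA5String }
            qualifier = tlv(0x30, encode_oid("1.3.6.1.5.5.7.2.1") + tlv(0x16, cps_uri.encode()))
            info += tlv(0x30, qualifier)
        entries.append(tlv(0x30, info))
    return tlv(0x30, b"".join(entries))

EV_EXT = certificate_policies("2.23.140.1.1", cps_uri="http://example.invalid/cps")  # constructed
DV_EXT = certificate_policies("2.23.140.1.2.1")                                       # constructed, DV only

if __name__ == "__main__":
    print("EV sample ->", ev_policy(EV_EXT))   # 2.23.140.1.1
    print("DV sample ->", ev_policy(DV_EXT))   # None
```

The point of the table being keyed per root, rather than a global list of EV OIDs, is that a compromised or careless CA cannot turn its ordinary certificates green simply by copying another CA's EV OID into them; the browser only honours the OID registered for the root that actually signed the chain. Parsing the extension is the easy half; the real assurance comes from the vetting process that the OID stands for.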
What are the certification requirements?
The certification requirements are very strict. The 65-page certificate guidelines can be found here:
A summary can be found here:
I think you will be very impressed with the thoroughness of the vetting process if you have the time and patience to read through the entire 65-page document.
The success of EV SSL will depend on the major phishing targets, above all the major financial institutions, taking advantage of EV SSL and training their visitors to look for the green bar. I strongly recommend that reputable, financially sensitive sites investigate EV SSL certificates and start using them as a protection for their users. It is important to note that some organisations and groups currently cannot be granted EV SSL certificates at all, because the vetting process relies on verifying a registered legal entity, although this may change in the future once the qualification guidelines are finalised. Such groups include, but are not limited to:
(1) General partnerships
(2) Unincorporated associations
(3) Sole proprietorships
(4) Individuals (natural persons)