Have you seen the green bar yet? Hooray for High Assurance!

High Assurance (now known as Extended Validation, aka EV) certificates are up and running for IE7 (the green address bar). To test whether it is working for you, go to www.paypal.com and see if the bar turns green (see screenshot below). If the bar doesn't turn green for you, install the Windows Root Certificate update available here:
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

Information about the root certificate program can be found here:
http://support.microsoft.com/kb/931125

PayPal is already displaying the green bar - so is eBay - so is SecureTrust - bye bye phishers!!! MySpace, despite being such a high-risk (and oft-targeted) environment and its ongoing problems with fake log-in pages, is not using a High Assurance Certificate {{boo hiss}}

The combination of High Assurance Certificates and Internet Explorer's Phishing Filter is going to make it harder and harder for phishers to succeed in fooling people.

Please share the URLs of any other sites that have started using High Assurance - let's get the word out there and really p*ss off the phishers - I am *so* very pleased and excited that this is finally up and running.

If the green bar does not appear for you and you are using IE7, check the following settings:

Phishing filter - must be set to automatic
Automatic server certificate revocation checking - must be enabled: Tools -> Internet Options -> Advanced -> Security -> Check for Server Certificate revocation.

 

Published Sun, Feb 4 2007 20:26 by sandi

Comments

# re: Have you seen the green bar yet? Hooray for High Assurance!

Sunday, February 04, 2007 4:30 PM by Andy

It's actually extended validation, isn't it? I was looking at these for one of my clients but they seemed to be very expensive and I'm not really sure what the added bonus is. After all, normal certificates are meant to be validated before given out anyway.

The prices from Verisign were even more astronomical than their normal certificate (which was $999/yr instead of Network Solutions' $99/yr for a 3 year contract). However, Network Solutions didn't have the EV certificates available... which makes me wonder just how widespread these certificates are going to be used if they are that expensive to purchase, SSL companies don't sell them and people have already got certificates lasting 3 years.

# re: Have you seen the green bar yet? Hooray for High Assurance!

Sunday, February 04, 2007 5:41 PM by sandi

Andy,

*Anybody* can buy a "normal" certificate and the validation checks have been perfunctory at best - there was even an incident where Verisign issued two certificates to "Microsoft" after accepting a fraudulent application (see the 'untrusted' certificates listed in IE for proof of that).

High Assurance (aka Extended Validation) certificates, on the other hand, are only issued under very rigorous qualification requirements.

http://blogs.msdn.com/ie/archive/2006/10/20/ie7-and-high-assurance-at-rsa-europe.aspx

http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx

I have other explanatory articles on this blog site, and at microsoft.com, that will help explain the difference between "normal" certificates and HA / EV certificates.

# .:Computer Defense:. » “Study Finds Security Flaws on Web Sites of Major Banks” or “Common Knowledge: Users Regularly Click-Thru”

PingBack from http://www.computerdefense.org/?p=242

# Microsoft releases new and updated information about Extended Validation and IE7

Tuesday, February 06, 2007 2:54 PM by Spyware Sucks

As I have noted a couple of times over the past couple of days, IE7 Extended Validation has gone live:

# History repeating itself?

Tuesday, March 20, 2007 6:27 AM by BillyBob

Many years ago, all the CAs carefully vetted anyone wanting an SSL Certificate, I remember the hassle clearly.  Of course, time moved on and with freely available tools, anyone could knock out a cert suitable for securing their web server.

So now with EV certs, the vetting procedure is back in place (and seems no more extensive than it was all those years back). Of course, these "new" checks come at a much higher price. One that only big corporations aren't going to think about. The little guy is left in the wind ("We're working on that" says the forum).

All they had to do was verify that for a given CA, the vetting procedures were being followed like they used to be. If so, add them to a special list and hey presto, the "green bar" can be used.  Hmmmm sounds familiar.

Of course, this forum, this collaboration of the big players, didn't get together and sit in endless meetings for the benefit of the average ripped off granny.  They were losing money, and now they've a solution that not only (may) stop the loss, but generates some extra green at the same time.

There's your green bar, ladies and gents - green for green.  Can you say "Kerching!"