Verisign needs to sort out their site so that it works with their Extended Validation (High Assurance) Certificate

Let this be a lesson to those companies out there that are going to purchase an Extended Validation (EV) certificate - please make sure that your site is coded so that the EV will display.  Extended validation certificates are not cheap, and you do not want to be forking out money for an EV, only to have it fail to display.

Take the following example - I did not realise that Verisign was using an Extended Validation Certificate, and will explain why.

Verisign issued the EV certificates used by PayPal and eBay.  Let's have a look at some further information about these new certificates: click next to the lock icon and choose the View Certificates option:


When we view the certificate details we see this:

Let's have a look at the Issuer Statement.  Clicking that button opens an Internet Explorer window showing a Verisign page.   The Address Bar is green when the Verisign page first opens, but it does not stay that way. Several of the screenshots in this article were taken on XP, but the problem also exists in Windows Vista.

This is the window that opens when we click on the Issuer Statement button:

When the Verisign page opens, we see a dialogue box asking for permission to display nonsecure items, and therein lies the problem.  That dialogue box appears when Internet Explorer is set to "prompt" before displaying what is called mixed content, which is the default setting for IE7.  In this case, Verisign has a secure (https) page that displays content (graphics) that is not served as part of the secure page, but is instead pulled from a non-secure location (sometimes called hot linking, or inline linking), thereby triggering the dialogue box.  If we select "yes" and allow IE to display the non-secure content, the green Address Bar disappears.  If we select "no", the green Address Bar stays, as you can see from the shots below.  The only fix from the user's point of view is to set Internet Explorer 7 to never display mixed content, which some will say is a good idea for security reasons, but the fact of the matter is that Web sites need to make sure that their expensive Extended Validation certificates work when Internet Explorer 7 is being used with its default settings.

A Knowledge Base article that explains one of the ways that a Web page with frames may trigger the dialogue box can be found here:
http://support.microsoft.com/kb/184960
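The check a site owner would want before paying for an EV certificate is whether any page loads a subresource (graphic, stylesheet, frame) over plain http. The following scanner is an added example written for this post, not code from Verisign or Microsoft; it parses an https page's HTML with the standard library and reports every reference that would resolve to http, treating relative and protocol-relative references as inheriting https. The hostnames and sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch a subresource.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}

class MixedContentScanner(HTMLParser):
    """Collects subresource references that a page served over https
    would fetch over plain http (the classic mixed-content trigger)."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are fetched as page content
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative (//host/...) references inherit https.
            resolved = urljoin(self.page_url, value.strip())
            if urlparse(resolved).scheme == "http":
                self.findings.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return (tag, absolute_url) for every http subresource on an https page."""
    if urlparse(page_url).scheme != "https":
        raise ValueError("page must be served over https for mixed content to matter")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (hostnames are placeholders, not Verisign's): an https
# issuer-statement page that hot-links graphics, a stylesheet and a frame over http.
SAMPLE_HTML = """<html><body>
<img src="/images/seal.gif">
<img src="http://static.example.com/logo.gif">
<img src="//static.example.com/ok.gif">
<link rel="stylesheet" href="http://static.example.com/style.css">
<frame src="http://www.example.com/frame.html">
<a href="http://www.example.com/about">plain links are not fetched</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.com/cps/", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```

Running it against the sample reports the http logo, stylesheet and frame but not the relative seal, the protocol-relative image or the plain hyperlink.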

The equivalent SecureTrust "Issuer Statement" page, reached in the same way when we visit a site that is using a certificate issued by SecureTrust, does NOT have this problem.  Well done SecureTrust.  I wonder if it was luck, or if SecureTrust knew there would be a problem if their page had mixed content.

I'll be reporting what I have found to the Internet Explorer team to see what they say; I suspect the behaviour will be "by design" because it pretty much guarantees that all content on an EV protected site is actually hosted by that site.

Here are screenshots of what happened on the Verisign page.

We say yes to displaying mixed content - the green bar disappears:

We say no to displaying mixed content - the green bar stays:

Published Mon, Feb 5 2007 18:43 by sandi

Comments

# Microsoft releases new and updated information about Extended Validation and IE7

Tuesday, February 06, 2007 2:54 PM by Spyware Sucks

As I have noted a couple of times over the past couple of days, IE7 Extended Validation has gone live: