Security vendors like VeriSign consider a new technology called EV SSL an important measure against phishing attacks. But two recent items suggest it will do little to stop skilled conmen from spoofing trusted websites. Exhibit A was this post from network services company Netcraft, which documents a recently discovered cross- …
I think there's a bit more Reg angle to be had in looking at the relative cost of SSL certificates that are the "normal" kind vs the ones with this "extended verification". I had a look at the price list and figured out immediately the primary problem this technology was meant to solve!
(P.S. The Extended Verification SSL certificates advert over the article was priceless. :)
The SSL providers such as Verisign etc. all charge an arm and a leg more, and for what? SSL certs are money for old rope.
This new EV cert is just an excuse to grab more money! unless people know what happens in the browser and there is more take up it will be useless!
The paris angle: She'd be cheaper :-) Allegedly...
Spot on Eugene - it's marketing BS
Eugene is spot on - a standard web server cert is about USD$200 and an EV cert is about USD$700...
Same level of crypto - there is not any real security benefit in a technical sense.
All you are doing is paying the cert provider an extra $500 for them to do the identity checks they were supposed to do in the first place...
The whole raison d'etre of PKI was that the cert "proved who you were" and the cert providers were supposed to take reasonable steps to verify your identity before issuing the certs.
They didn't - hence the "circle of trust" is broken.
And now they want us to pay for them to fix it!
Green browser bar?
Sorry, what is a green browser bar?
I'd be very surprised if it's only 70% that don't know what a green browser bar is. Fact is, the vast majority of users don't care who issued the certificate or whether it's valid; any warning dialogs will go unread and made to go away as quickly as possible. We're all doomed, I tell you.
(oo-err: "70%?" on its own isn't recognised as a valid title; bug or feature?)
Well, I think the answer is "Definitely not": I just got this...
Dear Egg Banking Member,
Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV SSL Certification on this Internet Banking website.
The use of EV SSL certification works with high security Web browsers to clearly identify whether the site belongs to the company or is another site imitating that company's site.
It has been introduced to protect our clients against phishing and other online fraudulent activities. Since most Internet related crimes rely on false identity, Egg went through a rigorous validation process that meets the Extended Validation guidelines.
Please Update your account to the new EV SSL certification by <a href="...">Clicking here</a>.
You are strictly advised to login into your egg aAccount using the above link.
Your egg account will automatically be added to our recent internet banking security system.
(Failure to verify account details correctly will lead to account suspension)
Account Sentinel Service
� Egg Bank Online Customer Service: 1998 - 2008
(Do not reply to this email. Egg Bank retains the right to send you periodic updates on alerts and services).
Its not all about the encryption...
Ev SSL is really how SSL validation should have been done originally, once they iron out some of the americanisms and make the standard a little more internationalised.
A business that requires an EV SSL certificate is validated in a lot of detail, whilst this may be a bit more draconian than the stupid email me back and I'll give you a cert approach some CA's adopt EV *actually* validates the identity of the business before issuing, checks for business registration and id of the owner are checked by a real person, and cross checked again by a real person.
Whilst verisign charge an arm and a leg, there are plenty of other root CA's that can provide EV SSL certs, and don't rip you off, just look up digicert, comodo and some other the others.
One of the main things is that the EV SSL validation processes will be consistent accross CA's. this means that I can feel a little more confident that the person I'm doing business with has been checked as reputable. This doesn't stop phishing, and probably won't but it will stop dodgy businesses from obtaining the certs.
A consistent approach to validation will also mean that the price will probably come down as the CA's can't compete on the level of validation performed for their certificates. Part of the problem is that EV SSL has been marketed as solving a problem that it doesnt really. Another visual aid for an end user is great, but how many people actually understand what the padlock means, or have ever read a CPS or looked at who issued a cert, so can understand what level of validation has been performed for the business they are about to transact with.
@ Stephen, as for the "identity checks they are supposed to do in the first place" I agree with the spirit of what you are saying, but the problem is that with bog standard SSL the id checks they do are only geared towards what they say they will do in the CPS which could be nada. With EV standardising this hopefully we will be able to get rid of crappy low validation certificates, and remove some of the low end "I'll give ssl to anyone" CA's out there.
I work with several major CA's to assess how they perform validation, its not money for old rope, these guys really do put a lot of effort in, and are audited every year to make sure they are doing it all properly and that their underlying infrastructure is secure.
Hopefully EV will be a step in the right direction, but its certainly not a one stop fix all.
EV *IS* good!
Alas, this is sensationalist reporting that only increases the risks to all web users by reinforcing their ignorance to EV-certs. That's a shame. I expect more from El Reg.
From above: "The SSL providers such as Verisign etc. all charge an arm and a leg more, and for what? SSL certs are money for old rope."
Acutally, the extra cost is well worth it! When you apply for an EV Cert, the CA carries out more than 10 identity checks against you, your position within the company you're applying for, the company's existence and registered place of business, whether the company is undergoing investigation for or has been convicted of a range of fraudlent charges, etc. Often, they will in fact comission an independent, certified autitor to personally visit your place of business to ensure that the company does in fact do work from that location.
Only when the checks all come back positive does the CA then issue you with an SSL cert.
So what does an EV Cert say that an normal SSL cert doesn't? The cert contains the name and location of the company is that owns the cert and the URL against which the cert is issued. Along with the multi-million dollar liability each EV-cert issuing CA signs up to, the identity of sites protected by an EV-cert are therefore are more trustworthy than sites protected with a standard SSL cert that does nothing to validate the identity of the cert's owner.
While EV-certs do nothing to prevent cross-site scripting (this is an issue that's completely orthogonal to SSL), they are an important step forward in the march to make the web a safer place to surf.
Paris becuase I'm sure she enthusiastically uses all forms of protection!
Re: Well, I think the answer is "Definitely not": I just got this...
Was that quoted mail, perchance, from somebody off on a phorming^Wphishing run?