Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror

Extended Validation SSL, More Secure or Just a Racket? 205

Posted by ScuttleMonkey
from the fun-with-revenue-generation dept.
Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."
This discussion has been archived. No new comments can be posted.

Extended Validation SSL, More Secure or Just a Racket?

Comments Filter:
  • Color coded? (Score:5, Insightful)

    by eric76 (679787) on Wednesday October 25, 2006 @05:55PM (#16585242)
    Verisign say 99 per cent of sites will be get the "ok" and the address bar left white. Only outfits which fork out for an extended validation SSL will get the psychological filip of "green for go". Firms will have to stump up about 150 per cent of what they currently do for an SSL certificate.

    I'm colorblind. Would I ever notice the difference?

    • Yes. (Score:4, Informative)

      by khasim (1285) <brandioch.conner@gmail.com> on Wednesday October 25, 2006 @06:09PM (#16585430)
      IE 7 will have different icons on the location bar to indicate that a site has the "higher" level of "security" (translation: "bought the new certificate").
    • Certs are a joke (Score:3, Insightful)

      by rs79 (71822)
      In a world where even PayPal can't get it right (and nobody cares) what does it matter?

      "Oh, it's an https site. It's encrypted. Cool". Next.

      Some time when you're really bored look at the low level ssl stuff (with openssl or something) and notice all the errors. The browsers ignore so many of these I think it's all a big joke.

      • In a world where even PayPal can't get it right (and nobody cares) what does it matter?

        Aside from their lack of care with your money, paypal gets a lot right - all their communication refers to paypal.com, not somerandomurl.com like a lot of real banks do. This single thing is probably worth way more than any fancy SSL hokum.

        • Re: (Score:3, Informative)

          by rs79 (71822)
          "paypal gets a lot right"

          I have a screen shot on a computer around here someplace of a browser alert window pointing out the cert domain doesn't match the domain. It was about 2-3 years ago. I can't remember for sure but I think it was www.paypal.com (the cert) didn't match paypal.com (which is what I type in).

          The points remain:
          1) People don't care if the cert is valid or not or in many cases if it's even signed by a root auhority the browser knows about
          2) There are lots of errors in certs the browsers igno
    • by interiot (50685) on Wednesday October 25, 2006 @06:56PM (#16585936) Homepage
      Don't worry. Once consumers realize that the new "super duper" certs are being given out to phishers as well, Verisign will come out with a 3rd level of verification ("extra super duper certificates") that cost 50% more, and they'll have to go to a numbering or lettering scheme ("1", "2", "3"). This will also facilitate the periodic addition of new levels whenever consumers realize Verisign still isn't doing the job they say they're getting paid to do.
    • However, they feel just as dumb as everyone else after they've been suckered into paying an extra $1000 for a Verisign Super-duper Whiz-Bang Mega-Ultra Cert.

      To be honest there is a difference between a cert from a real CA and some $10 cert from some outfit that doesn't care anything more about your true identity than whether your credit card payment goes through. Google for "high assurance" vs "low assurance".

      • Yeah, the "real" CA's require that you fax in something on, wait for it, letterhead. oooooh safety......
        • Re: (Score:3, Insightful)

          by TheRaven64 (641858)
          On the otherhand, CACert, which is free, requires to see two forms of government issued ID, one of which must have a photograph.

          Sadly, CACert's root certificate is still not included with Mozilla, although a number of distributions include it.

          • Does anyone know why CACert's root isn't included in Firefox?

            Seems like that would be a no-brainer; I can't believe Firefox is really interested in perpetuating the Verisign monopoly. (Or is Verisign a donor?)
            • Re:CACert (Score:4, Informative)

              by TheRaven64 (641858) on Wednesday October 25, 2006 @10:58PM (#16588204) Journal
              The Mozilla foundation did not have a good set of criteria for including a cert. Originally they pretty much just used the same ones as IE (pay a big heap of money). Now they do have a set of rules, and the CACert people are trying to prove that they comply with them. It should be done Real Soon Now(TM).
  • Secure? (Score:2, Insightful)

    by Kazrath (822492)
    Has anyone found an effective way of cracking regular SSL? Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

    I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?
    • by Jahz (831343)

      Has anyone found an effective way of cracking regular SSL? Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

      I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

      1. You have clearly not read the article, or even the entire /. summary.
      2. Who is talking about cracking SSL? Nobody... the underlying algorithm algorithms can be changed.
      3.

      • Re: (Score:3, Informative)

        by cortana (588495)
        If you read their terms of service you will see that they "guarantee" sweet fuck all.

        On a related note, I was doing some poking around the other day and noticed this:

        $ certtool -i < /etc/ssl/certs/Verisign_Class_1_Public_Primary_Cer tification_Authority.pem

        X.509 certificate info:

        Version: 1
        Serial Number (hex): 00:CD:BA:7F:56:F0:DF:E4:BC:54:FE:22:AC:B3:72:AA:55
        Subject: C=US,O=VeriSign\, Inc.,OU=Class 1 Public Primary Certification Authority
        Issuer: C=US,O=VeriSign\, Inc.,OU=Class 1 Publi

        • by Jahz (831343)

          ...snip certificate...
          1. It's only a 1024 bit RSA key. That is weak by today's standards.

          You use of the word "weak" implies that 1024-bit RSA can be cracked. As of today, I know of no method to efficiently crack a 1024-bit RSA key generated by a strong RSA implementation. There was a big uproar in 2002 when a paper was published claiming that 1024-bit RSA could be cracked with about a billion dollars worth of computing hardware. Maybe by now the costs have come down... but 1024-bit keys ar

    • Re:Secure? (Score:5, Interesting)

      by tyler_larson (558763) on Wednesday October 25, 2006 @07:04PM (#16586014) Homepage
      Has anyone found an effective way of cracking regular SSL?

      No.

      Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

      No.

      I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

      No.

      SSL (and TLS) aren't encryption algorithms, they're protocol standards. These protocols make use of existing encryption algorithms to secure data. Many of these algorithms have a variable level of complexity, depending on things like key size. Since security (including encyrption) is always a tradeoff of resources versus security, the goal is to tweak the configuration parameters (again, such as key length) to find a level of security such that an attack against the cipher is less profitable an option than the next best choice, such as kidnapping the document's author. Those who require greater security can use turn up the complexity at the expense of using more resources.

      As computation capability increases, the complexity of encryption system is increased to compensate, usually by increasing key length. If a flaw is discovered in a given encryption algorithm making it too easy to break, or if the algorithm isn't capable of being expanded to account for better decryption technology (such as DES) then that algorithm is discarded in favor of some stronger replacement. SSL remains the same.

      Verisign's "Extended Validation" program has nothing to do with cipher strength, key length, or encryption. Instead, it's indicative of the vetting process that the company had to undergo to get the certificate. To get a certificate for citibank.net, I have to verify that I own that domain. I don't, necessarily, have to verify that I represent Citibank [1]. Under this High Assurance program, Verisign will vouch, not only for the validity of the domain, but also for the validity of the organization owning that domain.

      This is a Good Thing, since there currently is only one tier of validation. An SSL certificate is designed to prevent man-in-the-middle attacks, which it does well. What it doesn't protect against (though we act as if it does) is forged identity attacks. Certificates used for financial transactions, for example, should go through a stronger vetting process than certificates used for securing a blog.

      [1] In reality, almost all CAs do extended verification when the other party sounds like a high-profile company or financial institution. Nonetheless, Mistakes do happen [washingtonpost.com].

      • Actually all you need to do to get a cert is sign a piece of paper saying you will do all the checks and take the risk and they you can get a trusted cert for anything. Well you also need a valid D&B number with some history on it (couple years). Last I checked I am supposed to be able to get these new certs with the same technical level of protection, just more paperwork to promise to have but never get checked. So this really just sounds like another scam and maybe setting the bar marginally higher
      • Re:Secure? (Score:5, Informative)

        by TheSpoom (715771) * <slashdot&uberm00,net> on Wednesday October 25, 2006 @11:28PM (#16588526) Homepage Journal
        GoDaddy High Assurance SSL. [godaddy.com]
        Comodo Trusted SSL. [trustlogo.com]
        GeoTrust True BusinessID. [geotrust.com]

        Business identity validation SSL certificates have been around for a long time. The only thing different about VeriSign's offering is that they're partnering with Microsoft to have the bar turn green if their more expensive cert is detected, to the disadvantage of all other SSL providers. This is an attempt by VeriSign to make it effectively necessary for businesses to use their cert so customers won't think that their site is insecure.

        There's so much wrong with this attempt to gain a monopoly without adding anything of value to the market... but par for the course for VeriSign.
        • by jZnat (793348) *
          But the bar is yellow in all other browsers for secure, so a green bar will just confuse users, right?
    • Not cryptographically. The theft of certificates from poorly secured servers, however, seems to be pretty common: and since registering a throwaway domain that looks at first glance like that of a legitimate domain (such as www.register-paypal.com) to obscure the fact that it's a phishing site means that the certificate itself is not very useful to prove that a site is legitimate.

      SSL really needs to be thought of as only an encryption technology, not an authentication technology. The keys have never been ma
  • by truthsearch (249536) on Wednesday October 25, 2006 @05:55PM (#16585246) Homepage Journal
    Hey Verisign, it's called "open source". If you'd like the feature added submit a patch and they'll consider it. Until then the people working on it will finish when they can. Thanks.
    • by Zeinfeld (263942)
      Hey Verisign, it's called "open source". If you'd like the feature added submit a patch and they'll consider it. Until then the people working on it will finish when they can. Thanks.

      The Register was putting word's into Tim's mouth. They are the ones who used the phrase 'dragging their heels', not Tim.

      The Mozilla team have been part of the EV development process from the start.

      The real issue is that IE7 is harder to change once released. So the different deployment strategies make sense.

      • Re: (Score:2, Interesting)

        by mikiN (75494)
        IE7 is harder to change once released

        Say again?

        Since when has there been any difficulty changing IE once released?
        It's just a matter of releasing eleventy-one quadruple bazillion 'security updates' until it is deemed 'just barely functional'...

        Has any major IE update been anything else but the last major version with the last bazillion security patches rolled into it, then dotted with fresh new bloat, eyecandy and bugs?
    • by AEton (654737)
      See, this is why nobody likes the Open Source community: they're so mean and unapproachable.

      Geez, you go and create *one* exciting new technology -- which, sure, only your company supports, but that's a feature! -- and instead of gratefully implementing it for you, those damn longhaired hippies expect you to do the work!

      Hmpf.
  • I don't get it (Score:5, Interesting)

    by Lord Grey (463613) * on Wednesday October 25, 2006 @05:55PM (#16585252)
    I had never heard of "Extended Validation SSL" so I went to Google. Among the hits was something from Thawte, so I went there. It turned out to be a FAQ [thawte.com]. This FAQ contained such gems as:

    4. Why is High Assurance/Extended Validation SSL being implemented?

    Answer:

    Improved online identity assurance, and improved browser representation of online identities, will empower users to better protect themselves against malicious and suspicious activity, which has gradually been eroding user confidence in digital security, including online shopping and banking. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

    And:

    6. What is the difference between High Assurance/Extended Validation/Enhanced Validation SSL certificates and existing SSL certificates?

    Answer:

    The online identity assurance process is intended to be more comprehensive and standardized across the entire industry. Whereas currently online identity assurance processes vary from CA to CA, the new standards/processes under discussion by the CA Browser Forum, will have to be adhered to by all CAs if they wish to offer High Assurance/Extended Validation SSL certificates. This will encourage greater confidence in CAs as well as the processes that are used to vet and issue digital certificates. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

    Is it my imagination, or is this new Extended Validation SSL thing, in the end, just a bunch of paperwork? I may simply be missing the point. If someone can point to a better description of this thing that makes sense, please do so.
    • Re: (Score:2, Insightful)

      by hardburn (141468)

      It may solve some problems, like having a few guys claiming to be from Microsoft showing up at VeriSign's offices and walking off with a signed SSL key for MS.

      This is only one of the many major problems that SSL has, though. I don't see how this can address the problems of international domain names (where glyphs for certain characters can look the same, but aren't). I also doubt that it gives assurances about the security practices of the company (why would a cracker sniff a few credit cards at a time of

      • Re:I don't get it (Score:5, Insightful)

        by skiflyer (716312) on Wednesday October 25, 2006 @06:15PM (#16585506)
        Overall, this seems like a way to make the customer pay again for the CA's own bad practices.

        That pretty much sums up this garbage. This is what SSL is supposed to already be, but as anyone who has filed for an SSL certificate already knows the whole thing pretty much works as a handshake... you're who, yes, ok, credit card with that name please, great, here you go.

        And what about this "standardized across the industry"... I bought an SSL certificate from a 3rd party because they're in the Firefox/Opera/IE default trust lists, and because they cost $40 a year instead of $400, is this really a new industry standard or is this just Verisign's way of artificially creating a new market now that there's too much competition?
    • I'm going to guess (Score:4, Insightful)

      by tkrotchko (124118) * on Wednesday October 25, 2006 @06:09PM (#16585436) Homepage
      I'm guessing the certificate security itself isn't changed. What they're saying is they're just going to do more research on a company before they hand out certificates. Right now you fill in a form, fax it in, and *presto* you get certs. Now, I guess someone will actually call and check before issuing.

      They could do this now with regular SSL, but they couldn't charge more money... too much competition out there.

      The thing is, the encryption of SSL is not at issue; it's just a new product to market.
    • Re:I don't get it (Score:5, Informative)

      by Anonymous Coward on Wednesday October 25, 2006 @06:35PM (#16585716)
      I used to work at a certain SSL place, so here's what I could gather.

      Right now to get a cert it's a phone call verification or something else that can be done remotely.

      For High Assurance CAs, the issuer has to fly a person out to the physical site, take pictures of the site, go inside, take pictures of at least two(?) employees, get names of workers, get signatures, and so on. At least that was the idea last I heard.

      Rather than a remote validation, which I guess is easier to forge and easier to issue a mistake to by accident, this requires in person validation and lots of other crap you can't do without actually going there and checking it out. You decide if it's worth it. If not seeing that "special green color" stops just a few customers from using your site, it probably is.
      • They're not doing that for the "extra 50%" price mentioned in the article. They're either doing much less or charging much more.
      • Either way, the certificates will remain easy to steal due to the poor system security of many websites. Having an expensive Verisign certificate with extra special verification, at 3 times the price, does no good if some cracker has a rootkit on your sales-people's machines and succeeds in ripping the certificates out of your improperly secured webserver that they had access to because they push changes to it regularly, or have access to the backup system to pull the keys off the backup tapes, or there's a
    • Re: (Score:3, Informative)

      I went to verisign to get some facts direct. They have a "live chat" feature that pops up when you go to the faq.
      According to their customer rep "Doreen", there's really nothing special about this.
      What I got out of the chat session:
      • The encryption is the same, or possibly the same, but probably not better.
      • So far other CAs are not onboard with this (but "expected to follow suit" whoopee.)
      • The only informational resources they give their people are the faq page and the MS blog.
      • Doreen freely admits to knowing le
    • by ocbwilg (259828)
      Is it my imagination, or is this new Extended Validation SSL thing, in the end, just a bunch of paperwork? I may simply be missing the point. If someone can point to a better description of this thing that makes sense, please do so.

      No, you've got it about right. The only difference is the amount of verification being done on the back end.

      Realistically, the SSL Certificate has very little to do with the encryption. All it is saying is that "some organization presented us with this public encryption ke
  • by dolphinling (720774) on Wednesday October 25, 2006 @05:58PM (#16585274) Homepage Journal

    I think I remember reading about this either on firefox dev blogs or mailinglists or IRC. IIRC, the upshot was that verisign should be doing "extended validation" type things on all their clients. The validation they have now is really pretty shoddy, shoddy enough that they'd be risking getting kicked out if they weren't so big and so many websites would break. But that's just my memory, which could be bad, you'd have to look into it yourself.

    • From your .sig:
      There are 11 types of people in the world: those who can count in binary, and those who can't.
      ... and the 3rd type would be? ... it would appear that you are a member of the latter set. You see 11 binary is 3. You want to say: there are 10 types of people in the world ...

      Peace ...
      • Wooosh!
      • The (binary) 11 types of people are: Those who can count, and those who can't.

        • The (binary) 11 types of people are: Those who can count, and those who can't.
          ... and again ... NO , that would be the binary 10 types of people. You did identify the third type for me inadvertantly however. There are those who think they can count in binary, but just cannot quite pull it off :-)
  • Racket (Score:5, Insightful)

    by AKAImBatman (238306) * <<moc.liamg> <ta> <namtabmiaka>> on Wednesday October 25, 2006 @05:58PM (#16585282) Homepage Journal
    More Secure or Just a Racket?

    Definitely sounds like a racket to me. If you get the green bar by paying Verisign 150%, how does that differ from today's security certificates? Other than having to pay more money, and only being able to be verified by Verisign, that is. (Doesn't sound racket-y at all. Or was that rickety?) While they make it sound like the Green Bar is an excellent method of knowing that Amazon is really Amazon, I think it's actually a reverse attempt. By getting Amazon to use this spiffy new green bar, Verisign is attempting to legitimize their new technology in the eyes of the consumer. Little will actually change for the consumer, as he already knows when he's surfing Amazon.

    The only place it would supposedly help is with Phishing. But since Phishing sites can't get certificates anyway, what does this help? If the lock isn't good enough, just change the URL Bar green for every VERIFIED certificate received. That will have the EXACT same effect.
    • by khasim (1285) <brandioch.conner@gmail.com> on Wednesday October 25, 2006 @06:25PM (#16585604)
      #1. In order to issue the new certificates, the Certificate Authorities (CA's) will be "required" to follow "industry standard" practices in "verifying" whomever applies for a new certificate.

      #2. This additional "verification" is what will cost the additional money.

      #3. Any business that does not pay the additional fees to be "verified" by "industry standard" practices will be ... the same as they are today.

      #4. Phishing depends upon a person making a single error in judgment, one time. This will not stop phishing.

      This will not stop anything. This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already. Imagine trying to run a business like that.

      Boss - "I paid you last week, but you barely did any work. I'm going to fire you."

      Employee - "If you give me a 50% raise, I'll perform the work to industry standards."

      Boss - "Okay, that sounds like a good deal to me."
      • by woolio (927141)
        This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already.

        ROTFL...

        You mean like pay a mailing/shipping company insurance for them to do their own job?

        Or paying extra for an extended warranty? (To guard against stuff that shouldn't be crappy in the first place)

        Or paying a credit card company EXTRA MONEY for them to taken YOUR PAYMENT "express" ?

        Or paying extra money for a "Service Plan" to get "updates" to bug-ridden software?

        Or paying a monthly fee for a
      • You're paying EXTRA to have someone do the verification they were supposed to be doing already.

        Same as with those "tubes" err "pipes" - telcos want you to pay more so that they can actualy deliver the speeds they alredy sold you.

        Sorry for bringing this subject up again. :)

    • by CerebusUS (21051)
      But since Phishing sites can't get certificates anyway, what does this help?

      Actually, I don't think phishing sites have much trouble getting certs. Several SSL providers merely check that you own the domain the cert is registered to. If I'm the registrant of amaz0n.com, I'll approve the ssl purchase and have a cert. It tells you absolutely nothing about whether you can trust the person running the website you've connected to.

      I'm guessing this is going to end up a lot like the "Made for Windows" certifica
    • I mean... since they don't do any verification anyway... and the customer service is terrible... why does it cost hundreds of dollars?
      • by itwerx (165526)
        I mean... since they don't do any verification anyway... and the customer service is terrible... why does it cost hundreds of dollars?

        Because their business plan looks like this:

        Step 1 - Profit!
      • Re: (Score:3, Informative)

        by AKAImBatman (238306) *
        In the first link, they're self-signed certs that trigger the "Stop the World, something's wrong!" message. If consumers are ignoring this already, I'm afraid that a "green bar" isn't going to be much more effective.

        The second link is more problematic, but the solution is simple. If a cert authority can't do proper due dillegence, then remove them from the browser's trusted list until they correct their procedures. They're obviously not trustworthy. Giving Verisign an artificial monopoly on something they s
  • by TubeSteak (669689) on Wednesday October 25, 2006 @05:58PM (#16585290) Journal
    The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

    In response, the verification industry in the form of the CA browser forum has come up with extended validation SSL, where the certificate really is a guarantee of kosher status. Honest.
    Thank you The Register for saying what I was thinking.
    • The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

      Silly us, we should haver been using two padlock symbols the whole time.
  • by datajack (17285) on Wednesday October 25, 2006 @06:03PM (#16585340)
    The online identity assurance process is intended to be more comprehensive and standardized across the entire industry. Whereas currently online identity assurance processes vary from CA to CA, the new standards/processes under discussion by the CA Browser Forum, will have to be adhered to by all CAs if they wish to offer High Assurance/Extended Validation SSL certificates. This will encourage greater confidence in CAs as well as the processes that are used to vet and issue digital certificates. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.


    Err, excuse me.. isn't the verification of the identity of the applicant of the certificate exactly what the CAs are meant to be doing anyway?

    I thought that that is why we had these 'trusted' third-parties, to vouch for the identity of the certificate owner - that is the fundamental basis of PKI and certificates. If they weren't doing that before (which they clearly weren't doing properly), what the hell were they doing?

    So, we're paying them extra to get a 'fixed' version of something that they caused to be broken in the first place because they couldn't do their job properly. WHy should paying an extra 50% on top of their fees all of a sudden make us able to trust them now?
    • by skiflyer (716312)
      Couldn't agree more, posted a similar concept a little higher up... but reading it in your words makes me wonder, is there a class action lawsuit in the near future for standard SSL users?
    • by RAMMS+EIN (578166)
      ``Err, excuse me.. isn't the verification of the identity of the applicant of the certificate exactly what the CAs are meant to be doing anyway?''

      Yes. And the fact that there is apparently a need for "more comprehensive" identity checking means Verisign haven't been doing their jobs.

      ``If they weren't doing that before (which they clearly weren't doing properly), what the hell were they doing?''

      Playing monopolist. Charging ridiculous amounts of money for simple records in databases. Claiming to run a trustwo
    • What were the doing? Verifying identities of course! By means of making you enter a phone number and then enter the code on the screen when it's called, or making you scan and email a utility bill! YES! These are actually two different methods I've used buying certs before.

      So you are indeed correct, there has been no reason to trust a cert before, but they haven't actually fixed anything either ;)

      So the verification is crap, but who cares, Joe User never checks the certs anyway, and probably dosen't noti
      • Well, this is true, but don't most people don't treat the cert as anything other than an indication that the connection is encrypted? I mean, you could just put your self generated cert on your site, and most people would click "accept this cert permanently" just like they do when e.g. hotmail or other sites sometimes have the same problem.

        If browsers prominently displayed

        "Firefox considers Verisign reliable (ha!), and Verisign certifies that this site belongs to 'Joe Bloggs, 123 main St, sslville'"

        or

        "you y
      • I've never had the nerve to try this but the phone call would make a really funny transcript.

        The right way to verify a cert is to phone the establishment the cert is supposed to be for, and have them verify the thumbprint.

        Imagine trying that. Just imagine it.
    • It sounds to me like you all have it wrong.

      No CA can be 100% sure you are who you say you are. But there are things they can do to increase their confidence in your identity. Doing these things costs more money of them (and so, of you, the SSL site owner).

      It sounds like Verisign wants to use color codes to demonstrate SSL site users how confident Verisign is in the identitiy of the certificate holder.

      I think this is a fantastic idea.
    • by Kanasta (70274)
      just like how etrust merely certifies that the site has a privacy policy are not that it is good

      I would guess that currently Verisign certificates merely verify that the site has an identity, not necessarily that it is who think it is...

      Next I would propose a certification for certification companies to certify that they actually certify their certificates...
    • by XorNand (517466) *

      I remember years ago when NSI/Verisign was the only game in town and certs cost $300+. It was a *royal* PIA to buy one. It generally entailed several phone conversations with an account rep, faxing them reams of documentation verifying business identity.

      When other CAs got into the game, the increased competition drove down the prices of the certs. Since Verisign wasn't making as much money on them, they couldn't afford the same level of verification and still expect to compete. Eventually the whole process

  • So, a product is proposed by Verisign (the guys who tried to shove their shoddy SiteFinder search engine down your throat by abusing their monopoly) and Microsoft (the guys who have been shoving their shoddy DOS and Windows down your throat for decades by abusing their monopoly).

    You know what? I'm quite sure it's a shoddy product they're trying to shove down people's throat for some reason...
    • shoving their shoddy DOS ... down your throat ... abusing their monopoly

      Right! Because DOS was definitely the only O/S upon which big business was doing business, say, back in the 1980's.

      And then there were those enormous numbers of consumers using DOS instead of Apple II machines or Ataris or Amigas... Shoved down their throats? Come on. If you're going to rant about MS market share, at least skip over the part when it was anything but a sure thing, before all of the other platform makers wheezed an
      • by edwdig (47888)
        The DOS / Windows 3.x days were when MS was at its worst. DOS and Windows each had much better alternatives, but the licensing from MS made it financial suicide to ship a PC with anything else. If a computer manufacturer wanted to ship 1 computer with DOS and/or Windows on it, it had to pay licensing fees for *every* computer they made. There was no negotiating over those terms, it was take it or leave it. That didn't change until the government got involved, at which point all the other players had already
  • Scam... (Score:5, Insightful)

    by tomstdenis (446163) <tomstdenis@@@gmail...com> on Wednesday October 25, 2006 @06:05PM (#16585368) Homepage
    This is coming from the people who stole DNS, and sell certificates for hundreds of dollars which take milliseconds to make....

    Now we're supposed to get a more "trustworthy" cert and make our address bar green?

    Fuck you Verisign.

    Tom
  • The only way to judge whether this is legitimate is to see whether sites that do fraudulent things (get traffic from mistyped domain names, send out "renewal" requests to non-customers, etc) are able to get these certificates. If Verisign is able to make sure that sites that do these things or have a history of doing them can't get certificates, then maybe they'll mean more than current SSL certificates.

    Of course, there are technical issues with a PKI system without trusted root certificates, so it might no
    • by Kelson (129150) *

      The only way to judge whether this is legitimate is to see whether sites that do fraudulent things (get traffic from mistyped domain names, send out "renewal" requests to non-customers, etc) are able to get these certificates.

      I think you're being too subtle [slashdot.org] for this site [slashdot.org]...

    • Nuts...I'm out of mod points!

      The first paragraph of the parent post is, IMHO, both +5 Funny and +5 Insightful.
    • >Of course, there are technical issues with a PKI system without trusted root certificates

      This has always bugged me. It's bugged everyone who's thought about it analytically. Bruce Schneier went and investigated a little, and found interesting things.

      Why do Verisign and others (check your browser's list, see how many names you recognize) get to decide who's been verified and who hasn't? Basically, because their certs are installed in the browser when it ships. Browser makers are supposed to check for aud
  • "More secure or just a racket?"

    C'mon, ScuttleMonkey, are you trying to get a job as a pollster for Karl Rove?

    "Would you be more likely or less likely to vote for John McCain for president if you knew he had fathered an illegitimate black child?"

  • by miller60 (554835) on Wednesday October 25, 2006 @06:19PM (#16585552) Homepage
    The article is, not surprisingly, VeriSign's version of events. The Extended Validation standard emerged from talks among a consortium of browser makers (the IE team, Mozilla, Opera and Konqueror) and a ghroup of SSL certificate authorities, which includes not only VeriSign but also geoTurst (since bought by VeriSign), Comodo, Entrust and Go Daddy. The group is known as the The CA/Browser Forum, the group of certificate authorities and browser developers that is working with the American Bar Association's Information Security Committee on finalizing an open standard for the validation process, which is to be followed by all participating CAs. So this isn't just a VeriSign issue, but the culmination of an 18-month process.

    The plan was for all the browsers to implement the color bar scheme, based on IE's implementation. There were optimistic announcements by all involved, but no final standard has emerged. VeriSign and other SSL certificate authorities are preparing to start selling these in January. It's not clear to me if Firefox/Mozilla has actually opted out or is just moving more slowly than MSFT in incorporating the changes in the browser. Mozilla tends to be deliberate about SSL-related changes in the browser.

    • by Zeinfeld (263942)
      The article is, not surprisingly, VeriSign's version of events. The Extended Validation standard emerged from talks among a consortium of browser makers (the IE team, Mozilla, Opera and Konqueror) and a ghroup of SSL certificate authorities, which includes not only VeriSign but also geoTurst (since bought by VeriSign), Comodo, Entrust and Go Daddy.

      No the article is the Register's version. Its hard to tell but there is actually a panel session on this at RSA Europe and the other vendors are on the panel.

  • ..."but our Verisign certificate goes up to 11!"
  • One snarl-up for Mozilla may have been working out an alternative to the rest of Microsoft's site-rating system. As well as getting dishing out green address bars, servers at Redmond will blacklist dodgy and suspect sites, which can look forward to red and amber flashing up.

    I don't feel all paranoid about this, and I think the technology is a good concept, but dang, do we want any for profit company to be the one in charge of maintaining these lists? And what's the appeal process, if my online store got l
  • racket? (Score:5, Insightful)

    by nosferatu-man (13652) * <spamdot@homonculus.net> on Wednesday October 25, 2006 @06:26PM (#16585622) Homepage
    Verison is involved.
    Everything Verisign does is a racket.
    Therefore, it's a racket.
    Q.E.D.
  • by Animats (122034) on Wednesday October 25, 2006 @06:35PM (#16585714) Homepage

    Has anyone actually been able to find the specification for "high assurance" certificates? Apparently this is being closely held. The spec comes from something called the "CA Browser Forum", which is invitation-only and doesn't seem to have a web site. A standard was supposed to be issued in August, but apparently agreement wasn't reached until a meeting in September. There are many press releases, but no hard data.

    So that's why it's not in Mozilla.

    It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying Party Agreement.

    The way it's supposed to work is that the certificate issuer bears financial responsibility for misidentification of the certificate owner. Some certificates from Verisign have a Relying Party Agreement [verisign.com] that does provide a financial guarantee to the party relying on the certificate - $100 for a class 1 cert, $5000 for a class 2 cert, and $100,000 for a class 3 cert. Most of the other issuers have relying party agreements which promise nothing and deliver less.

    So what's happening is that, soon, you'll be able to tell the difference between the crap certificates and the good ones. Before you buy. The idea is that if you put your credit card into a site that showed a green toolbar in IE, and it wasn't really the company it should have been, you can collect from the certificate issuer. This puts certificate issuers on the hook for phishing losses.

    Unfortunately, the rules and the Relying Party Agreements for the new certificates haven't yet appeared, so we can't tell if the rules are tough enough to make this work. Since they're being drafted by the certificate issuers, there will probably be some loophole that lets them off the hook.

    • It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying
      • There should be a mechanism for encrypting web data that doesn't rely on paying a third party for a service only tangentially related to encryption.

        There is. You can still get cheap SSL certificates. But if you're accepting payments, plan on getting one that clearly identifies who you are.

        If you accept payments through a web site without disclosing who you are, you're a criminal. (California Business and Professions code section 17538, other provisions in other jurisdictions.) And soon, browsers are

        • There is. You can still get cheap SSL certificates.

          Bzzzt. Wrong answer. I shouldn't need to pay anyone to encrypt my traffic, even "cheaply". There is no technical reason why I need to.

          If you accept payments through a web site without disclosing who you are, you're a criminal.

          Wrong again. Two out of two, you aren't doing too good here.

          Firstly, I can disclose who I am without paying for a certificate. "Disclosing" does not equal "proving", and even if it did, these certificates prove nothing anywa
          • by Animats (122034)

            If you accept payments through a web site without disclosing who you are, you're a criminal.

            That's the law in California, or if you sell in Calfornia. California Business and Professions code section 17538 provides that:

            (d) A vendor conducting business through the Internet or any other electronic means of communication shall do all of the following when the transaction involves a buyer located in this state:

            (1) Before accepting any payment or processing any debit or credit charge or funds transfer

            • None of which requires an SSL cert, and so isn't germane to this conversation. This conversation isn't about requiring you to disclose your identity, this conversation is about requiring you to purchase an SSL cert. The "disclose your identity" thing was a strawman setup by the grandparent.
          • by hublan (197388)
            Bzzzt. Wrong answer. I shouldn't need to pay anyone to encrypt my traffic, even "cheaply". There is no technical reason why I need to.

            You can issue yourself self-signed certs using any of the fine crypto packages out there. The difference is that the browser isn't simply going to accept it on faith since you're not in its list of automatically trusted certificate authorities. The user will have to manually accept your certificate. If this is strictly to provide encryption for your forum website, they should
            • You can issue yourself self-signed certs using any of the fine crypto packages out there. The difference is that the browser isn't simply going to accept it on faith since you're not in its list of automatically trusted certificate authorities.

              Exactly. But I don't want the browser to tell the user that it's sure I am who I say I am. I want the browser to encrypt the damn data. SSL incorporates two mechanisms, one for authentication (proving you are who you say you are) and one for encryption (making sure
    • Has anyone actually been able to find the specification for "high assurance" certificates?

      I have not, and it strikes me as conspicuous by its absence. Especially since the X.509 standard already contains provisions for a Policy OID for exactly this purpose.

      In fact the Policy extension provides for for a much richer set of purposes than EV has conceived. It would be quite acceptable, for example, to define an "anonymizing" policy or a "voting" policy in which the Certificate Authority has assured that

  • SSL and Extended SSL (Score:2, Interesting)

    by Kazrael (918535)
    Honestly, I believe that there should be a WC3 conference to contribute a single CA that makes its way onto all browsers. Give the WC3 CA site an automated system for generating certs, including an open API and then combine DNS registration protocals with the CA gen protocals. Publicly open the API, and charge small, if anything. This service is an easy one to implement. The real issue is getting browsers to add it to its automatically trusted CA list. I can create SSL at home, but I can't get browsers
  • "See only we are secure"

    phffft
  • by NaCh0 (6124) on Wednesday October 25, 2006 @07:25PM (#16586204)
    Mozilla.org should get into the SSL certificate reselling business and set the location bar to green when one of the mozilla signed certs is present. Verisign could then have the option of paying a royalty to mozilla.org for each extended certificate if they want green URL bars too.
  • Have you audited any of the dozens of CA certificated that ship with your OS?

    Do you fetch a new CRL for each of them whenever you access a site using SSL?
    • by Sloppy (14984)
      Yeah, that's what's so funny. Almost nobody knows jack-shit about any of the CAs. And who knows the least? Exactly the kind of non-nerds/non-paranoids who trust the padlock icon the most.
  • by rhythmx (744978)
    ...as a Certificate Authority to ensure that any sites they issue certificates to are trustworthy. All PKI systems are based on this kind of trust model. If there is any lack of trust/confidence in online ssl-encrypted commerce, it is their fault. Merely because they have been ignoring their role as a trust arbitrator and giving out certs to anyone, they decide now to actually do their part, charge more, and have Microsoft put a flashy "green for go" interface on it.

    Then, of course, you must slam Firefox
  • A Firefox implementation of extended validation can only be a matter of time, since the Mozilla Foundation knows in order to compete it cannot afford for its browser to be just as good as IE7; it has to be better.

    Will someone please inform the author and Verisign that Firefox is BETTER then IE7.

    How often is sensitive information is stolen during transmission? I always hear about hackers stealing information of past customers. So, what does the new SSL has to do with better security?

  • by Sloppy (14984) on Wednesday October 25, 2006 @09:10PM (#16587168) Homepage Journal

    "Technology?" Give me a break. They're looking at what authority signed the cert, and if the web browser has been told to dogmatically trust that authority more than others, then it turns something green.

    Actually, it's not a bad idea. There are degrees of trust, and showing it to the user is fine. But you bet your ass this is mostly just a cashgrab from Verisign.

    A Firefox implementation of extended validation can only be a matter of time, since the Mozilla Foundation knows in order to compete it cannot afford for its browser to be just as good as IE7; it has to be better.

    Good news. There's a way to do this, that will absolutely embarrass MSIE, making its version of https look completely insecure by comparison, and screw Verisign over, in the process.

    Support an OpenPGP-based cert model [gnu.org] (perhaps using GNU TLS library [gnu.org], perhaps not). Suddenly, you can have certs that are signed by multiple authorities, including users themselves, and display a whole spectrum of trust metrics. Equifax can make mistakes and issue an incorrect cert to a bank [washingtonpost.com], but can three CAs all make the same mistake, without a conspiracy? And what if you get the bank's fingerprint on your snailmail statements, or there's a sign showing the fingerprint when you walk into it, and thus you can cert it yourself? What if you haven't ever been to the bank (ok, I can't imagine that) but you have 3 friends who have, and you have certified them, and told your computer they are each marginally trusted, and they all certify the bank? Three friends are sure as hell a lot more trustworthy than some faceless corporation named Verisign, whose identification policies you don't even know, whose private key storage policy you don't even know, and in fact doesn't have a single employee you have even met, assuming they have any employees at all and aren't a robot in the basement of a building at the NSA.

  • It's purely a money-making scam by Verisign (and other CAs). The only thing high-assurance about "high-assurance" certs is the assurance that you'll be charged more money for them. See the Defcon talk Phishing Tips and Techniques - Tackle, Rigging, and How and When to Phish [auckland.ac.nz] for a discussion of why "high-assurance" certs are worthless except to the companies issuing them.
  • Okay, I admittedly have a relatively limited understanding of the technical details, but it's my understanding that the OpenPGP standard does essentially the same thing as the SSL encryption and authentication, but with an explicit "web of trust" model rather than a centralized "Verisign says they're okay" sort of model used by SSL.

    Since Verisign et al don't seem to REALLY be verifying identities any more (unless now you pay extra for the "special" certificates), why keep paying them at all? Wouldn't it b

  • by epine (68316) on Thursday October 26, 2006 @02:31AM (#16589858)

    If the extra up-front validation is the main thing, Verisign should be charging a high one-time-fee for undertaking those steps, then charging a low low monthly rate to rest on their laurels and do nothing further. Somehow I doubt that's the price structure they adopted here.

Your computer account is overdrawn. Please reauthorize.

Working...