Extended Validation SSL, More Secure or Just a Racket? 205
Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."
Re:Color coded? (Score:1, Informative)
more info (Score:1, Informative)
http://www.verisign.com/ssl/ssl-information-center /faq/high-assurance-ssl.html [verisign.com]
This seems to be composed of two parts:
Yes. (Score:4, Informative)
All the brower teams and SSL CAs agreed to this (Score:5, Informative)
The plan was for all the browsers to implement the color bar scheme, based on IE's implementation. There were optimistic announcements by all involved, but no final standard has emerged. VeriSign and other SSL certificate authorities are preparing to start selling these in January. It's not clear to me if Firefox/Mozilla has actually opted out or is just moving more slowly than MSFT in incorporating the changes in the browser. Mozilla tends to be deliberate about SSL-related changes in the browser.
Re:I don't get it (Score:5, Informative)
Right now to get a cert it's a phone call verification or something else that can be done remotely.
For High Assurance CAs, the issuer has to fly a person out to the physical site, take pictures of the site, go inside, take pictures of at least two(?) employees, get names of workers, get signatures, and so on. At least that was the idea last I heard.
Rather than a remote validation, which I guess is easier to forge and easier to issue a mistake to by accident, this requires in person validation and lots of other crap you can't do without actually going there and checking it out. You decide if it's worth it. If not seeing that "special green color" stops just a few customers from using your site, it probably is.
Re:Secure? (Score:3, Informative)
On a related note, I was doing some poking around the other day and noticed this: Three things to be concerned about:
1. It's only a 1024 bit RSA key. That is weak by today's standards.
2. The signature algorithm is 'RSA-MD2'.
3. Attacks against this certificate may only be theoretical today, but Verisign foresaw this, and saw fit to mark the certificate as valid until 2028!
Thank you, Verisign!
Re:I don't get it (Score:3, Informative)
According to their customer rep "Doreen", there's really nothing special about this.
What I got out of the chat session:
Now, I understand that this is pretty low on the totem pole, but still I think it's indicative enough to start throwing around some assumptions.
<assumptions style="raging">
From a technical standpoint, "High Assurance SSL" is functionally the same as vanilla SSL. The only difference is that for supported browsers, the cert holder and issuer will be visible in the URL address bar. (Oh, and you can toggle between them by clicking, whoopee.) The main draw is that it's "more visible!!!".
So functionally, if the FF devs want to counter this ridiculous load of crap, all they have to do is stick the plain old vanilla certs into the URL bar and maybe highlight weird characters to show phishing attempts. Certainly, a whole lot more paperwork isn't going to stop the phishers if they're going to the trouble of getting a cert anyways.
</assumptions>
Smells like a turd, looks like a turd.
Re:SSL and Extended SSL (Score:1, Informative)
Re:Certs are a joke (Score:3, Informative)
I have a screen shot on a computer around here someplace of a browser alert window pointing out the cert domain doesn't match the domain. It was about 2-3 years ago. I can't remember for sure but I think it was www.paypal.com (the cert) didn't match paypal.com (which is what I type in).
The points remain:
1) People don't care if the cert is valid or not or in many cases if it's even signed by a root auhority the browser knows about
2) There are lots of errors in certs the browsers ignore; if they didn't damn few, if any would work.
Re:CACert (Score:4, Informative)
Re:Secure? (Score:5, Informative)
Comodo Trusted SSL. [trustlogo.com]
GeoTrust True BusinessID. [geotrust.com]
Business identity validation SSL certificates have been around for a long time. The only thing different about VeriSign's offering is that they're partnering with Microsoft to have the bar turn green if their more expensive cert is detected, to the disadvantage of all other SSL providers. This is an attempt by VeriSign to make it effectively necessary for businesses to use their cert so customers won't think that their site is insecure.
There's so much wrong with this attempt to gain a monopoly without adding anything of value to the market... but par for the course for VeriSign.
Re:Phishers can and do get certs (Score:3, Informative)
The second link is more problematic, but the solution is simple. If a cert authority can't do proper due dillegence, then remove them from the browser's trusted list until they correct their procedures. They're obviously not trustworthy. Giving Verisign an artificial monopoly on something they should already be doing is not the way to solve the problem!