Extended Validation SSL, More Secure or Just a Racket?
Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."
Color coded? (Score:5, Insightful)
I'm colorblind. Would I ever notice the difference?
Secure? (Score:2, Insightful)
I mean, hell, if SSL is weak encryption and we need stronger encryption, should I not SUE Verisign right now for providing a false sense of safety?
It's called "open source" (Score:5, Insightful)
They SHOULD be doing this for everyone... (Score:4, Insightful)
I think I remember reading about this either on Firefox dev blogs or mailing lists or IRC. IIRC, the upshot was that Verisign should be doing "extended validation" type things on all their clients. The validation they have now is really pretty shoddy, shoddy enough that they'd be risking getting kicked out if they weren't so big and so many websites would break. But that's just my memory, which could be bad; you'd have to look into it yourself.
Racket (Score:5, Insightful)
Definitely sounds like a racket to me. If you get the green bar by paying Verisign 150%, how does that differ from today's security certificates? Other than having to pay more money, and only being able to be verified by Verisign, that is. (Doesn't sound racket-y at all. Or was that rickety?) While they make it sound like the Green Bar is an excellent method of knowing that Amazon is really Amazon, I think it's actually a reverse attempt. By getting Amazon to use this spiffy new green bar, Verisign is attempting to legitimize their new technology in the eyes of the consumer. Little will actually change for the consumer, as he already knows when he's surfing Amazon.
The only place it would supposedly help is with Phishing. But since Phishing sites can't get certificates anyway, what does this help? If the lock isn't good enough, just change the URL Bar green for every VERIFIED certificate received. That will have the EXACT same effect.
Charging more to do what they should be doing. (Score:5, Insightful)
Err, excuse me.. isn't the verification of the identity of the applicant of the certificate exactly what the CAs are meant to be doing anyway?
I thought that that is why we had these 'trusted' third-parties, to vouch for the identity of the certificate owner - that is the fundamental basis of PKI and certificates. If they weren't doing that before (which they clearly weren't doing properly), what the hell were they doing?
So, we're paying them extra to get a 'fixed' version of something that they caused to be broken in the first place because they couldn't do their job properly. Why should paying an extra 50% on top of their fees all of a sudden make us able to trust them now?
Scam... (Score:5, Insightful)
Now we're supposed to get a more "trustworthy" cert and make our address bar green?
Fuck you Verisign.
Tom
Anti-Phishing Technology will make it moot (Score:1, Insightful)
SSL is still good for keeping the data encrypted between client and server. You don't need some super-duper certificate for that.
Anti-phishing blacklists will be what works well for end-users. Being told explicitly that they're on a dangerous website is far more effective than 'hmm, well the location bar is in green!'. They won't even look.
Re:I don't get it (Score:2, Insightful)
It may solve some problems, like having a few guys claiming to be from Microsoft showing up at VeriSign's offices and walking off with a signed SSL key for MS.
This is only one of the many major problems that SSL has, though. I don't see how this can address the problems of international domain names (where glyphs for certain characters can look the same, but aren't). I also doubt that it gives assurances about the security practices of the company (why would a cracker sniff a few credit cards at a time off the wire if they can break into a database and get hundreds of credit cards at once?).
Overall, this seems like a way to make the customer pay again for the CA's own bad practices.
I'm going to guess (Score:4, Insightful)
They could do this now with regular SSL, but they couldn't charge more money... too much competition out there.
The thing is, the encryption of SSL is not at issue; it's just a new product to market.
Re:I don't get it (Score:5, Insightful)
That pretty much sums up this garbage. This is what SSL is supposed to already be, but as anyone who has filed for an SSL certificate already knows the whole thing pretty much works as a handshake... you're who, yes, ok, credit card with that name please, great, here you go.
And what about this "standardized across the industry"... I bought an SSL certificate from a 3rd party because they're in the Firefox/Opera/IE default trust lists, and because they cost $40 a year instead of $400, is this really a new industry standard or is this just Verisign's way of artificially creating a new market now that there's too much competition?
Re:more info (Score:3, Insightful)
I mean, wouldn't it make more sense for Verisign to do the same thing (if they wanted to get some money for insecure certs but still have a more secure cert) to create a new Certification Authority name also run by Verisign that actually does their job, and not require any browser code changes? Or are they just afraid that if they did that, browser vendors might delist Verisign's main CA from their default list of trusted CAs, since that would be admitting that, well, basic Verisign certificates can't be trusted?
Seems to me this is an unnecessary technical change to a business practices problem at Verisign.
The new certificates are double plus super good. (Score:5, Insightful)
#2. This additional "verification" is what will cost the additional money.
#3. Any business that does not pay the additional fees to be "verified" by "industry standard" practices will be
#4. Phishing depends upon a person making a single error in judgment, one time. This will not stop phishing.
This will not stop anything. This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already. Imagine trying to run a business like that.
Boss - "I paid you last week, but you barely did any work. I'm going to fire you."
Employee - "If you give me a 50% raise, I'll perform the work to industry standards."
Boss - "Okay, that sounds like a good deal to me."
racket? (Score:5, Insightful)
Everything Verisign does is a racket.
Therefore, it's a racket.
Q.E.D.
Gaah! Please skip the revisionism. (Score:3, Insightful)
Right! Because DOS was definitely the only O/S upon which big business was doing business, say, back in the 1980's.
And then there were those enormous numbers of consumers using DOS instead of Apple II machines or Ataris or Amigas... Shoved down their throats? Come on. If you're going to rant about MS market share, at least skip over the part when it was anything but a sure thing, before all of the other platform makers wheezed and missed the opportunity to take over the business desktop market (when they already owned the back office corporate computing market!) when it was anything but settled in one popular direction.
Certs are a joke (Score:3, Insightful)
"Oh, it's an https site. It's encrypted. Cool". Next.
Some time when you're really bored look at the low level ssl stuff (with openssl or something) and notice all the errors. The browsers ignore so many of these I think it's all a big joke.
Re:Secure? (Score:1, Insightful)
A certificate is a way of proving who you are by proving that someone whom the other person trusts has verified that you are who you say you are. There are two ways of attacking this concept: You can break the cryptography which is used in that process or you can get a certificate which says you are someone else by pretending to the trusted third that you are someone else. Extended Validation is a (misguided) attempt at preventing attacks of the latter kind. The only job of a CA is to verify identities. If a CA can't guarantee identities, the CA's certificate should no longer be trusted. Instead, EV adds "super trusted" certificates and leaves insufficiently checked identities in the trust hierarchy.
Where's the specification? (Score:5, Insightful)
Has anyone actually been able to find the specification for "high assurance" certificates? Apparently this is being closely held. The spec comes from something called the "CA Browser Forum", which is invitation-only and doesn't seem to have a web site. A standard was supposed to be issued in August, but apparently agreement wasn't reached until a meeting in September. There are many press releases, but no hard data.
So that's why it's not in Mozilla.
It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying Party Agreement.
The way it's supposed to work is that the certificate issuer bears financial responsibility for misidentification of the certificate owner. Some certificates from Verisign have a Relying Party Agreement [verisign.com] that does provide a financial guarantee to the party relying on the certificate - $100 for a class 1 cert, $5000 for a class 2 cert, and $100,000 for a class 3 cert. Most of the other issuers have relying party agreements which promise nothing and deliver less.
So what's happening is that, soon, you'll be able to tell the difference between the crap certificates and the good ones. Before you buy. The idea is that if you put your credit card into a site that showed a green toolbar in IE, and it wasn't really the company it should have been, you can collect from the certificate issuer. This puts certificate issuers on the hook for phishing losses.
Unfortunately, the rules and the Relying Party Agreements for the new certificates haven't yet appeared, so we can't tell if the rules are tough enough to make this work. Since they're being drafted by the certificate issuers, there will probably be some loophole that lets them off the hook.
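Added example, not part of the thread: a heuristic that separates the "domain only" certificates described in the comment above from ones where the CA vouched for a business identity, using the subject fields as Python's `ssl.SSLSocket.getpeercert()` reports them. It assumes the subject-field conventions the CA/Browser Forum later published for EV certificates; the sample certificates and all names in them are constructed.

```python
# Heuristic only: classify a certificate by the identity fields in its subject.
# Meaningful only after the chain has validated to a trusted root, because
# subject fields in an unvalidated certificate are self-asserted.

# Older OpenSSL builds report this attribute by OID instead of by name.
JURISDICTION_COUNTRY = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}


def subject_fields(cert):
    """Flatten getpeercert()'s tuple-of-RDNs subject into {name: value}."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Return 'domain-only', 'organization' or 'extended'."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "domain-only"  # the CA checked control of the domain, nothing else
    has_ev_identity = (
        "businessCategory" in fields
        and "serialNumber" in fields  # registration number of the legal entity
        and not JURISDICTION_COUNTRY.isdisjoint(fields)
    )
    return "extended" if has_ev_identity else "organization"


def vouched_identity(cert):
    """Legal entity the CA vouches for, or None for a domain-only certificate."""
    return subject_fields(cert).get("organizationName")


# Constructed sample certificates in getpeercert() shape.
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Shop Inc"),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Shop Inc"),),
                       (("commonName", "shop.example"),))}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, validation_level(cert), vouched_identity(cert))
```

Browsers do not decide EV status from subject fields alone; they also check a policy identifier tied to the issuing root, so treat this as a triage aid for certificate inventories rather than a trust decision.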
Re:Most colorblind people can tell white from gree (Score:3, Insightful)
Sadly, CACert's root certificate is still not included with Mozilla, although a number of distributions include it.
It is Verisign's job (Score:2, Insightful)
Then, of course, you must slam Firefox for "losing the browser war" by not keeping up by making their URLs turn green. You know, (speculation alert) you can probably bet Microsoft patented the green url indicator anyway, locking Firefox out.
It's purely a money-making scam for Verisign (Score:2, Insightful)
what's the price structure? (Score:3, Insightful)
If the extra up-front validation is the main thing, Verisign should be charging a high one-time-fee for undertaking those steps, then charging a low low monthly rate to rest on their laurels and do nothing further. Somehow I doubt that's the price structure they adopted here.