Cryptography
Cryptography and encryption software, hardware, issues, articles and conferences.

  Monday, January 15, 2007


New E-Commerce Identity Tag Makes Online Debut.

A long-promised technology for helping consumers verify the legitimacy of commercial Web sites made its debut on the Internet Friday: Visit online security company Entrust's login page with Microsoft's Internet Explorer 7 Web browser and you'll notice that the address bar has turned from white to green.

Entrust's site appears to be the first to feature what are being called "extended validation certificates," a development that is equal parts technology, process and collaboration. It comes in response to an epidemic of phishing attacks, or online scams in which bad guys erect Web sites that impersonate trusted e-commerce and banking sites in order to trick users into revealing personal and financial data.

"EV certs," as they're known in the industry, are meant to serve as a more user-friendly version of secure-sockets layer (SSL) certificates, the digital placards long handed out by Entrust and other "certificate authorities" that are meant to signify to consumers that they are on a site that uses encryption technology. The goal is to assure visitors that unauthorized third parties can't intercept user names, passwords, and other sensitive data that consumers enter when shopping or banking online.

SSL certs also have been touted as a means of helping consumers verify that they are truly at Ebay.com or some other commercial site, not at some clever fake. The problem is that most consumers don't know how to read the more relevant, technical information contained in an SSL cert. What's more -- the scam artists themselves have even begun purchasing and using SSL certs in an effort to make their sites appear more legitimate.

Hence, the idea for EV Certs. Unlike the process for obtaining a regular SSL cert -- which is largely automated, with certs often issued the same day they are purchased -- issuers of EV certs are supposed to do a lot more background checking into the entity that's requesting an EV cert, a process that can take several weeks.

The idea with EV certs is that when you log in to your bank's Web site, you should notice the browser's address bar turning green. If you single click on the lock icon, it will pop up a box that has a bit more information about which certificate authority vouched for the identity of the site. Visitors who aren't convinced can click on a link that brings up the more technical information on the certificate, or a link to IE7's "Help" page that has a long list of answers to questions that might pop up in the visitor's mind.
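What the lock-icon dialog actually reads is the certificate's subject name and its certificatePolicies extension: an EV cert carries a verified organization name, business category, jurisdiction and registration number next to the domain, plus a policy OID the issuing CA reserves for EV, while a regular cert typically carries little more than the domain. The following is an added example, not code from the Security Fix article or from Entrust or Microsoft, using only the Python standard library. The certificate fragments are constructed in the block (no real site or company), and the two policy OIDs are the CA/Browser Forum's shared EV and DV identifiers, which were introduced after this article was written; in 2007 each CA used its own EV OID, so treating 2.23.140.1.1 as "the" EV marker is an assumption made for the example.

```python
"""Added example: what separates an EV certificate from a regular SSL
certificate at the byte level, i.e. the subject fields and policy OID a
browser's lock-icon dialog relies on. Stdlib only; all data is constructed."""


def der_len(n):
    """DER length octets: short form below 128, long form at or above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID string as an OBJECT IDENTIFIER TLV."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:                       # base-128 with continuation bits
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return der(0x06, bytes(out))


def der_utf8(s):
    return der(0x0C, s.encode("utf-8"))


def der_seq(*items):
    return der(0x30, b"".join(items))


def der_set(*items):
    return der(0x31, b"".join(items))


def encode_name(attrs):
    """X.509 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value }."""
    return der_seq(*(der_set(der_seq(der_oid(o), der_utf8(v))) for o, v in attrs))


def encode_policies(oids):
    """certificatePolicies value: SEQUENCE OF PolicyInformation { OID }."""
    return der_seq(*(der_seq(der_oid(o)) for o in oids))


def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV at pos; handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlv(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body


def decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def decode_name(name_der):
    """Flatten a Name into {oid: value}; one attribute per RDN is assumed."""
    _, body, _ = read_tlv(name_der)
    attrs = {}
    for _, rdn in iter_tlv(body):
        for _, atv in iter_tlv(rdn):
            (_, oid_body), (_, val_body) = list(iter_tlv(atv))
            attrs[decode_oid(oid_body)] = val_body.decode("utf-8")
    return attrs


def decode_policies(policies_der):
    _, body, _ = read_tlv(policies_der)
    return [decode_oid(next(iter_tlv(info))[1]) for _, info in iter_tlv(body)]


CN, O, C, SERIAL_NUMBER, BUSINESS_CATEGORY = "2.5.4.3", "2.5.4.10", "2.5.4.6", "2.5.4.5", "2.5.4.15"
JURISDICTION_C = "1.3.6.1.4.1.311.60.2.1.3"   # jurisdictionOfIncorporationCountryName
# Assumption: CA/Browser Forum shared OIDs (post-2007); 2007-era CAs used their own.
EV_POLICY_OIDS = {"2.23.140.1.1"}
EV_SUBJECT_FIELDS = {C, O, SERIAL_NUMBER, BUSINESS_CATEGORY, JURISDICTION_C}


def classify(subject_der, policies_der):
    """What a lock-icon dialog may truthfully show: the validation level and,
    for EV only, the organization the CA vouched for."""
    subject = decode_name(subject_der)
    policies = decode_policies(policies_der)
    is_ev = bool(set(policies) & EV_POLICY_OIDS) and EV_SUBJECT_FIELDS.issubset(subject)
    return {"domain": subject.get(CN),
            "level": "EV" if is_ev else "regular SSL",
            "organization": subject.get(O) if is_ev else None}


# Constructed samples: not real certificates, sites or companies.
EV_SUBJECT = encode_name([(C, "US"), (JURISDICTION_C, "US"),
                          (BUSINESS_CATEGORY, "Private Organization"),
                          (SERIAL_NUMBER, "C1234567"), (O, "Example Bank, Inc."),
                          (CN, "login.example-bank.test")])
EV_POLICIES = encode_policies(["2.23.140.1.1"])
DV_SUBJECT = encode_name([(CN, "login.bargainwidgets.test")])
DV_POLICIES = encode_policies(["2.23.140.1.2.1"])

if __name__ == "__main__":
    print(classify(EV_SUBJECT, EV_POLICIES))
    print(classify(DV_SUBJECT, DV_POLICIES))
```

The classifier deliberately requires both the EV policy OID and the full set of EV subject fields: a certificate that carries an organization name but no EV policy, or the policy OID without the jurisdiction and registration fields, is reported as regular SSL, which is the same conservative choice a browser makes before it turns the bar green.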

The benefit from these certs won't be fully realized until a lot more sites implement them, and more importantly until the general public has had a chance to become familiar enough with the certs that they begin to look for them. But here's where it gets a bit tricky. These new and improved EV certs are quite a bit more expensive than SSL certs: Entrust plans to sell its EV certs at $499 apiece per year (and that's its "intro price"), whereas its regular SSL certs sell for about $150 (and you can find SSL certs for much cheaper elsewhere). Verisign, the world's largest and probably most recognizable SSL provider, has set its price for EV certs starting at a hefty $1,300 per year.

All of which raises some questions. Where does the small mom-and-pop-shop fit into this brave new world? If the average Web surfer (i.e., IE user) becomes accustomed to seeing green browser bars at Ebay.com, what will they think of Bargainwidgets.com if their login page isn't tinted by the familiar green address bar?

Also, what about the bank Web sites, which Security Fix and others have taken to task for confusing average consumers? For years, the banks trained customers to look for the little "padlock icon" in the corner of their Web browser window. Over the past couple of years, however, many of the nation's largest financial institutions have done away with the padlock on their home pages in the name of convenience and cost savings. On a number of banking sites, you don't see that padlock until you click on the "login" link or click on a separate portion of the bank's site. It will be interesting to see whether the banks adapt their policies yet again to accommodate the increased recognition that may be afforded to them through EV certs.

Meantime, the folks at Mozilla say they are hard at work on a new version of Firefox that can accommodate EV certs, but it may be some time yet before that becomes a reality (that's based on interviews with them...there may indeed be other browser makers who are ready to roll this out, I just don't know).

Of course, it is possible that phishers may figure out a way to fake the green address bar at some point. At any rate, please drop me a line or leave something in the comments section below if -- in the days after reading this post -- your bank or other sites you do business with roll out this technology.

[Security Fix]
12:34:26 AM    


© Copyright 2007 Paul Hardwick.
Last update: 2/5/07; 3:31:45 PM.
