There's no new standard in SSL
Sorry to contradict you, Michael, but there is no new standard in SSL.

The idea behind Extended Validation, or EV SSL, is that sites using EV SSL certificates have been subject to rigorous third-party investigation and verification before the certificate is issued. Browsers that are aware of EV certificates can behave differently on encountering one. In the case of Firefox 3, for example, the browser shows a green label to the left of the address in the address bar, with a link to a more detailed trust statement.

Extended Validation SSL is, however, not new technology. It can't be if backward compatibility is to be preserved. That is, if a non-EV aware browser encounters an EV SSL site, it must still treat it the same way as any other SSL site.
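As an added illustration, not code from the original post, of why a non-EV browser can treat an EV site like any other: the EV status is carried as a policy OID inside the ordinary X.509 certificatePolicies extension, so the certificate format and the TLS handshake are unchanged. The example assumes the CA/Browser Forum's common EV policy OID 2.23.140.1.1 as the recognised marker (in 2008 each issuer used its own EV OID and browsers kept a per-CA list); the DV policy OID under the 99999 enterprise arc is a constructed placeholder.

```python
# CA/Browser Forum common EV policy OID (assumed as the recognised EV marker;
# in 2008 each issuer used its own EV OID and browsers carried a per-CA list).
EV_POLICY_OIDS = {"2.23.140.1.1"}

def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_policies(oids):
    """certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID }."""
    items = b"".join(b"\x30" + bytes([len(o)]) + o for o in map(encode_oid, oids))
    return b"\x30" + bytes([len(items)]) + items   # short-form length only

def decode_oid(body):
    """Turn OID content octets back into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def policy_oids(der):
    """Walk the SEQUENCE OF PolicyInformation and collect each policy OID."""
    assert der[0] == 0x30, "expected SEQUENCE"
    pos, end, found = 2, 2 + der[1], []
    while pos < end:
        assert der[pos] == 0x30 and der[pos + 2] == 0x06
        oid_len = der[pos + 3]
        found.append(decode_oid(der[pos + 4:pos + 4 + oid_len]))
        pos += 2 + der[pos + 1]       # skips any policyQualifiers as well
    return found

def classify(der, ev_aware=True):
    """EV-aware browser: 'ev' on a recognised OID; legacy browser: always 'ssl'."""
    return "ev" if ev_aware and EV_POLICY_OIDS & set(policy_oids(der)) else "ssl"
```

Passing `ev_aware=False` models the pre-EV browser: it never inspects the policy OID, so the same certificate is plain SSL to it.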

The innovation here is not technology, it is process. And that process is flawed in at least two ways.
  1. Trust is diluted

    I remember the first time I applied for an SSL certificate. I had to go to great lengths to demonstrate that I controlled the domain and was authorised to administer it. The certificate issuer checked Dun & Bradstreet and company registration information too. Although it was expensive and time consuming, I was comfortable with the process, reasoning that, if all applicants were subject to the same rigour, this made SSL inherently trustworthy.

    How times change.

    Latterly, it seems, anyone can get an SSL certificate more or less on demand and without any significant checking by the certificate issuer.

    SSL should deliver two things.

    1. It should firstly deliver end to end encryption which, of course, it does.
    2. But it should also deliver trust. That trust stems from the concept of the trusted third party, a role taken by the certificate issuer.

    If we can no longer trust those trusted third parties then one of the two benefits of SSL is lost. EV SSL is simply an attempt to close that particular stable door, though the horse is now long gone.

  2. Users are confused

    Will a new class of SSL certificate make any difference to users?

    If you took that test the other day, then you may recall that one of the questions was to do with SSL. Users taking the test were advised to check for https in the address bar and the padlock icon and that is all.

    If the continuing success of phishing is any guide, it seems that even those simple cues are lost on many users, so expecting them now to distinguish between http, https and https via EV may just be asking a little too much.

    In fact, as EV SSL certificates will only be available to corporates anyway, there will inevitably remain a large number of SSL-secured sites that use regular rather than EV SSL.

    What's the message to users here? That they should trust EV SSL sites, not trust unsecured sites and only trust non-EV SSL sites when... What?

    How are users to judge who is trustworthy and who is not?

Bruce Schneier summed up that latter point on 21 December 2006.

Of course, if a merchant's bar doesn't turn green it doesn't mean that they're bad. It'll be white, which indicates "no information." There are also yellow and red indications, corresponding to "suspicious" and "known fraudulent site." But small businesses are worried that customers will be afraid to buy from non-green sites.

That's possible, but it's more likely that users will learn that the marker isn't reliable and start to ignore it.

It isn't too late to salvage the reputation of SSL, but EV isn't the way to do it. Users will not accept four different security classifications (trustworthy, no information, suspicious and known fraudulent).

What is needed is a return to proper due diligence by certificate issuers so that trusted third parties may once again be trustworthy.

And the anti-phishing features of IE and Firefox will take care of most of the bad guys.

Category: T'Internet

Comments:

1. Nathan T. Freeman, 21/07/2008 16:02:18
Homepage: http://nathan.lotus911.com


You know what else is needed? A more thorough evaluation of the top-level certificates on a given computer. It hadn't occurred to me to take a closer look in a while. It's amazing the sort of obscure, unknown entities that I'm effectively trusting for SSL according to my root cert list!