There seems to be a lot of talk about the new “High Assurance SSL Certificates” to be introduced by Verisign. IE7 will be the first browser to support this type of a certificate. From my understanding, High Assurance SSL Certificates have nothing to do with better encryption, but the process an entity must go through before being granted the certificate.
Browsers supporting these types of certificates will visually alert the user of the fact. Here is a IE7 screenshot from Verisign’s FAQ demonstrating how the IE7 address bar will turn green to alert the user that a High Assurance SSL Certificate is in use:
Makes you wonder: What kind of a identity assurance process was Verisign using before this? Does this mean we can’t trust certificates Verisign has issued in the past? Why should we trust their process now? Realizing that Verisign is a business, and the fact that phishing is quite a problem, I am willing to cut the Certificate Authorities some slack and state that this is a good development for security because it will deter phishing attempts that rely on URL obfuscation.
But I do NOT agree that these certificates will ELIMINATE phishing.
Before I go further, let me quote directly from Verisign’s FAQ:
For businesses with a high profile brand, using High Assurance SSL is an effective defense against phishing scams. When customers see the green bar and other displays of trust, they can interact with you online, with confidence.
If every Internet user in the world had a browser that recognized the difference between High Assurance SSL Certificates and traditional ones and if every legitimate site used a High Assurance certificate, then phishing as we know it today would essentially be eliminated.
Phishing as we know it today would essentially be ELIMINATED?! No it wont. Reduced, yes. But eliminated? No. Three words: Cross Site Scripting (XSS). As an example, suppose your website is susceptible to XSS (one of the most common vulnerabilities in web applications today). A High Assurance Certificate will not stop a phisher from sending your customers a URL, which when clicked on will cause YOUR web server to render any HTML or JavaScript chosen by the attacker. In this example, the HTML or JavaScript injected by the attacker can display a login form that will POST the credentials to the attacker. If your website were to use “High Assurance SSL Certificates”, it will make the phishing attempt seem even MORE legitimate given the hype around the service - because in the case of XSS, the rogue HTML is rendered by YOUR (legitimate) web server!
I’d also like to note that the methodology around these “High Assurance SSL Certificates” heavily counts on the security awareness of the user. In order for this to succeed, there has to be a mass adoption of the standard, along with websites redirecting ALL traffic to SSL to avoid confusion. Example: when you browse to http://www.bankofamerica.com/ (Bank of America), you notice the login form on the left: “Enter Login ID”. This form submits to a HTTPS (SSL enabled) resource, but that is not clear to a user at this point because the initial form is rendered via plain-text HTTP. If Bank of America were to use a High Assurance SSL Certificate, a IE7 user would not see the green address bar until AFTER he or she submits his ID and clicks on Sign In.
In summary, I agree that High Assurance SSL Certificates are a good idea because they will help deter phishing attacks that attempt to obfuscate the URL. But they will not eliminate ALL phishing vectors. Please don’t buy the hype.
This is just another way for verisign to charge more than its already very-high rates.
I agree with all of your points. (especially https submits on http pages and xss)
I wonder how difficult it would be to register one of these for bamkofanerica.com. Would their secret assurance policies let me through? ;)
Matthew,
There is no way this is going to eliminate phishing, but it may be a good start. I called Xramp, who is my current SSL provider, to ask them if they were going to be able to issue these and it turns out that they are also one of the companies that will be able to issue these new certificates when they come out. As far as the rates go, they said they will be offering these new High Assurance certificates for less than what VeriSign currently charges for their lowest priced certificates. I've been happy with them so far, so maybe this is just a good time for those who are still buying Verisign certificates to check out other providers. Their website is located at www.xramp.com. I didn't see anything posted yet about the new certificates, but if you call them they can help you. Their staff is friendly and you don't have to wait on hold for very long (I usually get someone within 10-30 seconds.)
Best of luck to you,
Jason
This is a thinly veiled protection racket. You're a sole proprietorship? You will be labeled as a possible phishing site, and lose potential customers. You are a small business? Pay up the $1300.00 per year, or you will be labeled a possible criminal and lose business too.
These certificates offer the business nothing of value. Pure racketeering.
This does little to actively protect the consumer, and once this gets hacked (my guess is sooner than later) it will do nothing to protect consumers. This only works in favor of large corporations.
Another way to look at this is 'Presumed guilty until innocence is bought.'
The green bar goes far beyond fishing. It's advertised as being the end all be all that the store owner has been identified as the store owner.
Small online retailers use every extra penny they have for inventory merchant fees and marketing. Before the new High Assurance certificates all we really needed was an SSL Certificate that assured that our clients data was safe.
However that certificate that has been good enough for several years shows up as yellow, and in some stores that use the lower cost SSL certs it shows up as red. We spend allot of time and money drawing customers to our web site only to have the biggest browser tell customers that we're not an honest company. The customer sees red, or yellow and doubt enters into the transaction. The last thing a small retailer needs is for someone to second guess their purchase at the time of payment.