There seems to be a lot of talk about the new “High Assurance SSL Certificates” to be introduced by Verisign. IE7 will be the first browser to support this type of certificate. From my understanding, High Assurance SSL Certificates have nothing to do with stronger encryption; what changes is the identity-vetting process an entity must go through before being granted the certificate.
Browsers supporting these types of certificates will visually alert the user to the fact. Here is an IE7 screenshot from Verisign’s FAQ demonstrating how the IE7 address bar will turn green to alert the user that a High Assurance SSL Certificate is in use:
Makes you wonder: What kind of identity-assurance process was Verisign using before this? Does this mean we can’t trust certificates Verisign has issued in the past? Why should we trust their process now? Realizing that Verisign is a business and that phishing is a real problem, I am willing to cut the Certificate Authorities some slack and state that this is a good development for security, because it will deter phishing attempts that rely on URL obfuscation.
But I do NOT agree that these certificates will ELIMINATE phishing.
Before I go further, let me quote directly from Verisign’s FAQ:
For businesses with a high profile brand, using High Assurance SSL is an effective defense against phishing scams. When customers see the green bar and other displays of trust, they can interact with you online, with confidence.
If every Internet user in the world had a browser that recognized the difference between High Assurance SSL Certificates and traditional ones and if every legitimate site used a High Assurance certificate, then phishing as we know it today would essentially be eliminated.
I’d also like to note that the methodology around these “High Assurance SSL Certificates” depends heavily on the security awareness of the user. In order for this to succeed, there has to be mass adoption of the standard, along with websites redirecting ALL traffic to SSL to avoid confusion. Example: when you browse to http://www.bankofamerica.com/ (Bank of America), you notice the login form on the left: “Enter Login ID”. This form submits to an HTTPS (SSL-enabled) resource, but that is not clear to a user at this point because the initial form is rendered via plain-text HTTP. Because the page that carries the form is delivered over plain HTTP, nothing the user can see distinguishes the real form from one that has been altered in transit or copied onto a look-alike page. If Bank of America were to use a High Assurance SSL Certificate, an IE7 user would not see the green address bar until AFTER he or she has entered the ID and clicked Sign In, by which point the credential is already on its way.
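The check a practitioner would want here is a quick way to find exactly this pattern on a site: a form that collects a credential but is either delivered over plain HTTP or posts to plain HTTP. The script below is an added example written for this post, not code from the original article or from any bank or browser vendor. It parses a page with Python’s standard html.parser and reports, for each form containing a password field, whether the page itself and the form’s action are HTTPS. The sample pages and URLs (www.example.com, login.example.com) are constructed for illustration and are not real Bank of America markup.

```python
"""Flag credential forms whose delivery or submission is not protected by HTTPS.

Added example, not from the original post. The sample markup and hostnames
below are constructed for illustration and are not any real site's pages.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect every <form> on the page along with whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms: {"action": str, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return [(resolved_action_url, problem), ...] for each password form on the page.

    problem is one of:
      "page-not-https"   the form was delivered over plain HTTP, so the user sees no
                         padlock/green bar before submitting and the form could have
                         been altered in transit
      "action-not-https" the credentials themselves are posted over plain HTTP
    A form delivered over HTTPS and posting to HTTPS produces no finding.
    """
    parser = LoginFormFinder()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # Relative actions resolve against the page URL, so an HTTP page with a
        # relative action posts over HTTP too.
        action = urljoin(page_url, form["action"])
        if urlsplit(page_url).scheme != "https":
            findings.append((action, "page-not-https"))
        if urlsplit(action).scheme != "https":
            findings.append((action, "action-not-https"))
    return findings


# Constructed sample: a login form that posts to HTTPS. Served over HTTP it is
# the pattern described above; served over HTTPS it is fine.
SAMPLE_HTTPS_POST = """
<html><body>
<form action="https://login.example.com/signin" method="post">
  Enter Login ID <input type="text" name="id">
  <input type="password" name="passcode">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

# Constructed sample: a relative action, so the scheme is inherited from the page.
SAMPLE_RELATIVE_POST = """
<html><body>
<form action="signin" method="post">
  <input type="text" name="id">
  <input type="password" name="passcode">
</form>
<form action="search" method="get"><input type="text" name="q"></form>
</body></html>
"""


if __name__ == "__main__":
    for url, html in [("http://www.example.com/", SAMPLE_HTTPS_POST),
                      ("https://www.example.com/", SAMPLE_HTTPS_POST),
                      ("http://www.example.com/", SAMPLE_RELATIVE_POST)]:
        print(url, audit_login_forms(url, html) or "ok")
```

Run it against a saved copy of a site’s front page with the URL it was fetched from; the search form in the second sample shows that forms without a password field are ignored, and the relative-action case shows why “the form posts to SSL” is not something you can tell from the action attribute alone.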
In summary, I agree that High Assurance SSL Certificates are a good idea because they will help deter phishing attacks that attempt to obfuscate the URL. But they will not eliminate ALL phishing vectors. Please don’t buy the hype.