'Supercerts' Aim to Highlight Legit Web Sites
Over the past couple of years, dozens of companies have rolled out technologies designed to help computer users and companies better spot "phishing" scams -- Web sites that try to trick people into giving away financial and personal data. But what about helping users tell for certain that, when their browser says they are at, say, BankofAmerica.com, they really are at the bank's official Web site and not at some scam site?
Today, pretty much any Web site owner can plunk down between $150 and $400 and purchase a secure sockets layer (SSL) certificate, a technology designed not only to protect the integrity of data submitted by customers but also to give visitors a modicum of assurance that the site takes their security seriously. By clicking on the little padlock icon that the browser displays for all SSL-certified sites, visitors also can gain more assurance that the SSL holder is a legitimate company and that it has at least been vetted by a certification authority to some degree.
The problem is that hardly anyone knows to check the data included in SSL certs, and even for those who do, making sense of it all is probably beyond the grasp of the average computer user. In addition, phishers increasingly are buying and incorporating SSL certs to make their scam sites appear more legitimate. Worse still, the checks that the certificate authorities currently perform to verify that those seeking SSL certs have a legitimate claim to the Web site name listed on the requested cert are largely automated and not terribly hard to fool. In February, Security Fix wrote about a phishing scam that had applied for and received an SSL cert for an actual credit union in Utah.
CA/Browserforum aims to create a market for a kind of "supercert" known as "extended validation" SSL certificates. EVSSL certs would cost quite a bit more but in theory would also include more rigorous vetting of the identity and legitimacy of any requesting entity. More importantly, by working with browser makers Microsoft, Mozilla, Opera Software and KDE, the two groups can agree on standardized methods for modifying the display of the visitor's browser window in more obvious ways to let users know when they are at the legitimate site of a super-cert holder. For example, the browser could be made to turn green around the address bar when the user visits what the browser recognizes as the real Bank of America site.
Bruce Schneier, a cryptography expert and chief technology officer for Counterpane Internet Security, applauded the goals of the CA/Browserforum, calling the current SSL cert validation process "laughable."
"It's a serious problem that people on the 'Net don't know the difference between a real Web site and a clever fake," Schneier said. "I think laying this infrastructure could be useful along with other things in the browser to make it more obvious," when users are at a legitimate site, he said. "This is a big problem, and this is a piece of the solution, not the solution by itself."
November 8, 2006; 3:02 PM ET