Network News

X My Profile
View More Activity

New E-Commerce Identity Tag Makes Online Debut

A long-promised technology for helping consumers verify the legitimacy of commercial Web sites made its debut on the Internet Friday: Visit online security company Entrust's login page with Microsoft's Internet Explorer 7 Web browser and you'll notice that the address bar has turned from white to green.

Entrust's site appears to be the first to feature what are being called "extended validation certificates," a development that is equal parts technology, process and collaboration. It comes in response to an epidemic of phishing attacks, or online scams in which bad guys erect Web sites that impersonate trusted e-commerce and banking sites in order to trick users into revealing personal and financial data.

"EV certs," as they're known in the industry, are meant to serve as a more user-friendly version of secure-sockets layer (SSL) certificates, the digital placards long handed out by Entrust and other "certificate authorities" that are meant to signify to consumers that they are on a site that uses encryption technology. The goal is to assure visitors that unauthorized third parties can't intercept user names, passwords, and other sensitive data that consumers enter when shopping or banking online.

SSL certs also have been touted as a means of helping consumers verify that they are truly at or some other commercial site, not at some clever fake. The problem is that most consumers don't know how to read the more relevant, technical information contained in an SSL cert. What's more -- the scam artists themselves have even begun purchasing and using SSL certs in an effort to make their sites appear more legitimate.

Hence, the idea for EV Certs. Unlike most processes for obtaining a regular SSL -- which are largely automated and often can be issued the same day they are purchased -- issuers of EV certs are supposed to do a lot more background checking into the entity that's requesting an EV cert, a process that can take several weeks.

The idea with EV certs is that when you log in to your bank's Web site, you should notice the browser's address bar turning green. If you single click on the lock icon, it will pop up a box that has a bit more information about which certificate authority vouched for the identity of the site. Visitors who aren't convinced can click on a link that brings up the more technical information on the certificate, or a link to IE7's "Help" page that has a long lists of answers that might pop up in the visitor's mind.

The benefit from these certs won't be fully realized until a lot more sites implement them, and more importantly until the general public has had a chance to become familiar enough with the certs that they begin to look for them. But here's where it gets a bit tricky. These new and improved EV certs are quite a bit more expensive than SSL certs: Entrust plans to sell its EV certs at $499 apiece per year (and that's its "intro price"), whereas its regular SSL certs sell for about $150 (and you can find SSL certs for much cheaper elsewhere). Verisign, the world's largest and probably most recognizable SSL provider, has set its price for EV certs starting at a hefty $1,300 per year.

All of which raises some questions. Where does the small mom-and-pop-shop fit into this brave new world? If the average Web surfer (i.e., IE user) becomes accustomed to seeing green browser bars at, what will they think of if their login page isn't tinted by the familiar green address bar?

Also, what about the bank Web sites, which Security Fix and others have taken to task for confusing average consumers? For years, the banks trained customers to look for the little "padlock icon" in the corner of their Web browser window. Over the past couple of years, however, many of the nation's largest financial institutions have done away with the padlock on their home pages in the name of convenience and costs savings. On a number of banking sites, you don't see that padlock until you click on the "login" link or click on a separate portion of the bank's site. It will be interesting to see whether the banks adapt their policies yet again to accommodate the increased recognition that may be afforded to them through EV certs.

Meantime, the folks at Mozilla say they are hard at work on a new version of Firefox that can accommodate EV certs, but it may be some time yet before that becomes a reality (that's based on interviews with them...there may indeed be other browser makers who are ready to roll this out, I just don't know).

Of course, it is possible that phishers may figure out a way to fake the green address bar at some point. At any rate, please drop me a line or leave something in the comments section below if -- in the days after reading this post -- your bank or other sites you do business with roll out this technology.

Update, Jan. 15, 10:45 a.m.: Some readers have written in to say they do not see a green address bar when visiting the Entrust link that I included in the original post. Apparently, this has to do with the fact that IE7 users on Windows XP need updates to their browser's trusted certificate issuer's list. Microsoft is apparently expected at some point to push out a mechanism to force that update, but in the meantime Entrust and other certificate authorities are doing this on a per-visitor basis with an invisible script on their home pages. This blog post by one Entrust's employees explains a little more about the messy, technical mechanics of all this, and this link at Entrust is a good place to start for working out any problems making the green bar appear in IE 7.

It seems that none of this works unless you have Microsoft's anti-phishing filter turned on (to toggle those settings, go to "Tools," "Options," and click on the "Advanced" tab). If after turning the phish filter on you're still not seeing the green bar, visit Entrust's home page, and then try the login page again. You may at this ponit see a green bar, but also see a popup prompt that says "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" If you click "No," you should continue to see the green bar, but if you click "Yes" it is replaced by the usual white address bar.

None of this was an issue for me because I had visited Entrust's home page prior to visiting their login page. But obviously this whole system is going to be pretty kludgy for most people until Microsoft pushes out an update for IE7/XP users.

By Brian Krebs  |  January 13, 2007; 12:18 PM ET
Categories:  Fraud , From the Bunker , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: The Spammer-as-Hit Man Scam
Next: Note to MySpace Users: Get Better Passwords

No comments have been posted to this entry.

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company