As noted in The Register, Verisign teams up with Microsoft to enhance the user experience of Internet Explorer 7 when browsing SSL-protected sites. Verisign will sell High Assurance certificates to sites that pass a more stringent identity verification than is currently the norm. When it encounters such a certificate, IE 7 will turn the address bar green in addition to displaying the usual padlock. A Phishing Filter (Philter?) turns the address bar red when the user accesses a known phishing site.
While I hope that they include enough visual cues for the red/green colorblind among us, I don’t dislike this idea. Is it a scam? Not necessarily. Details about what a High Assurance or Extended Validation certificate actually comprises are scarce, but it’ll probably take the form of a certificate attribute that Verisign will set on these mo’ expensive, mo’ better certificates. Such an attribute can be set by any CA, parsed by any browser and can be ignored by the enormous installed base of credit card wielding, revenue generating users of older browsers. Whether or not a company drinks the Microsoft/Verisign Kool-aid, they hopefully won’t stand for breaking backwards compatibility. On the other side, it’s the responsibility of the Certificate Authorities to only set this attribute on their mo’ better certificates, for which they in turn can charge mo’ money.
This whole thing ties into a new concept of Trust. The situation is not black and white anymore. Trust is the new green. Or yellow, or red. You can get a cheap certificate by proving that you can ping an e-mail back and forth to the CA. This shows them that you have access to e-mail on the domain, which is good enough for them as an (automated) identity verification. Whether said domain is practically undistinguishable from that of an actual business falls outside this check. One would dearly hope that applicants for a High Assurance certificate undergo more scrutiny than that.
Earlier this month at ApacheCon, I attended a very interesting talk by Lisa Dusseault about Federated Identities. As she talked about rate-limiting the creation of centrally verified identities to thwart spammers, she came up with the Fifty Dollar identity. The knowledge that the party you are talking to has a non-trivial sum of money behind their identity record might positively affect the trust you place in that identity. I see much the same happen with this new server-side certificate paradigm: cheap normal certificates you trust a little, and mo’ Green mo’ better certificates you might trust more. So far, browsers have not given us any idea about the quality of a site’s certificate. It’s either trusted, or the browser puts up a slew of scary dialogs. The red/green address bar might bring some nuance to this concept and put a more human face on the concept of the identity of a web site.
Pingback: Microsoft / Verisign SSL Scam at InfoSecPodcast - Your Information Security source.