Cybertrust today launched its Extended Validation SSL certificate offering, joining VeriSign and other certificate authorities in supporting the new browser security standard. But some experts are still skeptical that the emerging specification will really hinder serious hackers.
EV SSL, developed by a forum of major certification authorities, is designed to reduce phishing and Website spoofing by allowing legitimate sites to be cleared through a security screening process. If a site is certified via EV SSL, its address will show up in green on newer browsers such as Microsoft's IE Version 7, reassuring the user that the site is safe to surf.
Cybertrust is offering an implementation of EV SSL that automatically extends to IE 7 running on Windows XP, making it possible for users with the most current Windows software to see the green IE toolbar when EV SSL is present, just as they do with SSL's lock-and-key icon.
"Cybertrust EV SSL certificates are one of the biggest improvements in the ability of businesses to create trust online, as users receive confirmation of their identity," says Stijn Bijnens, senior VP for identity management at Cybertrust.
Cybertrust's chief rival, VeriSign, unveiled its EV SSL offering last month, but the IE 7 browser recognition wasn't available yet. VeriSign is expected to announce that capability early next month.
One of the first companies to embrace EV SSL was Overstock.com, a large online retailer, which is using VeriSign's implementation. "When customers see the green browser bar and trusted VeriSign Secured Seal on our site, they can be confident that their online transactions are secure," said Jacob Hawkins, senior vice president of marketing at Overstock.com.
But as retailers and certificate authorities hailed the arrival of EV SSL and IE 7 as a major step toward safer Web surfing, some experts were a bit more dubious. One of the most articulate arguments comes from the blog of Mike Sutton, security evangelist at SPI Dynamics, a Web application security provider.
"Overall, EV SSL certificates are based on the assumption that criminals would not qualify or be willing to apply for the certificates. That second assumption can be written off immediately," Sutton writes. "Given that millions of dollars are available to phishers, criminals are already willing to go to great lengths to further their crimes. If criminals will hire hackers to write custom exploits, they'll certainly try to obtain the certificates if it will help 'business.'"
To qualify for an EV SSL certification, an entity must only provide proof of incorporation and a physical business address, Sutton observes.
"This approach mistakenly assumes that a legal entity is somehow a trustworthy entity. Incorporating a company is not a difficult task. It can be done online for a few hundred dollars and it's a paperwork exercise, not a lie detector test," Sutton writes. "Requiring that only legal entities can obtain EV SSL certificates will only deter small time criminals and it will punish legitimate small businesses that would not qualify to receive them."
In the end, Sutton writes, "the two entities that will benefit from EV SSL certificates are CAs [certificate authorities] and criminals. CAs will make more money, as they now have a more expensive product to sell. At the same time, organized and motivated criminals can now obtain a seal of approval to make their operations appear legitimate. End users, on the other hand, will receive a false sense of security which will lead to further confusion about the security provided by SSL certificates."
Tim Wilson, Site Editor, Dark Reading