Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

Cybertrust Enters EV SSL Fray

Experts question whether new browser security will make Internet users any safer

Cybertrust today launched its Extended Validation SSL certificate offering, joining VeriSign and other certificate authorities in supporting the new browser security standard. But some experts are still skeptical that the emerging specification will really hinder serious hackers.

EV SSL, developed by a forum of major certification authorities, is designed to reduce phishing and Website spoofing by allowing legitimate sites to be cleared through a security screening process. If a site is certified via EV SSL, its address will show up in green on newer browsers such as Microsoft's IE Version 7, reassuring the user that the site is safe to surf.

Cybertrust is offering an implementation of EV SSL that automatically extends to IE 7 running on Windows XP, making it possible for users with the most current Windows software to see the green IE toolbar when EV SSL is present, just as they do with SSL's lock-and-key icon.

"Cybertrust EV SSL certificates are one of the biggest improvements in the ability of businesses to create trust online, as users receive confirmation of their identity," says Stijn Bijnens, senior VP for identity management at Cybertrust.

Cybertrust's chief rival, VeriSign, unveiled its EV SSL offering last month, but the IE 7 browser recognition wasn't available yet. VeriSign is expected to announce that capability early next month.

One of the first companies to embrace EV SSL was Overstock.com, a large online retailer, which is using VeriSign's implementation. "When customers see the green browser bar and trusted VeriSign Secured Seal on our site, they can be confident that their online transactions are secure," said Jacob Hawkins, senior vice president of marketing at Overstock.com.

But as retailers and certificate authorities hailed the arrival of EV SSL and IE 7 as a major step toward safer Web surfing, some experts were a bit more dubious. One of the most articulate arguments comes from the blog of Mike Sutton, security evangelist at SPI Dynamics, a Web application security provider.

"Overall, EV SSL certificates are based on the assumption that criminals would not qualify or be willing to apply for the certificates. That second assumption can be written off immediately," Sutton writes. "Given that millions of dollars are available to phishers, criminals are already willing to go to great lengths to further their crimes. If criminals will hire hackers to write custom exploits, they'll certainly try to obtain the certificates if it will help 'business.'"

To qualify for an EV SSL certification, an entity must only provide proof of incorporation and a physical business address, Sutton observes.

"This approach mistakenly assumes that a legal entity is somehow a trustworthy entity. Incorporating a company is not a difficult task. It can be done online for a few hundred dollars and it's a paperwork exercise, not a lie detector test," Sutton writes. "Requiring that only legal entities can obtain EV SSL certificates will only deter small time criminals and it will punish legitimate small businesses that would not qualify to receive them."

In the end, Sutton writes, "the two entities that will benefit from EV SSL certificates are CAs [certificate authorities] and criminals. CAs will make more money, as they now have a more expensive product to sell. At the same time, organized and motivated criminals can now obtain a seal of approval to make their operations appear legitimate. End users, on the other hand, will receive a false sense of security which will lead to further confusion about the security provided by SSL certificates."

— Tim Wilson, Site Editor, Dark Reading

  • Cybertrust
  • VeriSign Inc. (Nasdaq: VRSN) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Data Leak Week: Billions of Sensitive Files Exposed Online
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
    Intel Issues Fix for 'Plundervolt' SGX Flaw
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    The Year in Security: 2019
    This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-5252
    PUBLISHED: 2019-12-14
    There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
    CVE-2019-5235
    PUBLISHED: 2019-12-14
    Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
    CVE-2019-5264
    PUBLISHED: 2019-12-13
    There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
    CVE-2019-5277
    PUBLISHED: 2019-12-13
    Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
    CVE-2019-5254
    PUBLISHED: 2019-12-13
    Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...