Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Cybertrust Enters EV SSL Fray

Experts question whether new browser security will make Internet users any safer

Cybertrust today launched its Extended Validation SSL certificate offering, joining VeriSign and other certificate authorities in supporting the new browser security standard. But some experts are still skeptical that the emerging specification will really hinder serious hackers.

EV SSL, developed by a forum of major certification authorities, is designed to reduce phishing and Website spoofing by allowing legitimate sites to be cleared through a security screening process. If a site is certified via EV SSL, its address will show up in green on newer browsers such as Microsoft's IE Version 7, reassuring the user that the site is safe to surf.

Cybertrust is offering an implementation of EV SSL that automatically extends to IE 7 running on Windows XP, making it possible for users with the most current Windows software to see the green IE toolbar when EV SSL is present, just as they do with SSL's lock-and-key icon.

"Cybertrust EV SSL certificates are one of the biggest improvements in the ability of businesses to create trust online, as users receive confirmation of their identity," says Stijn Bijnens, senior VP for identity management at Cybertrust.

Cybertrust's chief rival, VeriSign, unveiled its EV SSL offering last month, but the IE 7 browser recognition wasn't available yet. VeriSign is expected to announce that capability early next month.

One of the first companies to embrace EV SSL was Overstock.com, a large online retailer, which is using VeriSign's implementation. "When customers see the green browser bar and trusted VeriSign Secured Seal on our site, they can be confident that their online transactions are secure," said Jacob Hawkins, senior vice president of marketing at Overstock.com.

But as retailers and certificate authorities hailed the arrival of EV SSL and IE 7 as a major step toward safer Web surfing, some experts were a bit more dubious. One of the most articulate arguments comes from the blog of Mike Sutton, security evangelist at SPI Dynamics, a Web application security provider.

"Overall, EV SSL certificates are based on the assumption that criminals would not qualify or be willing to apply for the certificates. That second assumption can be written off immediately," Sutton writes. "Given that millions of dollars are available to phishers, criminals are already willing to go to great lengths to further their crimes. If criminals will hire hackers to write custom exploits, they'll certainly try to obtain the certificates if it will help 'business.'"

To qualify for an EV SSL certification, an entity must only provide proof of incorporation and a physical business address, Sutton observes.

"This approach mistakenly assumes that a legal entity is somehow a trustworthy entity. Incorporating a company is not a difficult task. It can be done online for a few hundred dollars and it's a paperwork exercise, not a lie detector test," Sutton writes. "Requiring that only legal entities can obtain EV SSL certificates will only deter small time criminals and it will punish legitimate small businesses that would not qualify to receive them."

In the end, Sutton writes, "the two entities that will benefit from EV SSL certificates are CAs [certificate authorities] and criminals. CAs will make more money, as they now have a more expensive product to sell. At the same time, organized and motivated criminals can now obtain a seal of approval to make their operations appear legitimate. End users, on the other hand, will receive a false sense of security which will lead to further confusion about the security provided by SSL certificates."

— Tim Wilson, Site Editor, Dark Reading

  • Cybertrust
  • VeriSign Inc. (Nasdaq: VRSN) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 7/6/2020
    Ripple20 Threatens Increasingly Connected Medical Devices
    Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
    DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
    Dark Reading Staff 6/30/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-07-07
    NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.
    PUBLISHED: 2020-07-07
    "HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."
    PUBLISHED: 2020-07-07
    "HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."
    PUBLISHED: 2020-07-07
    NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter.
    PUBLISHED: 2020-07-07
    An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Cameralyzer allows attackers to write files to the SD card. The Samsung ID is SVE-2020-16830 (July 2020).