'Supercerts' Aim to Highlight Legit Web Sites
Over the past couple of years, dozens of companies have rolled out technologies designed to help computer users and companies better spot "phishing" scams -- Web sites that try to trick people into giving away financial and personal data. But what about helping users tell for certain that when their browser says they are at, say, BankofAmerica.com, they really are at the bank's official Web site and not at a scam site?
That's precisely the aim of the CA/Browser Forum, a security effort by the major Web browser makers and the certificate authorities, the companies that sell and issue Web site security certificates.
Today, pretty much any Web site owner can plunk down between $150 and $400 and purchase a secure sockets layer (SSL) certificate, a technology designed not only to encrypt and protect the integrity of data submitted by customers but also to give visitors a modicum of assurance that the site takes their security seriously. By clicking on the little padlock icon that the browser shows for SSL-protected sites, visitors also can read the certificate itself and gain some assurance that its holder is a legitimate company that has been vetted, at least to some degree, by a certificate authority.
The problem is that hardly anyone knows to check the data included in SSL certs, and even for those who do, making sense of it all is probably beyond the grasp of the average computer user. In addition, phishers increasingly are buying SSL certs for their scam sites to make them appear more legitimate. Worse still, the checks that certificate authorities currently do to verify that whoever requests an SSL cert has a legitimate claim to the Web site name listed on it are largely automated and not terribly hard to fool. In February, Security Fix wrote about a phishing scam that had applied for and received an SSL cert for an actual credit union in Utah.
The CA/Browser Forum aims to create a market for a kind of "supercert" known as an "extended validation" SSL certificate. EV SSL certs would cost quite a bit more but in theory would also require more rigorous vetting of the identity and legitimacy of the requesting entity. More importantly, by working with browser makers Microsoft, Mozilla, Opera Software and KDE, the two groups can agree on standardized ways of changing the display of the visitor's browser window to make it more obvious when the user is at the legitimate site of a supercert holder. For example, the browser could turn the address bar green when the user visits what the browser recognizes as the real Bank of America site.
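What the padlock lets a visitor check, and how a browser would decide whether to turn its address bar green, as an added Go example (this is not code from the post or from the CA/Browser Forum): it builds a throwaway CA and three certificates for the same hostname, a domain-only "quickie" cert, one naming a vetted organisation, and one that additionally carries the issuer's EV policy OID, then classifies each from the subject fields and the certificatePolicies extension. The CA name, hostname, organisation and EV OID are constructed for the demo; real browsers key EV recognition on the root of the verified chain and a per-CA list of registered policy OIDs, which the example models with a one-entry map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Added example, not code from the post or the CA/Browser Forum. The CA name, host
// and EV policy OID are constructed; browsers ship a table mapping each trusted
// root to the EV policy OID its CA registered, modelled here by evPolicies.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // RFC 5280 4.2.1.4
	exampleTrustEV         = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}
	evPolicies             = map[string]asn1.ObjectIdentifier{"Example Trust EV Root": exampleTrustEV}
)

type Assurance int

const (
	DomainOnly         Assurance = iota // subject names a host only; nobody vouched for who runs it
	OrgValidated                        // subject carries O and C: the CA checked an organisation
	ExtendedValidation                  // OrgValidated plus a policy OID the browser knows as EV
)

func (a Assurance) String() string {
	return [...]string{"domain-validated", "organisation-validated", "extended-validation"}[a]
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// policyInformation mirrors RFC 5280's PolicyInformation SEQUENCE (qualifiers omitted).
type policyInformation struct{ Policy asn1.ObjectIdentifier }

// certificatePoliciesExt DER-encodes a certificatePolicies extension carrying one OID.
func certificatePoliciesExt(oid asn1.ObjectIdentifier) pkix.Extension {
	return pkix.Extension{Id: oidCertificatePolicies, Value: must(asn1.Marshal([]policyInformation{{Policy: oid}}))}
}

// Classify answers: who is named in the subject, and did a recognised issuer assert EV?
// A browser keys the EV lookup on the verified chain's root; here the root signs the leaf.
func Classify(leaf *x509.Certificate) Assurance {
	if len(leaf.Subject.Organization) == 0 || len(leaf.Subject.Country) == 0 {
		return DomainOnly // a "quickie" cert: CN/SAN only, no organisation named
	}
	if want, ok := evPolicies[leaf.Issuer.CommonName]; ok {
		for _, oid := range leaf.PolicyIdentifiers { // parsed from certificatePolicies
			if oid.Equal(want) {
				return ExtendedValidation
			}
		}
	}
	return OrgValidated
}

// issue generates a fresh P-256 key, signs template under parent (self-signed when signer is nil) and parses it back.
func issue(template, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		signer = key
	}
	der := must(x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Demo issues three certs for one host from a constructed CA and returns their
// classifications: [domain-validated organisation-validated extended-validation].
func Demo() []Assurance {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trust EV Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey := issue(caTmpl, caTmpl, nil)
	leaf := func(serial int64, subject pkix.Name, ext ...pkix.Extension) *x509.Certificate {
		c, _ := issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: subject, DNSNames: []string{"www.bank.example"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtraExtensions: ext,
		}, ca, caKey)
		return c
	}
	org := pkix.Name{CommonName: "www.bank.example", Organization: []string{"Example Bank"}, Country: []string{"US"}}
	return []Assurance{
		Classify(leaf(2, pkix.Name{CommonName: "www.bank.example"})),    // the cheap cert
		Classify(leaf(3, org)),                                           // organisation vetted
		Classify(leaf(4, org, certificatePoliciesExt(exampleTrustEV))), // EV policy asserted
	}
}

func main() { fmt.Println(Demo()) }
```

Running it prints the three assurance levels in order. In a real client, chain verification (`leaf.Verify` against the trusted roots, with the expected hostname) must precede the EV lookup, because an EV policy OID in a certificate that does not chain to the matching root means nothing; the example keys the lookup on the issuer only because the constructed root signs the leaf directly.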
Bruce Schneier, a cryptography expert and chief technology officer for Counterpane Internet Security, applauded the goals of the CA/Browser Forum, calling the current SSL cert validation process "laughable."
"It's a serious problem that people on the 'Net don't know the difference between a real Web site and a clever fake," Schneier said. "I think laying this infrastructure could be useful along with other things in the browser to make it more obvious," when users are at a legitimate site, he said. "This is a big problem, and this is a piece of the solution, not the solution by itself."
By Brian Krebs | November 8, 2006; 3:02 PM ET
Fraud, Misc.
After years of selling snake oil, the CAs suddenly admit their product is nearly useless. Their solution? To sell another product, for more money, that purports to do what certs were supposed to do in the first place.
The fact that people can easily get fraudulent certificates is evidence of the incompetence of the certificate authorities.
While the goal may sound reasonable, the solution just ends up making these ineffective, unscrupulous CAs more money.
There must be another way.
DA
Posted by: da | November 8, 2006 3:37 PM
The Certificate Authorities have to be sitting back and having a good laugh about now.
Now that they have completely fubar'ed SSL certificate issuance so badly, so much so that SSL certs with different trust levels are indistinguishable in the browser, we have to invent a "new" system of issuing trusted SSL certificates, to put back the trust that was there to begin with.
Having been involved with SSL and SSL certs since "the beginning", SSL certs, if they had been issued properly, would have completely eliminated most phishing today.
I remember when RSA (aka VeriSign) had only 1 (one) SSL certificate trust level. Yes, it cost a lot of money, and took as long as a week to get, but you were actually able to trust it!! You knew when the browser validated the cert that it was a real company that properly owned that domain, because VeriSign did all the checks and balances.
Then, somewhere along the way, the CAs totally destroyed the system by issuing SSL certs with different trust levels (i.e. quickie certs that don't even guarantee the cert holder owns the domain name), leaving the browser with no way to distinguish these different SSL certs.
So, now the CAs that broke the system are going to make even more money fixing it, pointing fingers at everyone but themselves as the root ;) of the problem.
Posted by: HA-Ha | November 8, 2006 5:36 PM
The problem with the current SSL certs is that they have had to serve 2 purposes - 1) Secure communications 2) Verify identity of the remote site.
The marketplace has forced the current situation because 75% of the SSL applications only need #1 to prevent wire sniffing. 99.999% of users never look at the Cert to try to validate it.
Posted by: Webbie | November 8, 2006 6:38 PM
The CAs have in the past been lax in imposing appropriate checks. Nonetheless, it is better than nothing, but most people don't know, even in the case of Fx, that the yellow bar means secure. The real problem is not that the site doesn't tell you it is safe, it is that people don't know to ask. Therefore, an apparent BofA site that looks the same will work on a significant part of the pop. SSL trust levels aren't even an issue for them, because they just don't know it is important.
I use spoofstick and siteadvisor as independent checks, but again, I have to do extra work (check the readouts). Only if browsers can somehow automatically determine and flag (say, make the screen red if they see a problem) will this work any better than SSL.
Posted by: DBH | November 9, 2006 9:55 AM
Your cert prices are off by an order of magnitude. You can get a cheap cert for twenty bucks.
Posted by: dveditz | November 9, 2006 5:17 PM
dveditz - the $20 SSL you quote is the cause of the problem. Some vendors, like GeoTrust and others, stopped doing checks on the corporate information .. and issued non-validated certificates which were indistinguishable in the current browsers from properly validated certificates. With this project you get consistent validation as well as improved display of the certificate information (i.e. the owner of the website) in the browser.
Posted by: Port 443 | November 10, 2006 7:04 AM
By and large most CAs do check the business identity of online businesses requesting SSLs. The reason these new certs are needed is because lack of standards in the GUI display allowed a few CAs to issue non-vetted SSL. And because of these certs - phishing spiked! It is good that CAs are self policing to rid the market of those cheap (yes $20) non-vetted certs. They are useless to establish trust, which is the point of SSLs anyway. After all, what's the point of encrypting if you don't know the identity (or legitimacy) of who you are encrypting with? These new certs close that loophole that a few CAs exploited. And that's good for everyone!
Posted by: ruchi | November 10, 2006 8:44 AM