
Browser Certs Can't Force Adherence




Extended Validation certificates, developed by the CA/Browser Forum, are supposed to ensure that an SSL-enabled Web site is a legal entity and communicate that fact to users and, in doing so, help protect them from phishing and fraud.

The CA/Browser Forum is a vendor consortium made up of public CAs, such as Comodo, GoDaddy, RSA and VeriSign, as well as Web browser developers like the KDE Project, Microsoft, the Mozilla Foundation and Opera Software.

The use of digital certificates for SSL in browsers is fundamentally flawed, leading to easy confidence games like phishing and fraud. EV certificates are issued to Web sites after the company has been identified as a legal entity using a set of standardized procedures followed by all participating certificate authorities. Unfortunately, EV certificates don't significantly mitigate the problems with digital CAs and don't address the problem of authoritatively identifying a Web site as legitimate. But if EV certificates gather credibility with users, your organization may be forced into applying for one.

Consumers and enterprises alike are rightly concerned with privacy and security when conducting business on the Internet. Without the familiar setup of the brick-and-mortar world, it's difficult for users to judge the validity of Web sites with which they do business.

Extended Validation certificates, developed by the CA/Browser Forum, are intended to allay some of those concerns by certifying sites that are valid business entities.

The CA/Browser Forum's EV certificate guidelines standardize how certificate applicants are scrutinized and require EV CAs (certificate authorities) to pass a "WebTrust for CA" audit. EV certification is also making its way into the mainstream: the CA/Browser Forum's EV guidelines aren't final, but Microsoft's Internet Explorer 7 already supports EV certificates.

However, because of some basic weaknesses in how digital certificates are used on the Web, EV certificates will do little to improve the strength of SSL, nor will they signify any meaningful trustworthiness of the site presenting the certificate.
