The yellow security padlock in Web browsers, weakened by lax
standards and loose supervision, will get reinforced next year with tougher requirements and browser updates.The browser icon was designed to show that traffic with a Web site is encrypted and that a third party, called a certification authority, has identified the site and vouches for its validity. But in recent years, standards of verification have slipped, undermining the sense of security implied by the padlock.
To solve that problem, a group of companies that issue the SSL certificates are working with major Web browser makers to develop a new type of "high-assurance" certificate. The informal organisation, dubbed the CA Forum, has held three unpublicised meetings this year and plans to meet again next year, representatives from the companies involved told ZDNet UK's sister site CNET News.com.
"We as an industry must look into trust threats," said Melih Abdulhayoglu, chief executive of Comodo, a certification authority based in New Jersey, that set up the first CA Forum meeting. "You want the padlock to be meaningful. At the moment the value is confused because some providers issue certificates willy-nilly."
The planned new security certificates, allied to Web browser changes, are meant to help rebuild trust in the Web and fight phishing in particular.
The lock icon was designed to assure consumers that online transactions, such as banking and shopping, are protected. As such, it's key to Web commerce, a big business — Forrester Research predicts online retail sales in the US will grow from $172bn (£97bn) this year to $329bn (£186bn) in 2010.
The issue has become more urgent with the advent of phishing scams, which use phony Web sites to trick unsuspecting victims into giving up sensitive information. Some phishers have used valid certificates to give their fraudulent sites a sense of legitimacy with a padlock icon.
"The level of identification that certification authorities do today is subject to somewhat broad standards," said Rob Franco, lead program manager for IE security at Microsoft. "In a world where users get phished and sites try to misrepresent themselves, I think it is important to have a new standard with more identity backing."
Significance of the padlock
Today's SSL certificates contain an encryption key, which the
certification authority attests belongs to the organisation noted in
the certificate. Its task is to verify an applicant's credentials, so
that Web site users can trust the information in the certificates.
Initially, all certificate providers performed thorough checks of applicants before they issued a security certificate for a Web site. Several years ago, however, some providers relaxed their background checks in order to offer cheaper certificates, and the rest of the market followed, industry members said. Some companies will supply a certificate based on little more than a valid email address, for example.
"The problem with a basic certificate is that the level of screening is too low, and the validation method at the browser is not easy enough for average user," said Jim Maloney, chief security officer at Corillian, which provides...
For more, click here...
Talkback
This is ridiculous. Certificate Authorities are just looking to supplement an already lucrative business model which uses a flawed methodology.
The problem, when you add crypto to any computer security problem, is that the crypto works - shifting the failure point to the users. That is why "phishing" is the problem, and not cracking.
Users do not understand, by and large, what the padlock means and why. using different colors will not change that. All the CAs are doing is spinning the fact that their service methods DON'T WORK as evidence that they need to do it MORE, so they can justify charging more money.
All web site operators really need is a way to encrypt transactions without the browser complaining to the end user. Third parties can vouch "yup, you're YOU" all day long, using the strongest mathematics in the world - but if you're a crook, you're a crook, and there's NO WAY anybody's going to find out until the damage is done.
In much the same way antivirus vendors have a conflict of interest with virus writers, commercial CAs have a conflict of interest with phishers. Spending more money on verifying identity and telling users that it's actually trustworthiness is not the answer - it's the REAL crime.
Improving padlocks is no answer at all, the key problem always has been and always will be fundamentally flawed procedures and software. Flaws in procedures are apparent at all levels, and the majority of software that users have has more holes than a garden seive.
This new development strikes me as simply another money grabbing exercise.