...online banking technology to more than 100 banks, including Wachovia, JP Morgan Chase and Capitol One. Right now, people have to click on the padlock to get more information about who the certificate belongs to.
Global financial institutions lost at least $400m in 2004 due to phishing schemes, according to Financial Insights, part of analyst company IDC. Online threats have also instilled fear in consumers. Nearly half of US voters in a survey said fear of identity theft was keeping them from conducting business online, the Cyber Security Industry Alliance reported in June.
Browsers are part of the certification problem. Certificates are regarded as equal by the applications, irrespective of the credentials and practices of the certification authority. All sites with an SSL certificate get the same padlock display.
"Web browsers have not been able to deal with the different kinds of certificates, which meant that it did not matter how strong the verification was by the certification authority, and some took advantage of that," Gartner analyst John Pescatore said.
When the padlock was first invented by Netscape in the early days of the Web, it stood for a secured connection with an identified Web site. That changed when some certification authorities started lowering their verification standards and discounting certificates, said Judy Shapiro, vice president of marketing at Comodo.
"Browsers did an end-run around this. Nobody expected anyone to delete what was a key part of the certificate issuance process, which was the business verification," she said. "Browsers were unprepared to display high assurance and low assurance certificates in a different way."
But that is set to change next year, with Microsoft planning to release Internet Explorer 7 and makers of other Web browsers also contemplating changes in the way their applications handle SSL certificates.
The move by browser makers is partly why certification authorities such as VeriSign, Comodo, GeoTrust and Cybertrust are banding together in the CA Forum to come up with an industry wide agreement on a new, highly verified certificate. The group has met informally to work on standard guidelines for issuing such certificates three times this year, in New York, Boston and Montreal, representatives from member companies said.
"The certification authorities and browser vendors are coming together to identify what a high-assurance certificate should do," said Spiros Theodossiou, a product manager at VeriSign, the largest certificate authority. "We're trying to define a standard so that consumers can know that the Web site that they are on actually belongs to that organisation."
Such a standard is lacking right now, and certificate vendors each have varying rules. For example, to get a certificate that carries the VeriSign name, an applicant must prove it is a registered business and that it has a right to use a specific Internet domain. VeriSign also verifies if the employee buying the certificate is allowed to do so. Digital certificate provider GeoTrust, uses an automated verification system, and VeriSign's Thawte unit offers certificates that only require a confirmation via email.
The high-assurance certificates will go beyond what certificates do today, said Chris Bailey, the chief technology officer at GeoTrust. "They strongly bind the domain name of a Web site to an organisation. They also strongly confirm the authority of a requestor to act on behalf of an organisation, and they confirm that the business is real," he said.
The certificate authorities are working to make the vetting process for the new high-assurance certificates objective and consistent across...
For more, click here...
Talkback
This is ridiculous. Certificate Authorities are just looking to supplement an already lucrative business model which uses a flawed methodology.
The problem, when you add crypto to any computer security problem, is that the crypto works - shifting the failure point to the users. That is why "phishing" is the problem, and not cracking.
Users do not understand, by and large, what the padlock means and why. using different colors will not change that. All the CAs are doing is spinning the fact that their service methods DON'T WORK as evidence that they need to do it MORE, so they can justify charging more money.
All web site operators really need is a way to encrypt transactions without the browser complaining to the end user. Third parties can vouch "yup, you're YOU" all day long, using the strongest mathematics in the world - but if you're a crook, you're a crook, and there's NO WAY anybody's going to find out until the damage is done.
In much the same way antivirus vendors have a conflict of interest with virus writers, commercial CAs have a conflict of interest with phishers. Spending more money on verifying identity and telling users that it's actually trustworthiness is not the answer - it's the REAL crime.
Improving padlocks is no answer at all, the key problem always has been and always will be fundamentally flawed procedures and software. Flaws in procedures are apparent at all levels, and the majority of software that users have has more holes than a garden seive.
This new development strikes me as simply another money grabbing exercise.