Monday, July 9, 2007

SSL Security the Verisign Way

My analysis of Verisign's FAQ at http://www.verisign.com/ssl/ssl-information-center/faq/extended-validation-ssl-certificates.html#a1 indicates that with an EV certificate, "advanced" browsers will paint the URL bar green.

Since users have been trained to ignore the color of the URL bar, and phishers can probably paint the URL bar any color they want -- this is useless.

Quoting from their FAQ:
With the EV certificate the CA will: Provide a reasonable assurance to the user of an Internet browser that the website the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation, and Registration Number.

In the US this amounts to something like a credit check or D&B report to verify that the applicant for an EV certificate has provided the correct name and address for their entity. Given the 55 million user ids floating around since the TJ Maxx breach, this is not very useful.

Outside the US, Europe and Japan this is pointless. I imagine that if I wanted to form a company named "Cisco LTD" in the Bahamas and register the domain "ciscoltd.com", I could have my copycat site with an EV cert sometime later this week. I could do this in the States too; I'd just take the precaution of paying cash for a PO box at Mail Boxes Etc. first.
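The only thing an EV subject actually carries is the legal-entity identity the FAQ lists: organization name, place of business, jurisdiction of incorporation and registration number. A relying party that wants any value out of that has to compare those fields against the entity it expects, because a look-alike name incorporated elsewhere produces exactly the same green bar. The following Go program is an added illustration, not code from this post or from Verisign: it builds a self-signed certificate whose subject carries the EV attributes (the CA/Browser Forum jurisdiction OIDs 1.3.6.1.4.1.311.60.2.1.2 and .3 and the X.520 businessCategory 2.5.4.15), extracts them again, and reports every field that differs from the expected entity. All entity names, numbers and the "XX" jurisdiction are constructed sample values; the self-signed certificate stands in for a CA-issued EV certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Attribute OIDs for the EV fields that Go's pkix.Name has no named field for.
var (
	oidBusinessCategory     = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionProvince = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 2}
	oidJurisdictionCountry  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// EVIdentity is the legal-entity identity an EV subject asserts: who the
// entity is, where it is incorporated, and its registration number.
type EVIdentity struct {
	Organization         string
	RegistrationNumber   string // subject serialNumber attribute (2.5.4.5)
	BusinessCategory     string
	JurisdictionCountry  string
	JurisdictionProvince string
	Locality             string // place of business
	Country              string
}

func single(s string) []string {
	if s == "" {
		return nil
	}
	return []string{s}
}

func first(v []string) string {
	if len(v) == 0 {
		return ""
	}
	return v[0]
}

// MakeEVStyleCert builds a self-signed certificate whose subject carries the
// EV attributes. It is a constructed stand-in for a CA-issued EV certificate.
func MakeEVStyleCert(id EVIdentity, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{
		CommonName:   dnsName,
		Organization: single(id.Organization),
		SerialNumber: id.RegistrationNumber,
		Locality:     single(id.Locality),
		Country:      single(id.Country),
	}
	for _, attr := range []struct {
		oid asn1.ObjectIdentifier
		val string
	}{
		{oidBusinessCategory, id.BusinessCategory},
		{oidJurisdictionProvince, id.JurisdictionProvince},
		{oidJurisdictionCountry, id.JurisdictionCountry},
	} {
		if attr.val != "" {
			subject.ExtraNames = append(subject.ExtraNames,
				pkix.AttributeTypeAndValue{Type: attr.oid, Value: attr.val})
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ExtractEVIdentity reads the EV identity fields back out of a parsed subject.
func ExtractEVIdentity(cert *x509.Certificate) EVIdentity {
	s := cert.Subject
	id := EVIdentity{
		Organization:       first(s.Organization),
		RegistrationNumber: s.SerialNumber,
		Locality:           first(s.Locality),
		Country:            first(s.Country),
	}
	// Subject.Names holds every parsed attribute, including OIDs Go does not map.
	for _, atv := range s.Names {
		val, ok := atv.Value.(string)
		if !ok {
			continue
		}
		switch {
		case atv.Type.Equal(oidBusinessCategory):
			id.BusinessCategory = val
		case atv.Type.Equal(oidJurisdictionProvince):
			id.JurisdictionProvince = val
		case atv.Type.Equal(oidJurisdictionCountry):
			id.JurisdictionCountry = val
		}
	}
	return id
}

// CompareEntity reports every identity field that differs from the legal
// entity the relying party expects. A look-alike name incorporated in another
// jurisdiction shows up here; it never shows up in the color of the URL bar.
func CompareEntity(got, want EVIdentity) []string {
	var diffs []string
	check := func(field, g, w string) {
		if !strings.EqualFold(strings.TrimSpace(g), strings.TrimSpace(w)) {
			diffs = append(diffs, fmt.Sprintf("%s: certificate says %q, expected %q", field, g, w))
		}
	}
	check("organization", got.Organization, want.Organization)
	check("registration number", got.RegistrationNumber, want.RegistrationNumber)
	check("jurisdiction country", got.JurisdictionCountry, want.JurisdictionCountry)
	check("jurisdiction province", got.JurisdictionProvince, want.JurisdictionProvince)
	return diffs
}

func main() {
	// Constructed sample: the entity a user expects, and a look-alike with a
	// similar name incorporated in a placeholder jurisdiction "XX".
	expected := EVIdentity{Organization: "Example Widgets Inc", RegistrationNumber: "1234567",
		BusinessCategory: "Private Organization", JurisdictionCountry: "US",
		JurisdictionProvince: "Delaware", Locality: "Wilmington", Country: "US"}
	lookalike := expected
	lookalike.Organization = "Example Widgets Ltd"
	lookalike.RegistrationNumber = "999999"
	lookalike.JurisdictionCountry = "XX"
	lookalike.JurisdictionProvince = ""
	cert, err := MakeEVStyleCert(lookalike, "example-widgets.test")
	if err != nil {
		panic(err)
	}
	for _, d := range CompareEntity(ExtractEVIdentity(cert), expected) {
		fmt.Println(d)
	}
}
```

Run as written, the program prints one line each for the organization name, registration number, jurisdiction country and jurisdiction province, which is the information a user would need and the green bar does not surface. In a real deployment the expected entity would come from a pinned record the relying party controls, and the certificate from the TLS handshake rather than from `MakeEVStyleCert`.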

Here is the best part of Verisign's EV Cert procedure, the things they promise they will not do:
EV Certificates focus only on the identity of the Subject named in the Certificate, and not on the behavior of the Subject. As such, an EV Certificate is not intended to provide any assurances, or otherwise represent or warrant:
  • That the Subject named in the EV Certificate is actively engaged in doing business;
  • That the Subject named in the EV Certificate complies with applicable laws;
  • That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings; or
  • That it is “safe” to do business with the Subject named in the EV Certificate.
Let's read that carefully. The EV Certificate is not intended to provide any assurances that it is "safe" to do business with the Subject named in the EV Certificate.

Tell me again why the EV certificate is good for consumers?
