Feeds

SSL covers security embarrassments with EV figleaf

Helping you know scammers from Adam

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Whitepaper SSL has become something of a default 'security' stamp online. So much of a 'default' in fact that Phishers and other scammers now adopt it as a means of validating their scam site. Extended Validation SSL hopes to overcome this problem through stricter application procedures and greater visibility.

The adage ‘buyer beware’ used to be the preserve of second hand car sales and house buying. Then fraudsters started stealing people’s personal details when they went shopping or bank balance checking online. The rotters had started tricking unsuspecting punters into visiting spoof websites in order to nick their PINs and passwords (‘Phishing’). And they have become very good at it, because people still fall for it. Sadly, ‘buyer beware’ became associated with the risk of something nasty happening to your personal details in the online world.

The internet industry attempted to counter the phishing problem by incorporating a security standard called SSL (secure socket layer). However, commercial forces have now all but nullified the identity assurance side of the standard because some certificate authorities (CAs) require very little in the way of identity validation to issue them. Result: you could end up having a secure web session with a fraudster. Brilliant.

The EV (Extended validation) SSL standard introduces much more stringent identity validation steps which a merchant has to go through to become certified. Once on an EV certified site, certain web browsers provide a visual reference (the address bar turns green if you have certain browser settings enabled) to help users more easily identify that they are dealing with a trusted supplier. Simple in principle – but it’s not all as straightforward as it could be.

Why not? Although certificate prices are falling as the new standard takes root, the additional identity assurance processes in place prior to a certificate being granted means more work all round, and ultimately, a higher cost per certificate compared with some current SSL types. A chicken and egg scenario has emerged, with lack of consumer knowledge about the new standard acting as a rate-limiting factor to take-up from online merchants.

It doesn’t help that many merchants already using the standard tend to hide any information about it several layers down on their websites, or that web browser providers have taken aeons to agree on the visual reference. Ultimately perhaps, the buck stops with consumers, who need to start paying more attention. Those who want our cash are legally if not morally obliged to take as much care of us as possible.

But how much are we prepared to leave things open to trust as consumers, or should we be demanding more of our merchants? Yes, this might cost us all a bit more cash, but perhaps we should see this less like a levy and more an insurance policy. After all, it’s us who stand to gain – or indeed lose, should things go wrong.

Download the free whitepaper here. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.