Feeds

SSL covers security embarrassments with EV figleaf

Helping you know scammers from Adam

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Whitepaper SSL has become something of a default 'security' stamp online. So much of a 'default' in fact that Phishers and other scammers now adopt it as a means of validating their scam site. Extended Validation SSL hopes to overcome this problem through stricter application procedures and greater visibility.

The adage ‘buyer beware’ used to be the preserve of second hand car sales and house buying. Then fraudsters started stealing people’s personal details when they went shopping or bank balance checking online. The rotters had started tricking unsuspecting punters into visiting spoof websites in order to nick their PINs and passwords (‘Phishing’). And they have become very good at it, because people still fall for it. Sadly, ‘buyer beware’ became associated with the risk of something nasty happening to your personal details in the online world.

The internet industry attempted to counter the phishing problem by incorporating a security standard called SSL (secure socket layer). However, commercial forces have now all but nullified the identity assurance side of the standard because some certificate authorities (CAs) require very little in the way of identity validation to issue them. Result: you could end up having a secure web session with a fraudster. Brilliant.

The EV (Extended validation) SSL standard introduces much more stringent identity validation steps which a merchant has to go through to become certified. Once on an EV certified site, certain web browsers provide a visual reference (the address bar turns green if you have certain browser settings enabled) to help users more easily identify that they are dealing with a trusted supplier. Simple in principle – but it’s not all as straightforward as it could be.

Why not? Although certificate prices are falling as the new standard takes root, the additional identity assurance processes in place prior to a certificate being granted means more work all round, and ultimately, a higher cost per certificate compared with some current SSL types. A chicken and egg scenario has emerged, with lack of consumer knowledge about the new standard acting as a rate-limiting factor to take-up from online merchants.

It doesn’t help that many merchants already using the standard tend to hide any information about it several layers down on their websites, or that web browser providers have taken aeons to agree on the visual reference. Ultimately perhaps, the buck stops with consumers, who need to start paying more attention. Those who want our cash are legally if not morally obliged to take as much care of us as possible.

But how much are we prepared to leave things open to trust as consumers, or should we be demanding more of our merchants? Yes, this might cost us all a bit more cash, but perhaps we should see this less like a levy and more an insurance policy. After all, it’s us who stand to gain – or indeed lose, should things go wrong.

Download the free whitepaper here. ®

Security for virtualized datacentres

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.