Feeds

SSL covers security embarrassments with EV figleaf

Helping you know scammers from Adam

  • alert
  • submit to reddit

Seven Steps to Software Security

Whitepaper SSL has become something of a default 'security' stamp online. So much of a 'default' in fact that Phishers and other scammers now adopt it as a means of validating their scam site. Extended Validation SSL hopes to overcome this problem through stricter application procedures and greater visibility.

The adage ‘buyer beware’ used to be the preserve of second hand car sales and house buying. Then fraudsters started stealing people’s personal details when they went shopping or bank balance checking online. The rotters had started tricking unsuspecting punters into visiting spoof websites in order to nick their PINs and passwords (‘Phishing’). And they have become very good at it, because people still fall for it. Sadly, ‘buyer beware’ became associated with the risk of something nasty happening to your personal details in the online world.

The internet industry attempted to counter the phishing problem by incorporating a security standard called SSL (secure socket layer). However, commercial forces have now all but nullified the identity assurance side of the standard because some certificate authorities (CAs) require very little in the way of identity validation to issue them. Result: you could end up having a secure web session with a fraudster. Brilliant.

The EV (Extended validation) SSL standard introduces much more stringent identity validation steps which a merchant has to go through to become certified. Once on an EV certified site, certain web browsers provide a visual reference (the address bar turns green if you have certain browser settings enabled) to help users more easily identify that they are dealing with a trusted supplier. Simple in principle – but it’s not all as straightforward as it could be.

Why not? Although certificate prices are falling as the new standard takes root, the additional identity assurance processes in place prior to a certificate being granted means more work all round, and ultimately, a higher cost per certificate compared with some current SSL types. A chicken and egg scenario has emerged, with lack of consumer knowledge about the new standard acting as a rate-limiting factor to take-up from online merchants.

It doesn’t help that many merchants already using the standard tend to hide any information about it several layers down on their websites, or that web browser providers have taken aeons to agree on the visual reference. Ultimately perhaps, the buck stops with consumers, who need to start paying more attention. Those who want our cash are legally if not morally obliged to take as much care of us as possible.

But how much are we prepared to leave things open to trust as consumers, or should we be demanding more of our merchants? Yes, this might cost us all a bit more cash, but perhaps we should see this less like a levy and more an insurance policy. After all, it’s us who stand to gain – or indeed lose, should things go wrong.

Download the free whitepaper here. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.