Feeds

SSL covers security embarrassments with EV figleaf

Helping you know scammers from Adam

  • alert
  • submit to reddit

Reducing security risks from open source software

Whitepaper SSL has become something of a default 'security' stamp online. So much of a 'default' in fact that Phishers and other scammers now adopt it as a means of validating their scam site. Extended Validation SSL hopes to overcome this problem through stricter application procedures and greater visibility.

The adage ‘buyer beware’ used to be the preserve of second hand car sales and house buying. Then fraudsters started stealing people’s personal details when they went shopping or bank balance checking online. The rotters had started tricking unsuspecting punters into visiting spoof websites in order to nick their PINs and passwords (‘Phishing’). And they have become very good at it, because people still fall for it. Sadly, ‘buyer beware’ became associated with the risk of something nasty happening to your personal details in the online world.

The internet industry attempted to counter the phishing problem by incorporating a security standard called SSL (secure socket layer). However, commercial forces have now all but nullified the identity assurance side of the standard because some certificate authorities (CAs) require very little in the way of identity validation to issue them. Result: you could end up having a secure web session with a fraudster. Brilliant.

The EV (Extended validation) SSL standard introduces much more stringent identity validation steps which a merchant has to go through to become certified. Once on an EV certified site, certain web browsers provide a visual reference (the address bar turns green if you have certain browser settings enabled) to help users more easily identify that they are dealing with a trusted supplier. Simple in principle – but it’s not all as straightforward as it could be.

Why not? Although certificate prices are falling as the new standard takes root, the additional identity assurance processes in place prior to a certificate being granted means more work all round, and ultimately, a higher cost per certificate compared with some current SSL types. A chicken and egg scenario has emerged, with lack of consumer knowledge about the new standard acting as a rate-limiting factor to take-up from online merchants.

It doesn’t help that many merchants already using the standard tend to hide any information about it several layers down on their websites, or that web browser providers have taken aeons to agree on the visual reference. Ultimately perhaps, the buck stops with consumers, who need to start paying more attention. Those who want our cash are legally if not morally obliged to take as much care of us as possible.

But how much are we prepared to leave things open to trust as consumers, or should we be demanding more of our merchants? Yes, this might cost us all a bit more cash, but perhaps we should see this less like a levy and more an insurance policy. After all, it’s us who stand to gain – or indeed lose, should things go wrong.

Download the free whitepaper here. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.