Feeds

SSL covers security embarrassments with EV figleaf

Helping you know scammers from Adam

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

Whitepaper SSL has become something of a default 'security' stamp online. So much of a 'default' in fact that Phishers and other scammers now adopt it as a means of validating their scam site. Extended Validation SSL hopes to overcome this problem through stricter application procedures and greater visibility.

The adage ‘buyer beware’ used to be the preserve of second hand car sales and house buying. Then fraudsters started stealing people’s personal details when they went shopping or bank balance checking online. The rotters had started tricking unsuspecting punters into visiting spoof websites in order to nick their PINs and passwords (‘Phishing’). And they have become very good at it, because people still fall for it. Sadly, ‘buyer beware’ became associated with the risk of something nasty happening to your personal details in the online world.

The internet industry attempted to counter the phishing problem by incorporating a security standard called SSL (secure socket layer). However, commercial forces have now all but nullified the identity assurance side of the standard because some certificate authorities (CAs) require very little in the way of identity validation to issue them. Result: you could end up having a secure web session with a fraudster. Brilliant.

The EV (Extended validation) SSL standard introduces much more stringent identity validation steps which a merchant has to go through to become certified. Once on an EV certified site, certain web browsers provide a visual reference (the address bar turns green if you have certain browser settings enabled) to help users more easily identify that they are dealing with a trusted supplier. Simple in principle – but it’s not all as straightforward as it could be.

Why not? Although certificate prices are falling as the new standard takes root, the additional identity assurance processes in place prior to a certificate being granted means more work all round, and ultimately, a higher cost per certificate compared with some current SSL types. A chicken and egg scenario has emerged, with lack of consumer knowledge about the new standard acting as a rate-limiting factor to take-up from online merchants.

It doesn’t help that many merchants already using the standard tend to hide any information about it several layers down on their websites, or that web browser providers have taken aeons to agree on the visual reference. Ultimately perhaps, the buck stops with consumers, who need to start paying more attention. Those who want our cash are legally if not morally obliged to take as much care of us as possible.

But how much are we prepared to leave things open to trust as consumers, or should we be demanding more of our merchants? Yes, this might cost us all a bit more cash, but perhaps we should see this less like a levy and more an insurance policy. After all, it’s us who stand to gain – or indeed lose, should things go wrong.

Download the free whitepaper here. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.