Tim Callan's SSL Blog

Mozilla Corporation member Deb Richardson gives us this thorough tour of the new trust indicators in Firefox 3. Apparently Firefox will have a five-tiered color scheme, which goes (in decreasing order of trust):

Green - EV SSL Certificate. Complete idenity known, both domain and organization.
Blue - SSL Certificate. Partial identity know. Domain only.
Gray - no information.
Yellow - invalid certificate. Deb's example includes a self-signed certificate.
Red - phishing site.

The careful observer will notice that this scheme is very similar to (though not identical to) IE7's four-tier system of green, "clear" (white), yellow, and red. The meanings of yellow and red are subtly different. In IE7 certificate errors also earn red status, and yellow is reserved for "suspicious" sites. The meanings of green and clear/gray are identical in both browsers.

The seasoned Firefox user may also wonder with yellow becoming an indicator of untrustworthiness, what's happening to the old "gold" color that indicated an SSL session in earlier versions of Firefox. Although I still see gold in the beta I'm running on my desktop (beta 5), I have heard that the "gold" convention will be going away by the time Firefox goes GA.

Posted by Tim at 09:30 AM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

If you're going to AOTA (Authentication and Online Trust Alliance) Summit 2008, be sure to come by and see my panel. You'll never guess the topic. It's Extended Validation SSL! Who would have guessed?

The panel also contains PayPal CISO Michael Barrett (who recently stirred up the Mac community by advising PayPal users not to use Safari due to its lack of anti-phishing measures) and Tom Donlea, executive director of the Merchant Risk Council.

AOTA Summit is a great event. I had to miss it last year, and I'm very excited to be able to get there this year.

Posted by Tim at 02:51 PM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

Okay, you've seen me write about the Cart Whisperer. I already told you about the video introducing the Cart Whisperer and Liberty Fillmore's theory on the evolution of the shopping cart. The third Cart Whisperer video is out as well, sharing more of Liberty Fillmore's home-grown philosophy on abandoned shopping carts.

Now, using no budget and a whole lot of cleverness, my compatriots in VeriSign's VIP (VeriSign Identity Protection) business have created a wonderful video about George and how George uses authentication credentials to remain safe online. It's very entertaining and well worth watching.

Posted by Tim at 11:33 AM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

Beta 2 of Opera 9.5 contains support for Extended Validation SSL.

Posted by Tim at 11:27 AM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

SSL Blog readers are aware that HSBC has deployed EV SSL on its first direct site. Now this new press release details the bank's plans to roll out EV SSL to all its online banking customers.

Barry Jones, Senior Manager of Group IT Security at HSBC is quoted to say,

As e-criminals grow more sophisticated, financial services leaders like HSBC must always remain a step ahead to ensure the security and trust of our customers. Deploying VeriSign Extended Validation SSL Certificates will allow us to send an instantly recognizable signal - the reassuring green bar - to our online banking customers, confirming that any personal information they supply on that page will go directly to HSBC and no one else. In the often unsettling landscape of today's Internet, VeriSign EV SSL protection helps us provide a safe haven for our customers.

Posted by Tim at 02:19 PM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

PayPal CISO Michael Barrett, who stirred up a lot of talk recently by advising his customers not to use the Safari browser, has published a white paper on PayPal's comprehensive approach to combatting phishing.

This white paper discusses mutli-factor authentication credentials and contains a whole section on Extended Validation SSL. The paper defines unsafe browsers as "those browsers which do not have support for blocking phishing sites or for Extended Validation Certificates," and goes on to say, "In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts."

The paper adds,

At PayPal, we are in the process of re-implementing controls which will first warn our customers when logging in to PayPal from those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe - usually the oldest - browsers.

There has been speculation in the press about which browsers PayPal intends to block, especially Safari. I'll try to keep an eye on it, and as things develop, I'll let you know what I see.

Posted by Tim at 10:13 AM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

I'm here at Net.Finance in Scottsdale, Arizona. Yesterday I had my roundtable session, which had healthy attendance from business leaders in the banking and finance sectors. It was a rotating, two-hour session, so I found myself in a series of short conversations about Extended Validation SSL. There were a few questions which came up repeatedly. Since those appear to be of more general interest, I'll list some of them here with my reponses.

Read the full content »

Posted by Tim at 09:51 AM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

SSL Blog readers will know that I believe the presence of the VeriSign Secured Seal causes site visitors to be more likely to complete transactions. The idea appeals to my reason. Extensive research indicates that consumers are afraid of online security and that they opt out of transactions in response. The VeriSign Secured Seal is widely recognized as an indicator of premium security on a site. Therefore it follows that site visitors will be less reluctant to proceed when the VeriSign Secured Seal is present.

It's also supported by anecdotal evidence. I can't count the number of people who have told me that they like to see the seal on a site before they put in confidential information. Nor the number of site owners who have told me that they believe their own customers expect to see the seal and reward them for including it.

However, in terms of hard measured results, I have only had a single data point to go in. As you may know, European online travel giant Opodo compared sales with and without the VeriSign Secured Seal present and found a 10% uplift in sales. 10% is a lot of sales, and that's an eye-opening statistic. It's also the only statistic we had.

Until now.

We recently discovered that online retailer VirtualSheetMusic.com has measured the results of both the VeriSign Secured Seal and Extended Validation SSL on its site traffic. The results are astounding. VirtualSheetMusic.com does exactly what its name implies. It is an online store that allows you to select and download classical sheet music. In an A/B split test, VirtualSheetMusic compared purchasing behaviors among its customer base where the only difference was that one set of customers saw the VeriSign Secured Seal and the other set did not. The online retailer saw a 31% increase in sales where the seal was displayed over where it was not. VirtualSheetMusic then went on to measure the effect of EV on site visitors using compatible browsers, and the company found a 13% increase due to that improvement as well.

Said president and founder Fabrizio Ferrari, "VeriSign is the leader, the best known name in transaction security and Web site authenticity. I don't know why everyone doesn't use VeriSign."

Here is a full write up of VirtualSheetMusic.com and its results with the VeriSign Secured Seal and EV SSL. Here is our recent press release on the same topic.

Posted by Tim at 07:21 PM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

A few days ago I told you that VeriSign had been nominated in SC Magazine's Best Security Company category. Well, the awards were announced last night, and VeriSign won.

Editor Illena Armstrong has this to say, "VeriSign represents one of the industry's leading lights. Moving into 2008, our judges recognize that companies such as VeriSign are helping them meet evolving security challenges."

Posted by Tim at 04:36 PM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

If you're going to the Net.Finance show this year in Scottsdale from April 14 to 17, make sure you visit our booth. I will be leading a round table event on Monday called Maximizing Online Transactions through Trust Indicators. Over 70 attendees have signed up to participate. If you're going to Net.Finance, make sure you come by my table, or send me an e-mail and we can arrange a meeting.

Posted by Tim at 07:50 AM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

Ordinarily I write about SSL, but today I want to hit one an adjacent technology space that VeriSign is in, identity authentication credentials. Today VeriSign announced that it would give away up to 5000 free credentials each to new organizations that join the VIP network.

VIP stands for VeriSign Identity Protection, and the service offers authentication credentials in various forms like tokens, credit card form factor, and mobile devices. What's special about VIP, however, is that all participants are part of the same network. That means if you get a VIP token from PayPal, for example, you can also use it to log in to your Australia Post account. The same token. That's advantageous to users, who only have to carry around a single credential to authenticate themselves on may different sites. And it's advantageous to network members, who can utilize the credentails that already exist in customers' pockets.

Now with this offer to give away up to 5000 credentials per organization, it's a great time for new organizations to join the network. That's good for those organizations because they can get into the VIP network cheap. And it's good for the present VIP members, who will automatically add more credential-carrying members to their bases.

If you're going to RSA and this topic is interesting to you, stop by our booth to find out more details. We'll be there all week.

Posted by Tim at 10:53 AM
Permalink | Comments (0) | TrackBacks (0) | Subscribe

The headline says it all. VeriSign has been nominated by SC Magazine as Best Security Company for its 2008 awards. We'll learn what happens next week at the RSA conference.

Posted by Tim at 01:40 PM
Permalink | Comments (0) | TrackBacks (0) | Subscribe