A new kind of SSL Certificate is on the way
We're on the verge of the most significant development in SSL since the origin of the technology ten years ago. I'm not speaking in hyperbole, either. 2006 will see the widespread adoption of a brand new kind of SSL Certificate. And those among us who download and install the latest browsers will learn to look at SSL-protected Web pages in a whole new way.
I'm talking about the new standard for SSL Certificates that will go into production later this year. The code name is High Assurance, although the final name is not decided. Today I'll call them High Assurance. This new standard is currently in development among a consortium of Certificate Authorities and browser manufacturers in which VeriSign and Microsoft have taken leadership roles. The new standard will result in another kind of SSL Certificate in addition to the certificates we see today. Web sites will be able to purchase and deploy this new certificate type, and browsers will behave in a different and more positive way when these certificates are present.
You see, the trouble has to do with authentication. SSL Certificates as originally conceived were all to be authenticated quite thoroughly before they were issued for use on Web sites. Unfortunately, in recent years a new sort of certificate has emerged, what we call a domain-authenticated SSL Certificate. This sort of certificate goes through almost no authentication before issuance. The reason that's a problem is the rise of another online trend: phishing. As phishing has increased dramatically, visitors to e-commerce sites, online banks, and the like have begun to look for the presence of an SSL Certificate as a sign that they're attached to the real site.
It happens, however, that phishers have been successful in obtaining domain-authenticated SSL Certificates to use on their fraud sites in order to fool more people into giving up confidential information. All documented cases of phishers using commercial SSL Certificates have been with domain-authenticated certificates, even though the actual sites they're counterfeiting have used organizationally authenticated certificates.
If it's gotten a little confusing at this point, let me state it plainly. The criminals who counterfeit online business sites in order to steal your money have found a soft target, a way to make their fraudulent sites appear in the browsers to be the genuine sites. That way is domain-authenticated certificates. And the only reason it works is that the low-security certificates (domain-authenticated) look exactly like the high-security ones (organizationally authenticated). This confusion has been exploited by the bad guys, and the people who shop or bank or file their taxes online have become less willing to do so because they're afraid the bad guys are going to victimize them.
That's where High Assurance SSL Certificates come in. These certificates will look different to the browsers, and the browsers will be able to display them differently as a result. I expect Internet Explorer 7.0 to be the first browser taking advantage of this functionality with others following suit. Internet Explorer will show an old-fashioned SSL Certificate in much the same way it does today. But a High Assurance certificate will get very different treatment. In this case the browser will actually turn the address bar green, a very clear indication that this is a different kind of site you're attached to right now. Also, the name of the organization running this site and the name of the CA who issued the certificate will appear in the address bar adjacent to the actual domain you've visited. These cues will make it easy for any site visitor using this browser to tell the difference between High Assurance and traditional SSL Certificates.
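As an added illustration (this is not part of the original post, nor VeriSign or Microsoft code), here is a small Python script that shows what the browser cues above rest on: the fields a client can read out of the certificate. It parses only the Subject and Issuer Names and the certificatePolicies extension, using a minimal DER codec so the constructed sample runs offline, and it classifies a certificate as domain-authenticated when the subject carries no organization, as high-assurance when it carries an organization plus a recognized policy OID, and as organizationally authenticated otherwise. The assumption that high-assurance certificates are marked by a policy OID, the OID 2.23.140.1.1 (the CA/Browser Forum EV identifier adopted after this post was written), the second policy OID, and all names and functions are mine, not the page's.

```python
# Added example (not VeriSign/Microsoft code): classify a certificate by the
# fields a browser can read and build the address-bar label the post describes.
# Only Subject/Issuer Name and certificatePolicies are handled, with a minimal
# DER codec so the constructed sample runs offline; a real client would also
# verify the chain and confirm the root is enabled for the EV policy OID.
OID_CN, OID_O = "2.5.4.3", "2.5.4.10"      # commonName, organizationName
# Assumption: EV ("High Assurance") certificates carry a policy OID. 2.23.140.1.1
# is the CA/Browser Forum EV identifier adopted after this post was written.
EV_POLICY_OIDS = {"2.23.140.1.1"}

def der(tag, content):
    """Tag-length-value with short or long-form DER length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit = continue
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                      # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def der_iter(buf):
    """Yield (tag, content) for each TLV in buf."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def name(attrs):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, encode_oid(o) + der(0x0C, v.encode()))) for o, v in attrs))

def parse_name(name_tlv):
    attrs = {}
    (_, rdn_seq), = der_iter(name_tlv)
    for _, rdn_set in der_iter(rdn_seq):
        for _, atv in der_iter(rdn_set):
            (_, oid), (_, value) = der_iter(atv)
            attrs[decode_oid(oid)] = value.decode()
    return attrs

def cert_policies(oids):
    """certificatePolicies: SEQUENCE OF PolicyInformation { policyIdentifier }."""
    return der(0x30, b"".join(der(0x30, encode_oid(o)) for o in oids))

def parse_policies(ext_tlv):
    (_, seq), = der_iter(ext_tlv)
    return [decode_oid(next(der_iter(info))[1]) for _, info in der_iter(seq)]

def validation_level(subject_tlv, policies_tlv, ev_oids=EV_POLICY_OIDS):
    subject = parse_name(subject_tlv)
    policies = parse_policies(policies_tlv) if policies_tlv else []
    if OID_O not in subject:                  # nobody vetted an organization
        return "domain-authenticated"
    if any(p in ev_oids for p in policies):
        return "high-assurance"
    return "organizationally-authenticated"

def address_bar_label(domain, subject_tlv, issuer_tlv, policies_tlv, ev_oids=EV_POLICY_OIDS):
    """Traditional certificates show just the domain; high-assurance ones add
    the organization and the issuing CA, as the post describes for IE7."""
    if validation_level(subject_tlv, policies_tlv, ev_oids) != "high-assurance":
        return domain
    issuer = parse_name(issuer_tlv)
    return f"{domain} | {parse_name(subject_tlv)[OID_O]} | {issuer.get(OID_O, issuer[OID_CN])}"

# Constructed sample data: all names and the DV policy OID are made up.
DOMAIN = "www.example-bank.test"
DV_SUBJECT = name([(OID_CN, DOMAIN)])
OV_SUBJECT = name([(OID_O, "Example Bank Inc"), (OID_CN, DOMAIN)])
ISSUER = name([(OID_O, "Example CA"), (OID_CN, "Example CA High Assurance Root")])
DV_POLICIES = cert_policies(["1.3.6.1.4.1.99999.10.2"])
EV_POLICIES = cert_policies(["2.23.140.1.1"])
```

Calling `address_bar_label(DOMAIN, OV_SUBJECT, ISSUER, EV_POLICIES)` yields the domain followed by the organization and the CA, while the same call with `DV_SUBJECT` returns only the domain. Note that an EV policy OID on a subject with no organization is still treated as domain-authenticated: the OID alone proves nothing, and a browser additionally checks that the chain ends in a root enabled for that OID, which this leaf-only example leaves out.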
The reason this new interface matters is that High Assurance certificates will be held up to a uniformly high standard of authentication, an authentication level that has never been fooled by a phisher or other cybercriminal. If every Internet user in the world had a browser that recognized the difference between High Assurance SSL Certificates and traditional ones and if every legitimate site used a High Assurance certificate, then phishing as we know it today would essentially be eliminated. Of course, adoption of both these browsers and these certificates will take some time. Nonetheless, this initiative is an exciting development in fighting phishing.
I'll keep you informed as this standard comes together. Keep an eye on this blog for the latest information on how it's progressing.
Comments
***If every Internet user in the world had a browser that recognized the difference between High Assurance SSL Certificates and traditional ones and if every legitimate site used a High Assurance certificate, then phishing as we know it today would essentially be eliminated***
If every computer user were just not using Windows, the internet would be safer and there would be fewer viruses.
Why not just make domain-auth'ed certificates not valid any more?
Posted by: adasdasd | August 27, 2006 8:53 AM
I don't think the first statement warrants serious response. If the poster wants not to use Windows on his desktop system, I recommend he refrain from doing so. There are other options available to him.
The second statement is the one I'll engage with. "Why not make domain auth certificates invalid?" The answer is too long for this context. I'll blog it as a top-level posting.
Posted by: Tim Callan | September 12, 2006 4:49 PM
I am curious as to why there is a need to develop a High Assurance standard beyond the organizational authentication that has always existed, especially if the authentication process is nearly the same? Instead of having three levels of certificates (domain, organizational, and High Assurance), why do browsers not just make the distinction between the first two (i.e., have the address bar go green for the organizational but not the domain-based)?
Thanks for the very informative, well-written post.
Posted by: Jamie | November 15, 2006 5:55 AM
Hello,
The High Assurance SSL Certificate is the new EV SSL?
Posted by: Jefferson - Certificado Digital | April 29, 2008 12:14 PM
Yes, what was originally code named High Assurance SSL is officially called Extended Validation SSL.
Posted by: Tim Callan | May 2, 2008 8:23 AM