Tim Callan's SSL Blog

EV certificate compatibility and Firefox 3.5

Thu, 02 Jul 2009 13:13:31 -0800

Hi folks. Sorry for the lack of posts lately. I've been slammed.

Writing today because Firefox 3.5 has broken the download record for a new browser version with over 8 million downloads in a single day. One subject that has been the source online discussion is the fact that the EV certificates for a series of SSL brands (four that I know of) have stopped showing up green in Firefox 3.5.

You can be assured that this problem does not happen with the EV SSL Certificates from VeriSign, thawte, or http://www.geotrust.com/.

I'm back !

Sun, 24 May 2009 05:36:24 -0800

Greece was phenomenal. I want to move there.

Tim on vacation

Fri, 08 May 2009 10:36:18 -0800

Hey everybody,

We're disappearing to an obscure corner of the world for a couple of weeks, and I don't think I'll be blogging. I'll let you know when I'm back in contact.

Protecting against brand damage from online crime

Wed, 29 Apr 2009 11:28:56 -0800

Here's a cool Advertising Age article about how businesses view online crime and brand damage and what they do about it.

Sigh

Tue, 28 Apr 2009 11:32:30 -0800

Well, I didn't win the Best Corporate Security Blog at the Security Blogger Meetup. The winner in my category was Sunbelt Security's corporate blog. I want to personally thank all of you who voted for me. It is a great compliment that you, the readers, view this blog as worthy of such an award. And you're the people whose opinion matters the most.

The Cart Whisperer wins IAC Internet marketing award

Sun, 19 Apr 2009 21:52:44 -0800

Remember the Cart Whisperer, VeriSign's award-winning viral marketing campaign launched last year to educate businesses about the dangers of abandoned shopping carts and what they could do about them? The Cart Whisperer previously has been honored as one of Marketing Sherpa's top ten campaigns of 2008 and screened at the Cannes film festival. Now it has been honored by The Web Marketing Association with an Internet Advertising Competition Award for Outstanding Achievement in Internet Advertising.

Over 100 Japanese banks using EV SSL

Thu, 16 Apr 2009 09:03:58 -0800

Here's today's press release about the near-ubiquity of Extended Validation SSL among Japanese banking institutions.

Gartner reports 40% increase in phishing, over 5 million affected in US in 2008

Tue, 14 Apr 2009 16:15:37 -0800

A new report from Gartner states that the number of phishing incidents rose 39.8% with an average loss per incident of $351. This article summarizes Gartner's recommended response for online businesses,

Gartner recommends that enterprises continue to deploy and improve security solutions that protect accounts and customers against attacks. Enterprises that are custodians of customer accounts should also consider site authentication or assurance to confirm to a customer that he or she is on a legitimate Web site and not a spoof site.

Gartner analyst Avivah Latan goes on to suggest a layered security approach as the best response to phishing.

Speaking next week at Net.Finance

Mon, 13 Apr 2009 09:00:12 -0800

If you're going to Net.Finance in Las Vegas next week, I'm speaking in the main session on Tuesday morning with Jason Dufner of Flagstar Bank. The title of my presentation is Reputation Management: Consumer Trust Is More Than Just Security. I'll be tweeting on how it went.

Introducing Tim Callan's SSL Vlog

Thu, 09 Apr 2009 07:48:59 -0800

I've been doing Tim Callan's SSL Blog for just over three years and have put up over 300 posts. For a while I've been itching to branch out into some other media. Therefore I'm pleased to introduce you to Tim Callan's SSL Vlog. The purpose for the vlog is to better match the medium to the message. Blogs are great for linking and for in-depth discussion of matters the readers already understand. Vlogs allow verbal explanations, which for many people is an easier way to digest concepts that are new to them. Therefore at least at the beginning I intend to use this vlog to lay groundwork about how our e-commerce security infrastructure works and what the big trends are in the ecosystem. Just as I figured out the ins and outs of how I could best use my blog to contribute to the public dialog, I expect to go through a similar process with vlogging.

I'm also tweeting, so follow me there. Again, I have a different vision for this medium. I often have immediate observations I want to make but don't have time to write up a full blog post or am not at a computer or both. I'm tweeting from my phone, so I can capture those immediate opportunities as they arrive. Again, I reserve the right to change my vision for this medium as time progresses.

Thanks for voting for me

Mon, 06 Apr 2009 08:47:15 -0800

Readers of The SSL Blog, you have spoken. Today the Security Bloggers Meetup announced the finalists for its Social Security Awards for best security blog in a variety of categories. I am a finalist in the Best Corporate Blog category, and my fellow VeriSign blogger Branden Williams is a finalist in the Most Entertaining Security Blog category for his Security Convergence blog.

iPhone supports Extended Validation SSL

Sat, 04 Apr 2009 10:04:22 -0800

I've been waiting for it to happen, and here we are. Apple officially wins the smartphone race for Extended Validation SSL support. That's because Mobile Safari now has Extended Validation SSL support. On the heels of Internet Explorer's adoption of EV support in January 2007, the desktop saw a wave of browsers adding in support. With over 60% of mobile browser usage, iPhone is the pacesetter in this market. I hope Apple has broken the ice for mobile devices to do the same thing.

Over 75% of clients EV aware

Fri, 03 Apr 2009 08:48:02 -0800

With the release of Safari 4 and the ongoing adoption of current versions of other browsers, the number of client systems using EV-compatible browsers has exceeded 75%.

Vote for me

Thu, 19 Mar 2009 10:48:14 -0800

I participate in the Security Bloggers Meet-Up at the RSA Security Conference. This year we're having a contest for best blogs, and if you read The SSL Blog, I'd love to solicit your vote. I'm running for Best Corporate Security Blog. Some good reasons to vote for me (apart from the timely, frequent, and informative posts) is the fact that I write SSL poetry and that I'm funny.

It couldn't be easier.

1) Go to the awards voting page (http://www.socialsecurityawards.com/).

2) Read the instructions if you feel like it and then hit Next.

3) Fill in all three fields in the Corporate Security Blog entry as follows:
Blog name - Tim Callan's SSL Blog
Blog URL (homepage) - www.verisign.com/ssl-blog
Reason - He writes SSL poetry.

4) Click the Done button.

5) Relax. Take a load off. You deserve it.

March Madness. Sure, why not?

Tue, 17 Mar 2009 16:12:34 -0800

I've written in the past about how phishers and other online scammers are attaching themselves to topical items like tax season and holiday shopping. Well, now it looks like March Madness is the latest victim.

That makes all the sense in the world. These fraudsters are trying to trick Internet users into giving away information or giving malware access to their systems. Originally it was a matter of spoofing someone's PayPal or bank account. As the users have gotten wiser (although these workhorse counterfeits are still happening in huge numbers) the attackers have constantly sought green fields. One consistent technique is to take the prospective victim out of the context in which he is looking for a scam. Your bank account is too suspicious? No problem. How about your utility bill or your favorite e-commerce site or your wireless phone service? Account lockout is too obvious? Okay, we can go with March Madness or tax filing or election fundraising or Halloween. We saw them with Katrina and Rita. We saw them with the tsunami.

This trend I'm sure will continue. We will continue to see tailored exploits using whatever is in the news this month.

The solution of course is to definitively know who is operating any given site. If all consumers were looking out for this information and if all sites were using something like EV SSL today, these techniques wouldn't work any more. Instead they're rife. They're growing.

So what do we need to do? It's really up to the sites. Over 70% of client systems on the Internet are enabled for EV today. That's a very high figure. While site adoption has grown very quickly as well, it's far behind client systems. Those organizations that make the rules for the sites can help drive this process. They can take their cue from the IRS and require EV on sites that ask consumers for information or that ask them to download applications, updates, or codecs.