Extended Validation SSL, More Secure or Just a Racket?

Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."

I don't get it

[Lord+Grey]

I had never heard of "Extended Validation SSL" so I went to Google. Among the hits was something from Thawte, so I went there. It turned out to be a FAQ. This FAQ contained such gems as:

4. Why is High Assurance/Extended Validation SSL being implemented?

Answer:

Improved online identity assurance, and improved browser representation of online identities, will empower users to better protect themselves against malicious and suspicious activity, which has gradually been eroding user confidence in digital security, including online shopping and banking. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

And:

6. What is the difference between High Assurance/Extended Validation/Enhanced Validation SSL certificates and existing SSL certificates?

Answer:

The online identity assurance process is intended to be more comprehensive and standardized across the entire industry. Whereas currently online identity assurance processes vary from CA to CA, the new standards/processes under discussion by the CA Browser Forum, will have to be adhered to by all CAs if they wish to offer High Assurance/Extended Validation SSL certificates. This will encourage greater confidence in CAs as well as the processes that are used to vet and issue digital certificates. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

Is it my imagination, or is this new Extended Validation SSL thing, in the end, just a bunch of paperwork? I may simply be missing the point. If someone can point to a better description of this thing that makes sense, please do so.

SSL and Extended SSL

[Kazrael]

Honestly, I believe that there should be a WC3 conference to contribute a single CA that makes its way onto all browsers. Give the WC3 CA site an automated system for generating certs, including an open API and then combine DNS registration protocals with the CA gen protocals. Publicly open the API, and charge small, if anything. This service is an easy one to implement. The real issue is getting browsers to add it to its automatically trusted CA list. I can create SSL at home, but I can't get browsers to add my home web onto the trusted CA list by default.

Current system is already a racket

[rhaas]

I mean... since they don't do any verification anyway... and the customer service is terrible... why does it cost hundreds of dollars?

Re:Secure?

[tyler_larson]

Has anyone found an effective way of cracking regular SSL?

No.

Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

No.

I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

No.

SSL (and TLS) aren't encryption algorithms, they're protocol standards. These protocols make use of existing encryption algorithms to secure data. Many of these algorithms have a variable level of complexity, depending on things like key size. Since security (including encyrption) is always a tradeoff of resources versus security, the goal is to tweak the configuration parameters (again, such as key length) to find a level of security such that an attack against the cipher is less profitable an option than the next best choice, such as kidnapping the document's author. Those who require greater security can use turn up the complexity at the expense of using more resources.

As computation capability increases, the complexity of encryption system is increased to compensate, usually by increasing key length. If a flaw is discovered in a given encryption algorithm making it too easy to break, or if the algorithm isn't capable of being expanded to account for better decryption technology (such as DES) then that algorithm is discarded in favor of some stronger replacement. SSL remains the same.

Verisign's "Extended Validation" program has nothing to do with cipher strength, key length, or encryption. Instead, it's indicative of the vetting process that the company had to undergo to get the certificate. To get a certificate for citibank.net, I have to verify that I own that domain. I don't, necessarily, have to verify that I represent Citibank [1]. Under this High Assurance program, Verisign will vouch, not only for the validity of the domain, but also for the validity of the organization owning that domain.

This is a Good Thing, since there currently is only one tier of validation. An SSL certificate is designed to prevent man-in-the-middle attacks, which it does well. What it doesn't protect against (though we act as if it does) is forged identity attacks. Certificates used for financial transactions, for example, should go through a stronger vetting process than certificates used for securing a blog.

[1] In reality, almost all CAs do extended verification when the other party sounds like a high-profile company or financial institution. Nonetheless, Mistakes do happen.

Re:It's called "open source"

[mikiN]

IE7 is harder to change once released

Say again?

Since when has there been any difficulty changing IE once released?
It's just a matter of releasing eleventy-one quadruple bazillion 'security updates' until it is deemed 'just barely functional'...

Has any major IE update been anything else but the last major version with the last bazillion security patches rolled into it, then dotted with fresh new bloat, eyecandy and bugs?

Most colorblind people can tell white from green

[wsanders]

However, they feel just as dumb as everyone else after they've been suckered into paying an extra $1000 for a Verisign Super-duper Whiz-Bang Mega-Ultra Cert.

To be honest there is a difference between a cert from a real CA and some $10 cert from some outfit that doesn't care anything more about your true identity than whether your credit card payment goes through. Google for "high assurance" vs "low assurance".

You want TECHNOLOGY? Ok, here's some.

[Sloppy]

"Technology?" Give me a break. They're looking at what authority signed the cert, and if the web browser has been told to dogmatically trust that authority more than others, then it turns something green.

Actually, it's not a bad idea. There are degrees of trust, and showing it to the user is fine. But you bet your ass this is mostly just a cashgrab from Verisign.

A Firefox implementation of extended validation can only be a matter of time, since the Mozilla Foundation knows in order to compete it cannot afford for its browser to be just as good as IE7; it has to be better.

Good news. There's a way to do this, that will absolutely embarrass MSIE, making its version of https look completely insecure by comparison, and screw Verisign over, in the process.

Support an OpenPGP-based cert model (perhaps using GNU TLS library, perhaps not). Suddenly, you can have certs that are signed by multiple authorities, including users themselves, and display a whole spectrum of trust metrics. Equifax can make mistakes and issue an incorrect cert to a bank, but can three CAs all make the same mistake, without a conspiracy? And what if you get the bank's fingerprint on your snailmail statements, or there's a sign showing the fingerprint when you walk into it, and thus you can cert it yourself? What if you haven't ever been to the bank (ok, I can't imagine that) but you have 3 friends who have, and you have certified them, and told your computer they are each marginally trusted, and they all certify the bank? Three friends are sure as hell a lot more trustworthy than some faceless corporation named Verisign, whose identification policies you don't even know, whose private key storage policy you don't even know, and in fact doesn't have a single employee you have even met, assuming they have any employees at all and aren't a robot in the basement of a building at the NSA.

Sadly its commonplace....

[woolio]

This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already.

ROTFL...

You mean like pay a mailing/shipping company insurance for them to do their own job?

Or paying extra for an extended warranty? (To guard against stuff that shouldn't be crappy in the first place)

Or paying a credit card company EXTRA MONEY for them to taken YOUR PAYMENT "express" ?

Or paying extra money for a "Service Plan" to get "updates" to bug-ridden software?

Or paying a monthly fee for ambulance service? WTF?!?!!

Sadly, we do live in interesting times... And its only getting more and more "interesting"!