Slashdot Mirror
Extended Validation SSL, More Secure or Just a Racket?
Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."
I'm colorblind. Would I ever notice the difference?
Has anyone found an effective way of cracking regular SSL? Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?
I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?
Hey Verisign, it's called "open source". If you'd like the feature added submit a patch and they'll consider it. Until then the people working on it will finish when they can. Thanks.
Developers: We can use your help.
I think I remember reading about this either on firefox dev blogs or mailinglists or IRC. IIRC, the upshot was that verisign should be doing "extended validation" type things on all their clients. The validation they have now is really pretty shoddy, shoddy enough that they'd be risking getting kicked out if they weren't so big and so many websites would break. But that's just my memory, which could be bad, you'd have to look into it yourself.
There are 11 types of people in the world: those who can count in binary, and those who can't.
Definitely sounds like a racket to me. If you get the green bar by paying Verisign 150%, how does that differ from today's security certificates? Other than having to pay more money, and only being able to be verified by Verisign, that is. (Doesn't sound racket-y at all. Or was that rickety?) While they make it sound like the Green Bar is an excellent method of knowing that Amazon is really Amazon, I think it's actually a reverse attempt. By getting Amazon to use this spiffy new green bar, Verisign is attempting to legitimize their new technology in the eyes of the consumer. Little will actually change for the consumer, as he already knows when he's surfing Amazon.
The only place it would supposedly help is with Phishing. But since Phishing sites can't get certificates anyway, what does this help? If the lock isn't good enough, just change the URL Bar green for every VERIFIED certificate received. That will have the EXACT same effect.
Javascript + Nintendo DSi = DSiCade
[Fuck Beta]
o0t!
Err, excuse me.. isn't the verification of the identity of the applicant of the certificate exactly what the CAs are meant to be doing anyway?
I thought that that is why we had these 'trusted' third-parties, to vouch for the identity of the certificate owner - that is the fundamental basis of PKI and certificates. If they weren't doing that before (which they clearly weren't doing properly), what the hell were they doing?
So, we're paying them extra to get a 'fixed' version of something that they caused to be broken in the first place because they couldn't do their job properly. WHy should paying an extra 50% on top of their fees all of a sudden make us able to trust them now?
This is coming from the people who stole DNS, and sell certificates for hundreds of dollars which take milliseconds to make....
Now we're supposed to get a more "trustworthy" cert and make our address bar green?
Fuck you Verisign.
Tom
Someday, I'll have a real sig.
IE 7 will have different icons on the location bar to indicate that a site has the "higher" level of "security" (translation: "bought the new certificate").
I'm guessing the certificate security itself isn't changed. What they're saying is they're just going to do more research on a company before they hand out certificates. Right now you fill in a form, fax it in, and *presto* you get certs. Now, I guess someone will actually call and check before issuing.
They could do this now with regular SSL, but they couldn't charge more money... too much competition out there.
The thing is, the encryption of SSL is not at issue; it's just a new product to market.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
So, Verisign realizest that their practices are insecure and broken, but instead of fixing their practices and being a good CA, they are instead creating a new kind of "we actually did our job" certificate that requires new code for browsers to recognize?
I mean, wouldn't it make more sense for Verisign to do the same thing (if they wanted to get some money for insecure certs but still have a more secure cert) to create a new Certification Authority name also run by Verisign that actually does their job, and not require any browser code changes? Or are they just afraid that if they did that, browser vendors might delist Verisign's main CA from their default list of trusted CA's, since that would be admitting that, well, basic Verisign certificates can't be trusted.
Seems to me this is an unnecessary technical change to a business practices problem at Verisign.
The plan was for all the browsers to implement the color bar scheme, based on IE's implementation. There were optimistic announcements by all involved, but no final standard has emerged. VeriSign and other SSL certificate authorities are preparing to start selling these in January. It's not clear to me if Firefox/Mozilla has actually opted out or is just moving more slowly than MSFT in incorporating the changes in the browser. Mozilla tends to be deliberate about SSL-related changes in the browser.
RichM
Data Center Knowledge
#1. In order to issue the new certificates, the Certificate Authorities (CA's) will be "required" to follow "industry standard" practices in "verifying" whomever applies for a new certificate.
... the same as they are today.
#2. This additional "verification" is what will cost the additional money.
#3. Any business that does not pay the additional fees to be "verified" by "industry standard" practices will be
#4. Phishing depends upon a person making a single error in judgment, one time. This will not stop phishing.
This will not stop anything. This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already. Imagine trying to run a business like that.
Boss - "I paid you last week, but you barely did any work. I'm going to fire you."
Employee - "If you give me a 50% raise, I'll perform the work to industry standards."
Boss - "Okay, that sounds like a good deal to me."
Verison is involved.
Everything Verisign does is a racket.
Therefore, it's a racket.
Q.E.D.
To spur "enterprise Linux," Big Bang, the distributed two-phase commit.
shoving their shoddy DOS ... down your throat ... abusing their monopoly
Right! Because DOS was definitely the only O/S upon which big business was doing business, say, back in the 1980's.
And then there were those enormous numbers of consumers using DOS instead of Apple II machines or Ataris or Amigas... Shoved down their throats? Come on. If you're going to rant about MS market share, at least skip over the part when it was anything but a sure thing, before all of the other platform makers wheezed and missed the opportunity to take over the business desktop market (when they already owned the back office corporate computing market!) when it was anything but settled in one popular direction.
Don't disappoint your bird dog. Go to the range.
In a world where even PayPal can't get it right (and nobody cares) what does it matter?
"Oh, it's an https site. It's encrypted. Cool". Next.
Some time when you're really bored look at the low level ssl stuff (with openssl or something) and notice all the errors. The browsers ignore so many of these I think it's all a big joke.
Need Mercedes parts ?
Has anyone actually been able to find the specification for "high assurance" certificates? Apparently this is being closely held. The spec comes from something called the "CA Browser Forum", which is invitation-only and doesn't seem to have a web site. A standard was supposed to be issued in August, but apparently agreement wasn't reached until a meeting in September. There are many press releases, but no hard data.
So that's why it's not in Mozilla.
It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying Party Agreement.
The way it's supposed to work is that the certificate issuer bears financial responsibility for misidentification of the certificate owner. Some certificates from Verisign have a Relying Party Agreement that does provide a financial guarantee to the party relying on the certificate - $100 for a class 1 cert, $5000 for a class 2 cert, and $100,000 for a class 3 cert. Most of the other issuers have relying party agreements which promise nothing and deliver less.
So what's happening is that, soon, you'll be able to tell the difference between the crap certificates and the good ones. Before you buy. The idea is that if you put your credit card into a site that showed a green toolbar in IE, and it wasn't really the company it should have been, you can collect from the certificate issuer. This puts certificate issuers on the hook for phishing losses.
Unfortunately, the rules and the Relying Party Agreements for the new certificates haven't yet appeared, so we can't tell if the rules are tough enough to make this work. Since they're being drafted by the certificate issuers, there will probably be some loophole that lets them off the hook.
Honestly, I believe that there should be a WC3 conference to contribute a single CA that makes its way onto all browsers. Give the WC3 CA site an automated system for generating certs, including an open API and then combine DNS registration protocals with the CA gen protocals. Publicly open the API, and charge small, if anything. This service is an easy one to implement. The real issue is getting browsers to add it to its automatically trusted CA list. I can create SSL at home, but I can't get browsers to add my home web onto the trusted CA list by default.
Development notes at http://devscribbles.blogspot.com
I mean... since they don't do any verification anyway... and the customer service is terrible... why does it cost hundreds of dollars?
However, they feel just as dumb as everyone else after they've been suckered into paying an extra $1000 for a Verisign Super-duper Whiz-Bang Mega-Ultra Cert.
To be honest there is a difference between a cert from a real CA and some $10 cert from some outfit that doesn't care anything more about your true identity than whether your credit card payment goes through. Google for "high assurance" vs "low assurance".
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Mozilla.org should get into the SSL certificate reselling business and set the location bar to green when one of the mozilla signed certs is present. Verisign could then have the option of paying a royalty to mozilla.org for each extended certificate if they want green URL bars too.
Sadly, CACert's root certificate is still not included with Mozilla, although a number of distributions include it.
I am TheRaven on Soylent News
...as a Certificate Authority to ensure that any sites they issue certificates to are trustworthy. All PKI systems are based on this kind of trust model. If there is any lack of trust/confidence in online ssl-encrypted commerce, it is their fault. Merely because they have been ignoring their role as a trust arbitrator and giving out certs to anyone, they decide now to actually do their part, charge more, and have Microsoft put a flashy "green for go" interface on it.
Then, of course, you must slam Firefox for "losing the browser war" by not keeping up by making their URLs turn green. You know, (speculation alert) you can probably bet Microsoft patented the green url indicator anyway, locking Firefox out.
"Technology?" Give me a break. They're looking at what authority signed the cert, and if the web browser has been told to dogmatically trust that authority more than others, then it turns something green.
Actually, it's not a bad idea. There are degrees of trust, and showing it to the user is fine. But you bet your ass this is mostly just a cashgrab from Verisign.
Good news. There's a way to do this, that will absolutely embarrass MSIE, making its version of https look completely insecure by comparison, and screw Verisign over, in the process.
Support an OpenPGP-based cert model (perhaps using GNU TLS library, perhaps not). Suddenly, you can have certs that are signed by multiple authorities, including users themselves, and display a whole spectrum of trust metrics. Equifax can make mistakes and issue an incorrect cert to a bank, but can three CAs all make the same mistake, without a conspiracy? And what if you get the bank's fingerprint on your snailmail statements, or there's a sign showing the fingerprint when you walk into it, and thus you can cert it yourself? What if you haven't ever been to the bank (ok, I can't imagine that) but you have 3 friends who have, and you have certified them, and told your computer they are each marginally trusted, and they all certify the bank? Three friends are sure as hell a lot more trustworthy than some faceless corporation named Verisign, whose identification policies you don't even know, whose private key storage policy you don't even know, and in fact doesn't have a single employee you have even met, assuming they have any employees at all and aren't a robot in the basement of a building at the NSA.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It's purely a money-making scam by Verisign (and other CAs). The only thing high-assurance about "high-assurance" certs is the assurance that you'll be charged more money for them. See the Defcon talk Phishing Tips and Techniques - Tackle, Rigging, and How and When to Phish for a discussion of why "high-assurance" certs are worthless except to the companies issuing them.
The Mozilla foundation did not have a good set of criteria for including a cert. Originally they pretty much just used the same ones as IE (pay a big heap of money). Now they do have a set of rules, and the CACert people are trying to prove that they comply with them. It should be done Real Soon Now(TM).
I am TheRaven on Soylent News
This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already.
ROTFL...
You mean like pay a mailing/shipping company insurance for them to do their own job?
Or paying extra for an extended warranty? (To guard against stuff that shouldn't be crappy in the first place)
Or paying a credit card company EXTRA MONEY for them to taken YOUR PAYMENT "express" ?
Or paying extra money for a "Service Plan" to get "updates" to bug-ridden software?
Or paying a monthly fee for ambulance service? WTF?!?!!
Sadly, we do live in interesting times... And its only getting more and more "interesting"!
In the first link, they're self-signed certs that trigger the "Stop the World, something's wrong!" message. If consumers are ignoring this already, I'm afraid that a "green bar" isn't going to be much more effective.
The second link is more problematic, but the solution is simple. If a cert authority can't do proper due dillegence, then remove them from the browser's trusted list until they correct their procedures. They're obviously not trustworthy. Giving Verisign an artificial monopoly on something they should already be doing is not the way to solve the problem!
Javascript + Nintendo DSi = DSiCade
If the extra up-front validation is the main thing, Verisign should be charging a high one-time-fee for undertaking those steps, then charging a low low monthly rate to rest on their laurels and do nothing further. Somehow I doubt that's the price structure they adopted here.