Small Businesses Worry About MS Anti-Phishing

prostoalex writes "Ever get that warm feeling of safety, when the anti-phishing toolbar on Microsoft Internet Explorer 7 turns green, telling you it's safe to shop on the site you're visiting? Well, you probably don't, but the millions of Internet users who will soon be running IE7 probably will be paying attention to the anti-phishing warnings. WSJ.com is reporting on how Microsoft is making it tough for small businesses to assure they're treated properly by the anti-phishing algorithm." From the article: "[S]ole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color. There are about 20.6 million sole proprietorships and general partnerships in the U.S... though it isn't clear how many are engaged in e-commerce... 'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud. 'All the business is going to go to the greens, it's kind of obvious.'"

WTF? Phising and certs are different issues.

[Whiney+Mac+Fanboy]

'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud.

WTF? Shouldn't that read:

'Are people going to notice the green or than white? No, they wont,' says WMF, an analyst at slashdot Inc. and an expert on stupid punditry.

On a slightly different note, I think the submitter has gotten the new expensive secure certs gold-rush/scam confused with the anti-phishing tech. Not surprising 'cause the article melds them together in a rather confusing manner.

Re:WTF? Phising and certs are different issues.

[WilliamSChips]

You even used bad grammar and spelling, like a Slashdot editor!

Re:WTF? Phising and certs are different issues.

[Whiney+Mac+Fanboy]

You even used bad grammar and spelling, like a Slashdot editor!

Yuo say that as if Im capable of something else using!

Re:WTF? Phising and certs are different issues.

I think any comment about IE7's anti-phishing system should note that it sends every website you visit to Microsoft. If you care even an iota about the privacy of your web browsing, you should choose "no" when IE7 asks you to enable its invasive anti-phishing system.

Re:WTF? Phising and certs are different issues.

[thinkliberty]

This can also work 2 ways.

Users favorite deal sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox to purchase anything from the site. They can also have a continue anyways button and store a cookie to not display the message again. That way when there is no green bar the users will know it is because they are not using an approved browser.

YAY for Microsoft, let them shoot themselves in the foot.

Re:WTF? Phising and certs are different issues.

[ShieldW0lf]

Now there is a tangable commercial interest in creating phishing sites.

Huge corporations that quietly invest money in polluting the internet with phishing sites that create an environment where "white = tangably untrustworthy" will see returns on their investment because this exists.

There was a business model in polluting the P2P networks so they become inefficient services. Then there were businesses that did it. Now there is a new business model. What comes next, you think?

Re:WTF? Phising and certs are different issues.

[tacocat]

I think you complete misssed the point.

It's a great business model.

If you want to buy stuff from the InterWeb thingy you want to buy from the GREEN because everyone else is EVIL.

If you want to get more business sent your way, you have to purchase the certificates to go GREEN or else you lose money.

So if the businesses buy in to this green craze then it starts to feed into a cyclic frenzy of cornering the purchasing power of the consumers. And everyone pays Microsoft. And that makes it a great business model.

But we all know that Microsoft is pretty much regarded as a joke by more and more people every day. Just not enough quite yet.

Re:WTF? Phising and certs are different issues.

[UncleTogie]

All your postings are belong to us.

Re:WTF? Phising and certs are different issues.

[EdMack]

But yes to Google anti-phish in Mozilla

Re:WTF? Phising and certs are different issues.

Oh, quit whining about your perceived double standard. Just as many people here on Slashdot were upset when Google started doing this, so you really can't claim any particular bias against MS in this case. Sorry.

Re:WTF? Phising and certs are different issues.

[killjoe]

Today I was trying to use a SSH java applet to connect to a server in IE7. IE7 refused to run the applet because it did not recognize the signature. I added the site to my trusted sites list but it still refused to load it. I went into advanced setting and told it to install unsigned activex controls but it still do it. After struggling for a little while longer I installed firefox (this was not my computer) and ran the applet I needed to run. Installing firefox and then installing java took less time then my struggles trying to get IE7 to load an open sourced applet.

All this "protection" in IE7 is there to try and limit which software you run. MS has decided that before they can beat open source they need to winnow the list of companies that deal with it and this is a good first step to do that with. If this same applet was signed by novell I am sure it would run in IE.

Re:WTF? Phising and certs are different issues.

[JonathanR]

A third way, of course, is for the website to open a new browser window, sans IE7 navigation toolbar. The site emulates the navigation toolbar by a web-based frames type arrangement. Now you can present the URL with any colour background you want.

Re:WTF? Phising and certs are different issues.

[solitas]

>> If you care even an iota about the privacy of your web browsing, you should choose "no" when IE7 asks you to enable its invasive anti-phishing system.

Okay, no, wait - you seriously think that just because you click a "no" box that IE7 _still_ won't "rat-you-out to mom"?

Re:WTF? Phising and certs are different issues.

[seeker6182000]

Time to take off the tinfoil had sonny. If IE7 still sent out URLs visited after you told it not to, the lawyers would have a field day, and MS would have a huge PR problem. I am sure this was checked and double checked numerous times to make sure that it didn't happen.

Re:WTF? Phising and certs are different issues.

[kripkenstein]

Time to take off the tinfoil had sonny. If IE7 still sent out URLs visited after you told it not to, the lawyers would have a field day, and MS would have a huge PR problem. I am sure this was checked and double checked numerous times to make sure that it didn't happen.

Sure, because big corporations never make big mistakes. But anyhow, just because it 'doesn't make sense' to you doesn't make it not so. Do you have any evidence? Until you or the grandparent post show some actual facts, I won't believe either one of you.

Re:WTF? Phising and certs are different issues.

[Julian352]

There is no way in IE7 to remove the URL bar from the window. Even a window with no other UI elements must show the URL to prevent such attacks. (Or other phishing problems.)

Re:WTF? Phising and certs are different issues.

[dnc253]

Didn't you know that Microsoft always knows better than you what is safe and what you want to do?

Re:WTF? Phising and certs are different issues.

[marcello_dl]

...sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox... Good idea, but i'd say not "defective", but "deliberately denying small businesses the status of legitimate web sites". That's the truth.
BTW, what if somebody got certified somehow, and then hosted a portal for businesses he trusts giving them the green light? I guess certification contract explicitly forbids that in the first 10 lines of the agreement :)

Re:WTF? Phising and certs are different issues.

So, this is what you've done:

1) Make illogical assumption based on data that neither you nor anyone else on /. has access to.

2) Invite people to prove you wrong with data that neither you nor anyone else on /. has access to.

3) Because you are unable to be proved wrong, or incidentally right, deduce that far from being inconclusive that you are in fact correct.

How about: you don't know whether you're right or wrong, so why don't you find some proof of what you're claiming before trying to pass it off as fact?

Re:WTF? Phising and certs are different issues.

[JonathanR]

Does that mean all pop-ups will have a navagator toolbar/url showing?

Re:WTF? Phising and certs are different issues.

[giorgiofr]

It's not like it takes a rocket scientist to sniff your own traffic with Ethereal, buddy. Fire it up and look for yourself if you are so concerned.
What's that you say, you don't even know what Ethereal is?

Re:WTF? Phising and certs are different issues.

[weicco]

Yes, they have URL showing but not the whole navigation bar. I think there was some way to "hack" URL so that it didn't show the whole URL if user didn't click on the URL bar but I'm unsure of this, maybe Secunia knows better.

Re:WTF? Phising and certs are different issues.

There you wanna go today.

Re:WTF? Phising and certs are different issues.

Hold on. Did Microsoft write the JVM that's refusing to run the applet? Umm no. They're not writing JVMs any more. That points more to a fault with Sun's JVM than IE7

Re:WTF? Phising and certs are different issues.

[wkk2]

I'm sure the certificate authorities will notice the difference ($$$). How long before they offer gold and platinum. Hurry up and file the business patent.

Re:WTF? Phising and certs are different issues.

[d3ac0n]

It's Wireshark now.

Re:WTF? Phising and certs are different issues.

[jasen666]

No, IE will not even pass the applet to the JVM if it does not pass the certification test. AND, the same JVM will run the applet just fine in Firefox.
Nice try though.

Re:WTF? Phising and certs are different issues.

[Chrondeath]

Identity theft is a bit more illegal than misnaming files on a P2P network.

Re:WTF? Phising and certs are different issues.

Today I was trying to use a SSH java applet to connect to a server in IE7. IE7 refused to run the applet because it did not recognize the signature. I added the site to my trusted sites list but it still refused to load it. I went into advanced setting and told it to install unsigned activex controls but it still do it.

ActiveX and Java are different technologies. I suspect something is wrong with your Java settings or installation. IE7 does not have Java by default.

My company uses unsigned Java applets in IE7. I know they're unsigned - I wrote them!

Re:WTF? Phising and certs are different issues.

[Dragonslicer]

Sadly, I think that's true in the cases of many users.

Re:WTF? Phising and certs are different issues.

[jc42]

All this "protection" in IE7 is there to try and limit which software you run. MS has decided that before they can beat open source they need to winnow the list of companies that deal with it and this is a good first step to do that with. If this same applet was signed by novell I am sure it would run in IE.

Well, my prediction would be that MS will also have a setup like their "partnering", by which you pay them to be treated as a safe site. This will be understood by the more knowledgeable users, of course, and they will treat the color-coded security level as meaningless. The other 99% of the MS user community won't understand that the ratings are bought and paid for, but they also won't understand the color codes, so they'll be as likely to treat white as safe as green or pink or whatever. The end result will be that the system's sole function will be to restrict what will run on your machine, but it won't have any effect on safety.

Re:WTF? Phising and certs are different issues.

[Casualposter]

A few words: "Class Action Lawsuit" Microsoft as a monopoly is adversely labeling businesses because they don't pay for a certificate and they can do this only because they are a monopoly. And if microsoft is doing this to fight phishing, where is the liability if that protection does not work? I'm sure someone will figure out how to get a green bar without a certificate and a phishing they will go. Meanwhile, the legitimate small business gets labeled "untrustworthy" by Microsoft software. Now THAT is ironic.

Re:WTF? Phising and certs are different issues.

[Raenex]

The thing is, sniffing the wire is no guarantee. IE could collect the data and then send it when you check for a Windows Update. I'm not saying it's likely that Microsoft is covertly spying on you, but it's definitely possible, and very hard to detect. If you want to be extremely paranoid you should browse anonymously via public computers, using a disguise (because of face recognition technology).

What's that? You're afraid of Microsoft getting all your data, tinfoil hatter? What about your ISP? We've seen that the government is willing to install a massive spy network in our infrastructure (see AT&T). McNealy is right, privacy is dead for the average person.

Re:WTF? Phising and certs are different issues.

[ShieldW0lf]

Yep... 20 years from now, when they release the "Blood Phishing" movie and everyone knows what happened, that class action lawsuit is going to tear em a new one. Then we'll all start surfing on "Conflict-Free Browsers" and life will be good.

Re:WTF? Phising and certs are different issues.

[JourneymanMereel]

By default, the anti-phish in Mozilla provided by Google downloads a local copy of the database and checks against that. You have the option of sending every site you visit to Google for evaluation, but saying 'no' to that doesn't completely remove you from being protect (and the default answer to that is 'no').

Re:WTF? Phising and certs are different issues.

[giorgiofr]

Fine. We're all running NSAOS. Microsoft controls the kernel and all the software we run is actually running on top of a deception layer. Hey, it's technically possible and easier than wiretapping ISPs. Also, all routers have a specially crafted firmware that enables IE to punch through firewalls and whatnot.
What's next, MS is in your computer, stealing your internets?

Re:WTF? Phising and certs are different issues.

[Raenex]

Remember, I didn't say it was likely that Microsoft was covertly spying on you, just that if they were it wouldn't necessarily be easy to detect. Though after the AT&T scandal, the widescale bank monitoring, Carnivore, Crypto Ag, etc., it wouldn't suprise me in the least if the US government didn't have some backdoors deep down. Once hardware enforced DRM is the reality, you'll never be able to know.

On top of that there's always the threat of jailtime for revealing these programs, so the few that know about them may not want to blow the whistle. If you have reason to be paranoid then you should be, is all I'm saying.

Re:WTF? Phising and certs are different issues.

[solitas]

Yah - go ahead and fully read a EULA or two sometime and see all the stuff written in there that people don't read.

They _can_ have buried in there: "click all the buttons you want to and we'll still 'taste' all your cookies, rummage-around through your 'temporary internet files' folder, look at your saved information, diddle your sister and her best friend, and snoop your emailer's addressbook; if we want to because if you didn't READ this fifteen-screen-long block of three-point text before you clicked and agreed to it, then that's YOUR problem."

I'm not saying that kind of stuff is in anybody's EULA _now_; but it _could_ be done by a "major software manufacturer" in the future and all the sheep that don't know any better, or don't WANT to be bothered to LEARN any better, will keep right on supporting that OS rather than doing the intelligent thing that Linux/OSX/etc. users have done.

Re:WTF? Phising and certs are different issues.

[giorgiofr]

Ok, ok, there's a reason I use SSL or SSH when I can, maybe secure email too, TrueCrypt for sensitive stuff... you get the idea. As you say, one must be *reasonable* though. Wild claims that IE is spying on me and I dare you to prove otherwise *and* you cannot prove it because of a variant on the brain-in-a-vat theory are not reasonable. Not that YOU said so, it was the GP.

Re:WTF? Phising and certs are different issues.

[Raenex]

I agree, GP was unreasonable. I think we can also agree security is a bitch :)

going to have come up with a better way

[yagu]

Microsoft may think they've solved a problem and maybe they have, but this could be creating a bigger problem, though as usual it'll be no skin off of Microsoft's nose.

Microsoft's stance (FTA):

Microsoft says green shouldn't be considered a seal of approval, but rather a sign that the site owner is a legitimate business.

It may not be formal logic (all farmers wear overalls, therefor if I wear overalls.... (hint: I am not a farmer)), but most internet users are going to make the simple logical leap and assume that not "green" implies not legitimate.

It's easy for Microsoft to skate... they don't live the existence of normal business - it's a shame they have so much input into what others' business rules look like. This probably isn't fair. There has to be a legitimate way to become legitimate.

Re:going to have come up with a better way

[coolgeek]

I think there will be an obstruction of trade class action suit filed against Microsoft for this.

Re:going to have come up with a better way

[tonywong]

So Microsoft has decided that whitelisting companies is a good idea, and everyone else is to be lumped into a greylist and blacklist area? No wonder the individuals in the grey zone are peeved, the association with blacklist websites alone will tank sales.

Re:going to have come up with a better way

[KingPunk]

i work for bank of america's online banking division. and we are all too familiar with the "false postive" of the IE7 Phishing site notification.

usually caused by somebody not noticing that they actually are on the correct site, and just say "hmm, must be a phishing" site. or worse yet.. "this isnt a phishing site, so i'll click it so it doesnt ask me again."
needless to say, its a nightmare, espically for somebody who could potentially lose busisness to this issue.

there must be a check & balance sort of situation available for this.

Re:going to have come up with a better way

[Ucklak]

"it's a shame they have so much input into what others' business rules look like"

Yeah like E-commerce sites hosted with IIS will be favored over Apache hosted sites.

Re:going to have come up with a better way

[iminplaya]

there must be a check & balance sort of situation available for this.

There is. The three branches of economy are:

1) Seller
2) Buyer
3) Money

All must agree to complete the transaction. And guess what? The buyer has all the marbles. If the seller wants the buyers money, he must convince him to give it up. The problem is that the buyers are too easy. If you want to keep shoddy (shady) products off the streets, don't buy them. It doesn't get much simpler than that. Don't argue with the seller, do what you can to educate the buyers. If they don't go along, well, then you're SOL. There is no doubt that buyers can control the market.

Re:going to have come up with a better way

[zotz]

"There are about 20.6 million sole proprietorships and general partnerships in the U.S..."

Well, if the article get things right, these 20.6 million businesses now have one more reason to drop MS completely. I figure if that begins, things will change.

all the best,

drew

Re:going to have come up with a better way

[Pensacola+Tiger]

Actually, I think that there are 20.6 million lawsuits waiting to be filed against Microsoft. I admit that I'm not a proponent of excessive litigation, but in this case I am in favor of it.

Re:going to have come up with a better way

[mandelbr0t]

Then don't call it a "logical leap". You're deliberatly confusing the argument. The formal logic is more or less: If the conditional is true, it does not imply that the converse (i.e.not white == not legitimate) is true. There's a special term used in formal logic to describe the situation where the converse is true, known as iff (if and only if). That's the "logical leap". Use something else to describe your moronic reasoning.

mandelbr0t

Re:going to have come up with a better way

[tinkertim]

>> Actually, I think that there are 20.6 million lawsuits waiting to be filed against Microsoft. I admit that I'm
>> not a proponent of excessive litigation, but in this case I am in favor of it.

I agree, a legal (litigation) based denial of service attack against MS is entirely warranted. Microsoft is trying to make themselves an authority on something they have absolutely no business being involved in. Their scope is to provide an operating system, and secure that operating system.

Things beyond that should not be part of (or optional during) the installation of that operating system. This doesn't mean that they can't offer tools that 'protect people from Internet muggings' , however, these tools should be a component offered OUTSIDE of the initial OS installation, or installation of any package available in their OS.

IE installs as *part of* Windows, even though its not really part of Windows, its an application that runs *under* windows. If you're going to bundle IE with windows, you can't bundle these extra tools with IE.

If they want to do this (bundle it with IE) , then IE needs to be a component people elect to download and install, or install from supplemental media (another CD) included with Windows. Or, they could simply make this new gimmick as an optional download or install from a separate set of cabinets.

In short, they're just asking for it this time.. and I hope they 'get it' in more sense of the phrase than one.

Re:going to have come up with a better way

[calciphus]

What makes you think you can sue MS? You can't sue Google (successfully) just because your page gets blocked by them, even though they are arguably obstructing trade on your site. You can't sue VeriSign for not giving you a free certificate, even though some people won't shop at non-VeriSign secured sites.

Really, I'd hope people don't sue for this. If your sole source of income relies on a system you can't control, then you have a bad business model, plain and simple. Be it Google, or Microsoft, or VeriSign.

Plus...do you really want to make it EASIER to phish? That's just more junk mail in your inbox, because it'll continue to work.

Re:going to have come up with a better way

[Lehk228]

actually the difference is that with google they choose to list you or not, with the anti-phishing bar MS is directly communicating to the user that you are less than legitimate

Re:going to have come up with a better way

[drsmithy]

Things beyond that should not be part of (or optional during) the installation of that operating system.

You appear to be advocating the academic definition of "operating system" should be the only one. Given that such a definition would preclude "operating systems" including such basic functionality as shells (GUI, CLI, or otherwise) out of the box, how much of a market do you think there's going to be for such "operating systems" ?

The term "operating system" hasn't meant what you want it to mean in the marketplace for decades (generously assuming it ever has). IE has as much justification for being in a default Windows install as bash does in a default Linux installation. The market has overwhelmingly indicated that it wants its operating systems to include more than a kernel and some hardware drivers as standard. Get over it.

Re:going to have come up with a better way

[aardvarkjoe]

Microsoft is trying to make themselves an authority on something they have absolutely no business being involved in. Their scope is to provide an operating system, and secure that operating system.

Microsoft's scope is anywhere that they see a need and people are willing to pay for. If I choose to believe that Microsoft's whitelist really represents reputable sites, I should be allowed to do so.

Re:going to have come up with a better way

[tinkertim]

>> Get over it.

I'm fully over it, actually never found myself under it :) I have an all Penguin company. But I must continue to whine relentlessly over things that I have absolutely no control over .. to do otherwise would be , well, boring.

Its still a low down dirty market grab putting themselevs quietly in a position of authority they have no business assuming, any way you cut it. We can debate the roots of a definition, but the fact remains that this is going to cost some mom and pops a few conversions.

That's sad.

Re:going to have come up with a better way

[Rix]

Really, I'd hope people don't sue for this. If your sole source of income relies on a system you can't control, then you have a bad business model, plain and simple. Be it Google, or Microsoft, or VeriSign.

What about the public road system, or utilities such as power or running water? Given that Microsoft has a monopoly, it's fair to lump them in that class.

Re:going to have come up with a better way

This is probably the one and only comment you should make from this article. Good Job!

captcha = cracking

Re:going to have come up with a better way

Exactly - companies like Google facing lawsuits because some idiot doesn't understand SEO and/or did something to get blacklisted. The difference between a Google blacklisting and IE7 showing a site as untrusted is that even if its the legitimate site for something like Youtube or FedoraProject, or Ubuntu - just because MS screwed up with anything pre-IE7 so that users ended up at pron.conyourass when they wanted Bank of America - and so now they've made IE7 paranoid, and such sites that were (according to IE) legitimate in ver6 are now going to be listed as textbook scam sites (as far as the average joe is concerned)...

Re:going to have come up with a better way

[jc42]

Microsoft's scope is anywhere that they see a need and people are willing to pay for. If I choose to believe that Microsoft's whitelist really represents reputable sites, I should be allowed to do so.

Sure, you're free to believe whatever you like. But in most jurisdictions, there are laws about things like libel and slander. I'd think that such laws might be easily used in this case.

If I were to start up my own business that published ratings of other businesses' honesty based on whether they've paid me for a rating, I'd be in court real fast. In some jurisdictions, I'd might be in jail, too.

It'll be interesting to see whether Microsoft is powerful enough to get away with such public libel without any punishment.

Re:going to have come up with a better way

[calciphus]

Microsoft doesn't have a monopoly on browsers. Right now, IE makes up little more than 50% in all the flavors it comes in, with IE7 barely pulling 7% (as of the end of November, the most recent stats I could find).

http://www.w3schools.com/browsers/browsers_stats.a sp

50% is not a monopoly, sorry. And public roads and power companies are VASTLY different, given that the government (be it state, federal, or local) maintains public roads. And do you really want the government to have MORE control over the internet? What about the rest of the world, which the US government has no business policing?

Re:going to have come up with a better way

[aardvarkjoe]

But in most jurisdictions, there are laws about things like libel and slander. I'd think that such laws might be easily used in this case.

You think that it's libel or slander to publish a list of businesses that you think are trustworthy? I challenge you to come up with a single court decision that would support that. I really doubt that you can find one.

Re:going to have come up with a better way

[jc42]

Well, if you google for "business slander libel disparagement" right now, you get just under 40,000 hits. About half seem to be lawyers advertising their services, implying that a lot of lawyers are finding this a lucrative business. Another 1/3 seems to be articles about the laws on the topic. Scattered among them are references to court cases.

Of course, there's a good chance that most of them are settled out of court. But a lot of legal folks seem to take the subject quite seriously.

Re:going to have come up with a better way

[aardvarkjoe]

Yes, I know that libel is illegal, and that people and businesses are sued over it quite frequently. They tend to win the cases rather less frequently, as most nations tend to place a rather large burden of proof on the person who claims to have been libeled. However, I repeat my statement:

You think that it's libel or slander to publish a list of businesses that you think are trustworthy? I challenge you to come up with a single court decision that would support that.

I would like to see any evidence that publishing a list of businesses you think are trustworthy could conceivably be considered libel, not that libel is illegal. Libel is generally considered to be false statements that are presented as fact which harm the reputation of the person or organization being libeled. I really don't see how that could apply, and that's why I would like to see either a court decision or a specific section of the law that would apply.

Yeah, they will.

[FishWithAHammer]

Gartner's a bunch of hacks, sure, but they've got a point. "Green means good" is something that is easily hammered into the heads of the l^Husers who'll be dumb enough to use IE7. Unless they've got a really good reason to buy from a site that isn't "Microsoft Approved," they won't.

I doubt it'll be a huge difference, but it'll be noticeable.

Re:Yeah, they will.

[geekoid]

Green means good is pretty standard. Don't go berating the users for making that jump.

Don't confuse ignorance with stupidity. There is a world of difference.

Re:Yeah, they will.

[FishWithAHammer]

Sure, there's a difference. But many people I've shown Firefox to (yes, anecdotal, but I've heard too many similar reports to discount it) have said "but it's not Internet Explorer, so I don't want it."

Those are the aforementioned lusers, and the ones who I was referring to.

Re:Yeah, they will.

[westlake]

"Green means good" is something that is easily hammered into the heads of the l^Husers who'll be dumb enough to use IE7.

"Green means good" when you are running McAfee SiteAdvisor for Firefox.

The solution for small business will be to market through a strong co-op or an established corporate partner like Amazon or eBay. The benefits are obvious and a phishing filter can't do much more than push things along a little faster.

Re:Yeah, they will.

[John+Hasler]

> The solution for small business will be to market through a strong co-op or
> an established corporate partner like Amazon or eBay. The benefits are obvious

Yes. Control. Amazon and Ebay can suck off most of the profits and prevent the small businesses from growing into competitors.

Re:Yeah, they will.

[McNihil]

I believe the signal for GO is Red in China. Stop is Green... I may be completely wrong here though because I am basing it on an anecdote.

I do know that all their screws are left threaded though.

Re:Yeah, they will.

[1u3hr]

I believe the signal for GO is Red in China. Stop is Green... I may be completely wrong here though because I am basing it on an anecdote.

Yes, you are completely wrong.

I do know that all their screws are left threaded though.

No. Have a look at your hardware stoer. Where are 90% of the products made?

Are you a troll, or just an idiot?

Re:Yeah, they will.

No. In China they just go whatever colour it is as long as it seems convenient (they think they won't die or get caught).

Re:Yeah, they will.

Have a look at your hardware stoer. Where are 90% of the products made?

That has nothing to do with what they actually use in China. For example, they use the metric system, yet still manage to produce imperial/US customary goods for the US market.

I'm not trying to dispute which way their screws are actually threaded, but your reasoning is faulty. I wouldn't go around calling people names if I were you.

Re:Yeah, they will.

[1u3hr]

That has nothing to do with what they actually use in China.

Since many consumer appliances are effectively non-repairable, they use whatever parts are convenient. Have a look at any cheap appaince and you'll find all the screws are RH. And by the way, I LIVE IN CHINA. I've never seen LH threaded anything, except perhaps the usual exceptions like gas pipes and some bicycle parts. Why on earth do you (or the original poster, if that's not you) think LH threads are used here?

Re:Yeah, they will.

[Hooya]

most gauges, tape measures, etc are also made in china. but they have inches on 'em. doesn't mean they use inches/feet in china.

it very well may be that they don't use left threaded screws. but concluding that because they make right threaded screws they must also use right threaded screws is jumping to conclusions.

Re:Yeah, they will.

[1u3hr]

it very well may be that they don't use left threaded screws. but concluding that because they make right threaded screws they must also use right threaded screws is jumping to conclusions.

I live in China. I was trying to think of some evidence you could actually see short of catching a plane. And while a box of loose screws would obviously be made to whatever spec the customer wanted, internal screws for consumer appliances, which is what I meant, not loose screws, would be whatever was available to the factory and cheapest -- having been involved with export, cost is everything. Why would they increase costs by using a different kind of screw that has no inherent benefits? Historically, China's heavy inudstry was based on Russain technology, which in turn was copied mostly from Europe. More recently, Japanese, based on US standards, though fortuantely mostly metricated.

I still fail to understand why anyone would imagine LH screws would be standard in China.

PS. Chinese vaginas aren't sloped sideways either.

Re:Yeah, they will.

[Ilgaz]

There could be people deliberately choosing IE 7 over Firefox or other options, there is no meaning to offend them via calling them dumb.

In fact, that kind of support to Firefox (especially firefox!) makes people not to take it serious especially on corporate use.

BTW, I use Omniweb on OS X, should be called dumb for buying a browser?

Re:Yeah, they will.

[CmdrGravy]

When applied to my tongue green = bad and red = good and that the same for many kinds of meat also.

Re:Yeah, they will.

[d3ac0n]

PS. Chinese vaginas aren't sloped sideways either.

What? Next you'll be telling me that Chinese women only have 2 breasts instead of three. They do? Darn. There go my reasons to visit China. Well, I'm off to the Mars colony instead then!

Re:Yeah, they will.

[McNihil]

OK when I was a kid I used to dissasemble a whole lot of hardware products that was "Made in China" and "Made in Hong Kong" and to my recollection EVERYTHING was backwards and especially the threads. This has "obviously" changed.

The anecdote with Green/Red light I actually got from a native Chinese and could have been a sarcastic remark on how they felt about their country. But I have been in places where political agendas have made far more changes to how things are done than it should be.

Re:Yeah, they will.

[1u3hr]

and to my recollection EVERYTHING was backwards and especially the threads. This has "obviously" changed.

If you recollect correctly, that's interesting. Would like to see it documented though. It certainly isn't the case now.

The anecdote with Green/Red light

A little digging found this note at the NYT: "... the meaning of a red traffic light in China. It means stop. During the Cultural Revolution 30 years ago, an effort was made to change the meaning to ''go,'' but the idea did not take hold."

However, it seems a bit urban legendish to me, I've yet to find any first hand references. If it happeend at all it was very short lived. More likely it was a metaphor that someone took literally.

Re:Yeah, they will.

[FishWithAHammer]

I bought Opera, so I wouldn't say so.

I've yet to see one remotely good reason to use Exploiter, though.

Re:Yeah, they will.

[MeNeXT]

The benefits are obvious

Yes you are right. No benefits at all. There is absolutely no guarantee from Microsoft. Microsoft assumes no responsibility.

This would be so easy to circumvent that I just can't believe how much energy is being place on this. Here is one silly example. Create a page which brings up a popup window without the browsers tool bars, which has the same look and feel as the navigation tool bars of the browser. Display the green bar the same way as seen on a legitimate site. It does not have to be perfect...most people will NOT see the difference. How many times have you seen someone entering URL's in Google/MSN/Yahoo's search. I haven't put much energy in this, just thinking out loud.

We need to first stop this attitude that when you purchase a computer you still don't own it. First and foremost the owner should have absolute control over the system. Pop-ups, pop-under and all that should have been an option for the owner of the system not for a Webmaster. In order to keep this conversation short I'm not going to go into many details.

There needs to be liability if a product does not perform as advertised. The developer, manufacturer, service provider needs to be held accountable. I mean seriously how can you own an SSL certificate without the authorities knowing who you are? Wasn't that what SSL certification was all about or was that just marketing?

Smart enough to notice that green toolbar

[namityadav]

I hope a user smart enough to notice and use the phishing feature of IE, would be smart enough to use Firefox instead

Re:Smart enough to notice that green toolbar

Or perhaps smart enough not to fall for a phishing scam?

Re:Smart enough to notice that green toolbar

[mottie]

it's pretty hard not to notice it. when you start IE7 for the first time it asks you if you want to turn it on, and yes is the default. it's not hidden away in an obscure menu system or anything like that.

extortion

[brenddie]

This feels like extortion. If you dont pay up you wont get any bussiness. I know this shouldnt be but people are dumb and will believe anything. Just wait till we get the "turn-address-bar-green-exploit" and then the fun starts.

Re:extortion

[yagu]

This isn't even a problem of "paying up".... the small one-person companies don't even qualify to get certified for the green status... no amount of money will anoint them. This is where is starts to be unfair.

Re:extortion

Are the small businesses having to pay microsoft for the certification? No, its the certificate authorities like verisign that get paid, ergo not extortion.

Re:extortion

[Kelson]

Are the small businesses having to pay microsoft for the certification? No, its the certificate authorities like verisign that get paid, ergo not extortion.

So if I insist that someone give my friend money, or I'll threaten their ability to do business, it's not extortion because I'm not the one getting paid?

I'll have to remember that one!

Re:extortion

[fire_missionary]

So... if microsoft is the 'lackey' to the verisign, or whoever, who would be the 'boss'

leads me to think that if you 'do a favor' for a mob leader, you are in the right because you are not getting paid for it.

lets take this further... remember WWII? all those german soldiers that were 'just following orders'? hmm... they were in the right.

and further...

If i kill your children because you stole money from my friend, then im free to go because im not getting paid.

i could go further... but then it'd become a tl;dr article.

I love anonymous cowards.

On second thought... im just crazy and id kill your children if you flipped me off... heh. must have brainz

Re:extortion

[McNihil]

Not only is it unfair but it promulgates the thinking that big corporations are more trustworthy than the common man. Yeah right corps are... what a load of....

Oversize Catch

I wonder if Microsoft considers people reselling their old copies of XP and 98 to be phishing?

Or doing anything Microsoft doesn't agree with?

Otherwise there could be a big resale market when Vista comes out?

Given the fact

[gillbates]

That even Microsoft itself has allowed its security certificates to lapse in the past, I don't think this is going to mean much. As soon as the address bar goes white when getting updates from microsoft.com, people will start to ignore it.

Besides, the user sophisticated enough to notice the difference probably won't care - by now, he's already got a set of favorite bargain sites, and when their address bar stays white, he'll just assume they're too cheap to buy the MS cert. After all, how *do* they undercut the competition?

And I'm guessing that most people - if they notice at all - will not be any more cautious. After all, that's what they bought anti-virus for, right? I'd be willing to bet that the average user believes AV software protects them from everything bad that could happen when using a computer.

Re:Given the fact

[Amazing+Quantum+Man]

That even Microsoft itself has allowed its security certificates to lapse in the past

Hell, Microsoft has allowed some of its major domain names to lapse.... hotmail.co.uk and passport.com

Re:Given the fact

[Todd+Knarr]

Actually I think the bigger problem is that Microsoft and Verisign in the past have allowed a completely valid, high-grade signing certificate with Microsoft's own corporate identity to be issued to crackers (see http://www.pcworld.com/article/id,45284-page,1/art icle.html or the more authoritative http://www.microsoft.com/technet/security/bulletin /MS01-017.mspx for details). Note that a class-3 code-signing certificate was one of the more secure grades Verisign issues, it's not their standard e-mail-address-only ones. So how long until the bad guys start getting their own EV-SSL certificates and make the whole scheme not merely useless but advantageous to the phishers?

Countdown

[DrYak]

Countdown to the phisher finding a way to subvert the system and obtain legitimate certs to green-light their scam sites :
4... 3... 2... 1...

Re:Countdown

[RodgerDodger]

Exactly. The only certain effect here is that the scammers will find a way to either create or emulate the green light.

Re:Countdown

[StikyPad]

"A way" already exists, and it's called XSS, or Cross-Site Scripting. It's all a matter of how secure any given "green light" site is, which means the "green light" is borderline worthless, from an anti-phishing standpoint anyway. There are even vulnerabilities which do not require any social engineering, such as a vulnerability in the user reviews section of a business's website, or something similar.

So really, like the padlock "secure" icon (which tells you only that you're on a an encrypted connection, and is meaningless if the target site has been compromised), it's just presenting a false sense of security, while at the same time giving small businesses a small stain on their reputation.

How does the Phishing thing work?

[Jarjarthejedi]

Okay, as someone who doesn't typically use IE7 I honestly have no idea how this thing works, and my tests (going to amazon.com) didn't reveal any green or anything with the phishing thing turned on. I noticed that the article talked about the filter as though a new certificate was required, yet when I looked up how it worked it seemed like the filter actually evaluated each page on the spot and used heuristics to determine if it looked suspicious or not.

Now then I know MS is going to get some major bashings here, because most /. users seem to have that built into their genome, but I wonder if perhaps the article is a bit biased. Does anyone know whether or not a new certificate is required to get a green rating? MS's information seems to say green means IE doesn't think it's phishing, this article seems to say that green means it has a new certificate, who's right?

Re:How does the Phishing thing work?

[Kelson]

Actually there's two issues -- site verification and anti-phishing -- which are getting mashed together because they act on a similar concept (how much can I trust this site?) and display through the color in the address bar.

White is the default state, and says nothing about the site.
Red is when the site matches a blacklist of known phishing sites. (If you have the antiphishing turned on, it will check with MS each time you load a new page.)
Green is when the site uses one of these new SSL certificates which provides additional data and (supposedly) has a tougher approval process in which the certificate authority does an actual background check on the company instead of just making sure they have a working phone number. One hopes a blacklist hit will trump this.

A secure site that uses a standard SSL cert and is not a known phisher will have a white location bar.

Re:How does the Phishing thing work?

[Vengeance_au]

Nice summary of the article (which did drift a bit...) but I wonder where this continued adherance to red = bad green = good comes from? 7-10% of all males are red/green colour blind - red/green on traffic lights is fine, as you have positional information to assist. The URL bar in green or red will look identical to those with colour blindness. And while on the topic, why display the "known phishing" site at all - why not completely block the site and redirect to a guide-to-avoiding phishing, or something? What am I missing???

Re:How does the Phishing thing work?

Pretty much all that you're missing is that whenever there's a state other than the default white, the address bar gets an extra box of alertiness, and the whole page turns into a warning (see here). This happens for certificate errors as well, which definately beats the click-through warnings that most browsers display in such a case.

Re:How does the Phishing thing work?

[Kelson]

Sorry, I forgot to mention that it does block access to a "red" site with an "are you sure you want to visit this?" warning. The initial design of the phishing filter is described on IEBlog. Some details have probably changed since then, but that's the basic way it works in the final version.

Re:How does the Phishing thing work?

[alexo]

I wonder where this continued adherance to red = bad green = good comes from? 7-10% of all males are red/green colour blind

That's OK, since about 4% don't distinguish between good and bad either.

Re:How does the Phishing thing work?

[Lonewolf666]

Red is when the site matches a blacklist of known phishing sites. (If you have the antiphishing turned on, it will check with MS each time you load a new page.)
So if I have antiphishing turned on, Microsoft will get a pretty complete view of my surfing habits?
One more reason to stay with SeaMonkey... as long as I'm still on Windows anyway (give me a WINE that works perfectly, and I'm gone).

damned if they do, damned if they don't

[Darkon]

If you make certificates too easy to obtain then every phisher and his dog will just buy one and create a false impression of legitimacy. If you try too hard to restrict them to bona fide companies then you risk shutting out the mom and pop outfits. What's the answer?

Anyone what approach Firefox takes compared to IE7 here?

Re:damned if they do, damned if they don't

[The-Ixian]

Not being integrated into the OS at a low level is a big plus

Re:damned if they do, damned if they don't

[mrchaotica]

What's the answer?

Don't bother implementing any kind of "anti-phishing" crap and let the buyer be responsible for his own damn self for a change!

Re:damned if they do, damned if they don't

[Kelson]

If you make certificates too easy to obtain then every phisher and his dog will just buy one and create a false impression of legitimacy. If you try too hard to restrict them to bona fide companies then you risk shutting out the mom and pop outfits. What's the answer?

Don't overload the certificate concept. If you make it clear that all an SSL cert means is that no one is listening in on the conversation between your browser and the website (assuming your machine and the server aren't compromised themselves) then the easy cert doesn't create that false impression.

Anyone what approach Firefox takes compared to IE7 here?

AFAIK, Firefox does not treat EV SSL certs differently from normal SSL certs. This may change, particularly if Microsoft can convince end-users that "greenlighting" EV SSL certs is a good thing, at which point people will start complaining about Firefox being insecure because it doesn't turn the address bar green.

Re:damned if they do, damned if they don't

[jt2377]

that's like saying school is not responsible for your kids and yet million of working mom and dad will take the first blow at teachers and the school for their perfect littel angle's fuckup.

you Sir need a nice pie of STFU!

Re:damned if they do, damned if they don't

Maybe the parents should gain a modicum of personal responsibility...

Re:damned if they do, damned if they don't

[Macthorpe]

How about a slice?

In cases where the evidence is obvious, it's a parent's fault if they send their child to a whorehouse instead of a school, and it's also someone's fault if they sent their credit card details to a random scammer instead of an online store. It's up to you to make sure what you are doing is safe and secure before anybody else's. Only after you've done all you can to ensure your safety can you even consider blaming somebody else for your 'fuckup'.

People who blame schools for their unruly kids and the internet for their own stupidity are fools regardless of situation.

Re:damned if they do, damned if they don't

[asylumx]

Yeah that wont get you sued. While we're at it, why not leave prescription medicine and steak knives where three year olds can reach them.

Re:damned if they do, damned if they don't

[mrchaotica]

I'd say exactly the same thing to those incompetant, negligent parents! I'm an equal-oppertunity bastard.

Sole Proprietorship

[mandelbr0t]

The Forum excluded sole proprietorships, general partnerships and individuals because its members couldn't agree on criteria for validating them effectively, something some members said can be difficult.

From TFA, this is the reasoning behind the stocking saleswoman's problems. Now, I tend to disagree that it's difficult to find criteria for validating a Proprietorship, since I've formed one myself. While getting the trade certificate and license to collect tax are easy, obtaining a valid small business bank account is not. I'm thinking that those 3 taken as a whole should be enough information to determine whether the Proprietorship in question exists and is doing legitimate business, at least here in Canada.

I don't think Microsoft screwed up here, incredibly enough. They've released a new product based on standards (of all things!). It doesn't erroneously display this woman's site in yellow or red, and it will correctly display it in green when the forum which determined the new certificate standard makes it available to Proprietorships. The article accuses Microsoft of tilting the online commerce playing field heavily toward big business again, but this isn't really Microsoft's fault. I agree that the new certificate standard should have included everyone from the get-go, but you can't fault Microsoft for building this useful feature on the latest standard.

mandelbr0t

Re:Sole Proprietorship

[John+Hasler]

> While getting the trade certificate...

Not required in the US.

> ...and license to collect tax...

Not every US state has sales tax (and in those that do many goods and services are exempt).

> ...obtaining a valid small business bank account is not.

There is nothing especially special about a "small business bank account" here.

Re:Sole Proprietorship

While getting the trade certificate and license to collect tax are easy, obtaining a valid small business bank account is not.

Funny, I found creating a small business bank account as easy as handing over the minimum deposit. Figuring out all the licenses and tax papers was the confusing part for me.

Re:Sole Proprietorship

Same here. Just bring in your paperwork/reciepts from forming your LLC/LLP/INC/etc., and throw in the minimum deposit (mine was 500$) and your set. Getting the official paperwork was definately harder.

Re:Sole Proprietorship

There is nothing especially special about a "small business bank account" here.

Additionally, there's nothing special about business accounts at all that could be verified "from the outside". A letter of a bank that a given account belongs to a business is easily forged.

Oh ohhh

[maxrate]

I smell class action lawsuit! (for real, I'm not joking!) - this is a BIG deal.

That being said, I really think the SSL authorities should REALLY check out who they are giving certs too.

Re:Oh ohhh

You mean like they have been paid to do, but don't? Certification is just a scam, they make credit card liability max out at $50 for a reason.

Gartner are idiots, so relax

[roca]

Users will quickly learn to ignore the status bar color just like they've learned to ignore all other security warnings (thanks to expired certificates and other false negatives we throw in their face every day).

Re:Gartner are idiots, so relax

False positives, maybe?

Re:Gartner are idiots, so relax

[roca]

Yeah, I guess.

Extortion or opportunity

pay up or form a rival gang to hack the green bar

bonding

[TheSHAD0W]

I agree with Microsoft, actually; it can be difficult to take what looks like a perfectly legitimate business and guarantee that they aren't actually sniffing for your personal information. But only labeling large businesses as "safe" will indeed put serious burdens on smaller companies.

Perhaps Microsoft could allow for companies who wish to "go green" to purchase a certain amount insurance from established bonding companies assuring shoppers that their information won't go awry. Bonding companies know how best to deal with this sort of risk; they would subject their client companies to audits, making sure servers were secure and weren't caching the wrong sort of data.

Spend the extra time and setup your biz correctly!

[Silicon_Knight]

I'm a small businses owner, and guess what, I would have ZERO problems with this "green bar" policy.

Reason? I made damn sure that I'm incorporated as either a limited liability company (L.L.C) (www.3dprints4less.com - not up yet) or a S-corporation (www.seattleprototypes.com).

In this day and age of litigation, there is NO reason why if you're going into businses you should even consider sole proprietarship or general partnership agreement. IANAL, but go pick up any of the Nolo self-help books (recomemnded by lawyer friends) and they make it clear: The LLC and corp status is a bit more paperwork to upkeep, but offers MUCH better protection for the business owners. As a sole proprietarship, you are personally liable - down to your last nickel in your bank account, if your business incurs any liabilities. As a general partnership, you would be personally held liable for not only your business's liabilities, but the action of your partners well (if your partner racks up a debt, skips town, and the creditor have easy access to you - guess who's in the hot seat).

Not to mention, there's huge benifits you can get tax wise, from being a corporation or LLC. Corporate tax rates are a heck of a lot lower for one!

So, Aunt Joy making custom stockings, please, go pick up a self help book and get your business setup properly. This way some slimebag ambulance chaser can't sue you out of the house you're growing old in when some irresponsible parent let their kid chew off a bit of the stocking and the kid chokes on it.

-=- Terence

Hmmmmm

[segedunum]

Sounds like an extortion racket to me. Another day, another Microsoft money making scheme all from the monopoly which Microsoft has on browsers which comes from their desktop OS monopoly.

And Bill Gates said there was no way to make money from security. Kind of lets you know why Microsoft eventually took security seriously.

Green hack

[flyingfsck]

So how long till the first hack that turns IE green?

Doh!

Re:Green hack

[rjdegraaf]

What about a window without an address bar, but with an image which looks like an address bar.

Re:Green hack

You, (sir/ma'am), are a genius...

Re:Green hack

yure givin classfyed infurmashun to terrist hakkars ya commy

Re:Green hack

[bane2571]

Brilliant idea, and it would work great with IE6 but IE7 now forces URLs to show from what I've seen, actually quite a good idea I've never understood why browsers basicly allow users to be shut out of a majority of their control and information.

Well...

[kosmosik]

Well this is quite easy issue. For MSIE that is MS that says what site is OK or no. So there is convicted monopoly laveraging it's monopoly again trying to protect me (and by the way doing their own business with filters).

On the other side is Fx or Opera using third party blacklists (since they do browsers not other stuff like lists).

So the difference between MSIE+MS filters is that both come from the same monopoly. Fx or Opera use third party data (assuming that is not the same benefit for them) for filtering *bad* websites.

Re:Well...

[Xaria]

RTFA - it's not MS issuing the certs. They're merely supporting an existing type of certificate that has increased verification before it is issued. Stop the Microsoft bashing. They've done something right here. Sure, it sucks that small businesses can't get the certificates, but in that case it's the certificate companies they should be suing not Microsoft.

The Subject of my post is

If the bar turns green for Sony, Amazon, Microsoft, LexusNexus, etc., then I know not to trust it. Once you try white, you take another bite.

Re:The Subject of my post is

Once you try white, you take another bite.

That raises another question; Will there be yellow and black bars as well?

Really?

That's how you make your buying decisions? For me when making a purchase I try to make some attempt to understand who I'm dealing with. This doesn't prevent that. It simply gives consumers one more tool. A device to allow them to allocate their attentions with more judiciously. Odds are if I'm dealing with dave53.com/cart.cgi? they've probably got something going on that isn't more convieniently and reliably available elsewhere. Maybe it's a prior relationship that they've carefully cultivated (something small business are very good at). The green-ness or white-ness of IE 7 won't be playing much of a role in my decision to go forward.

A device that automatically recommends people be more aware of who they're dealing with isn't a bad thing so long as it's accurate. It's not like banks serving small businesses can't get into the act offering services to vouch for their clients. The only people this can significantly hurt are business which were doomed to fail in anycase, and scammers. Both groups will probably only be impacted modestly in any event.

Re:Really?

[troll+-1]

The only people this can significantly hurt are business which were doomed to fail in anycase, and scammers.

But doesn't TFA say that many of the people that will be doomed to fail are legitimate businesses like Aunt Joy Christmas stockings? Though Microsoft will claim they're not. She won't be green. She'll lose business. It's small businesses that will hurt.

Re:Really?

TFA says some bullshit. The people looking for Auntie's Christmas stockings don't have anywhere else to go. Presumably they're they're looking for her because they don't want something made in a Chinese prison camp. If the latter was what they wanted they would have gone to Wal*Mart and been back already. No legitimate business which had a chance of succeeding will be materially harmed. No one bought a Christmas stocking from her previously because they mistakenly believed she was a giant multinational conglomerate. In fact doubtless many of her customers were looking for the EXACT opposite. They found in her someone they estimated was worth taking a chance on. What Microsoft's anti-phishing tool does in NO WAY interferes with that. She won't be green, she likely will not be able to estimate how much business she lost with any accuracy or precision. She may claim Microsoft stole her business and count it as "lost sales" in a way very similar the music industry does with "piracy". The only difference is there won't be digital copies of her stockings hiding on people's computers.

When evaluating "trust" the green-ness of IE isn't very primary to the process. This is a problem that has been with man since he started drilling holes in seashells, all Microsoft did was add another tool to give IE users more information about who they're dealing with. It's not particularly specific, but that doesn't preclude it from being a useful method to prompt people to focus their attentions. Consumers with information and choices isn't bad. If her stockings are so expensive, shoddy, ugly, and unreliably available that even a little bit more information in the hands of potential customers is threatening to her business, it was a doomed venture which was wasting people's time anyway.

She reminds me of my insane neighbor who when a tree from her property hit MY house was upset I could find her public tax records on-line. The horrors! I was saved a trip, conspiracy! Saving people time and allowing them to make better considered decision is the very essence of creating wealth.

Re:Really?

[Anonymous+Brave+Guy]

That's how you make your buying decisions?

Personally, no, but it is how a lot of people are likely to make decisions. That's the point.

A device that automatically recommends people be more aware of who they're dealing with isn't a bad thing so long as it's accurate.

Fortunately, our experience with RBLs shows that they never make mistakes, and small businesses never get seriously hurt by them.

It's not like banks serving small businesses can't get into the act offering services to vouch for their clients.

Ah, a good, old-fashioned protection racket. I'm so glad they're still alive and well, even in these high-tech times.

The only people this can significantly hurt are business which were doomed to fail in anycase, and scammers.

Yes, because small businesses are never successful unless they're scammers.

Re:Really?

[max+born]

You claim the article contains bullshit and state:

[N]o one bought a Christmas stocking from her previously because they mistakenly believed she was a giant multinational conglomerate...

yet you offer no reason or evidence and completely fail to support your arguments. How about you tell us why you're right and the WSJ is wrong.

Re:Really?

No one makes decisions like that. No one. Not even people who fall for Nigerian money scams. The only people who imagine people making decisions like that are the idiots who assume they're smarter than everyone. They're not. They're just more practiced at being conceited.

Fortunately this isn't a blacklist of any kind. It's at most a measure of a companies established identity, and participation with Microsoft. Which in and of itself isn't even necessarily a good thing.

As for creating an opportunity for lenders, and bankers to offer services to their clients, yeah it has the potential for a protection racket in the same way free checking does. To say nothing of Chambers of commerce (also protection rackets) and the BBB (a protection racket no doubt).

No, small businesses are successful because they offer something maybe worth paying for. Something maybe worth seeking, something maybe worth finding. Something that maybe withstands the scrutiny of a well considered descision. All this does is give the buyer a little more information, quickly, and effortlessly. If you're against it, you're just against people being able to make better choices with information that's made freely and convienently available to them. Can't get much more fascist than your point of view. By contrast Microsoft is tackling a thorny troublesome problem in a way that is nearly without cost to all but them. A problem that demands addressing. And they're doing it by telling people more about who they think they're dealing with. Not a lot, a little, and with barely any effort on the part of the user.

Re:Really?

[mwvdlee]

The only people this can significantly hurt are business which were doomed to fail in anycase, and scammers.

I have a small business, legally registered, which is a sole proprietorship. Even though my business is legal and even though I'm personally legally responsible for the business I cannot get this green bar.

I can pay the money for it (even though this starts to smell like a scam itself; pay the money for the certificate or you'll be blacklisted) and would if I could, but simply because they haven't defined rules to verify my type of business (which would be easy; My business is registered, has a clean tax-record and I can provide any identification they'd need).

So now MY business will not get on the whitelist because THEY fail to even set the rules by which I could get on the whitelist.

I seriously think MS should hold out on displaying the bars until sufficient rules are in place that allow all legal businesses equal recognition as such.

Re:Really?

[AGMW]

The green-ness or white-ness of IE 7 won't be playing much of a role in my decision to go forward.

I think the problem here is that most internet users are not quite as savvy as you or I, or indeed as the average Slashdot reader, and they almost certainly will look upon GREEN as meaning Good, and not-GREEN as therefore BAD. This is likely to reduce sales to non-GREEN websites and that doesn't seem fair!

The other issue of MicroSnoop also seeing all the websites that are visited is a secondary, and perhaps equally important, issue from the privacy standpoint.

What I'd like to know is who voted for MicroSleuth to be the guardian of all that is right and good on the Internet, and isn't it rather odd that they, of all people, should be undertaking this role!

Re:Really?

[HuguesT]

Re: your sig

> Throughout human history, the greatest threat to life and liberty has been not terrorism, but the power of the state.

I submit the humble personal automobile. Since about 1950, it has killed about 40,000 people a year in the USA alone.

That's more than 10x 9/11 each and every year, and way more than WWII since 1945. Only about 400,000 Americans died in that war.

Terrorism is so overrated.

Re:Really?

[ElleyKitten]

She could also file the paperwork to make her business an S-Corp. My husband and I sell T-Shirts out of our home and we have an S-Corp. Not that hard.

Re:Really?

[asylumx]

Seems to me that Aunt Joy Christmas Stockings would probably go through another checkout service such as google checkout or yahoo's storefronts... or even ebay... I'm just guessing, but I'd imagine all three of those, and any other similar, major transaction services, will have valid certificates.

Re:Really?

[Jtheletter]

The people looking for Auntie's Christmas stockings don't have anywhere else to go. Presumably they're they're looking for her because they don't want something made in a Chinese prison camp. If the latter was what they wanted they would have gone to Wal*Mart and been back already. No legitimate business which had a chance of succeeding will be materially harmed.

It's like you have no grasp of how people use the internet. People didn't jsut sit down and type in "www.auntiesstockings.com", they most likmely went to their search engine of choice and searched for something like 'holiday stockings crafts homemade' and got a bunch of hits for sites with those keywords. Then they see "Auntie's Christmas Stockings" and decide to give the site a try. As soon as they get there however the bar doesn't turn green, so they decide it's not a legitimate business and click Back on the browser and buy from a different site.

The point is not that previous customers are going to suddenly stop trusting a site they've already done business with (although that is a possibility). The point is that new users coming to a site for the first time, who use the IE7 green color as the sole indicator of trust, will immediately distrust the site when they don't see that green. It has nothing to do with the quality of the products or anythign else, no green bar will mean they assume it's a scam.

I agree that giving the user more info is a good thing, but the problem is MS has not provided adequate means for small legitimate businesses to display the same level of 'trust' as a major corporation. MS needs to provide a streamlined and straightforward way for ALL legitimate businesses to properly utilize this extra feature, by not doing that MS is essentially raising an artifical barrier to competition because of the lack of knowledge by the vast majority of the web using public. And the catch-22 is, if Joe Sixpack were savvy enough to properly use the anti-phishing notifications from IE7 then he probably wouldn't need to be protected from phishing/scam sites in the first place.

Re:Really?

Assuming they used google, they would at least look at the site. As all of the previous customers had done. Perhaps many of them investigating it carefully before deciding to buy. The only people who would even plausibly make a decision along the lines, "Green? OK Buy here, who cares about anything else." are the same people who send money to Nigeria, or are victimized by countless other scams. More likely she gets a lot of customers from word of mouth, repeat business, and write-ups in periodicals. Your version of events is simply insane. The prespective customers still had to evaluate the merits of the stockings site before Microsoft's modest attempt to address a real problem, they still have the exact same burden that they always had when considering to do business with them. NOTHING has changed, save the color. Call me when Wal*Mart steals her designs and begins producing them with Malaysian child labor (my guess is next year).

People in general are not drooling idiots. Microsoft doesn't need to provide anything. They chose to attempt to begin to solve a very real problem in their customers lives. Their method, I must confess, I find pretty elegant, should it prove difficult to forge. That it isn't fully complete and bullet proof for world wide deployment and every situation isn't particularly damning. As it is they've laid a new keystone, free, for a new standard of service. A service banks can offer for their customers. A service trade associations, chambers of commerce, and the BBB can likewise offer. Now they might not use the internal API calls, but that's not really important. Hell, google can add something similar into their tool bar. Firefox can get with IBM to build something similar into their widely evangelized browser. Harvard Business school (or any public university) could even produce something that would blowup like Youtube that any monkey could add to a site. Services that help people trust more quickly and wisely. Nothing is ever wrong with that. That the standard in this case might become "free", well that's worthy of a Guiness. What I find so amusing is that the standard for Microsoft is that their solution be a) All encompassing (which is an insane unattainable standard) b) work flawlessly (see a). Anything less than that and they should be sued and sanctioned.

If the WSJ gave such a damn about small businesses (they don't), why is it they aren't championing national healthcare? Healthcare being one of the greatest obsticals to small businesses. Unlike this issue, that actually would prevent many business from going under. But it'd probably do a real number on the stocks of big insurers.

Re:Spend the extra time and setup your biz correct

[Ashtead]

But is Microsoft the right one to enforce this? Even if sole proprietorship or general partnership might be inadvisable, it isn't illegal, and Microsoft or anyone else who is not the government has absolutely no jurisdiction and no mandate to make it so.

Something seems definitely out of bounds here...

Re:Spend the extra time and setup your biz correct

[mOdQuArK!]

So how much are you willing to pay to get your "green" cert from MS?

Phishing sites as third party blacklist?

Can someone please explain why there aren't any third party blacklists to warn about phishing, like there are for spam filters? And if there are, where can we go to find them?

Re:Spend the extra time and setup your biz correct

Well, as long as it works for you, I guess there's no problem.

Heh... watch the MSFT lawyers...

[NotQuiteReal]

as they demonstrate browsing the web with FireFox - Look, your honor, there are not green/white/yellow/red indicators!

DING DING DING

You win the Obvious Outcome Award, congratulations.

The moral of the story....

[mormop]

If you run a small business put a heading saying "Best viewed with Mozilla Firefox or Opera" and put "Get Firefox" and "Get Opera" buttons at the top. You can also add a bit text explaining that while the page will work in IE, it'll be improved by the other two.

You could always add a bit of blurb on how dodgy IE is if you want to rub salt in.

Re:The moral of the story....

[LordEd]

If you're a small business and place Firefox/Opera buttons on your site, you are distracting your customer base from the purpose of visiting your site (buying products and services)

Re:The moral of the story....

[mormop]

If your average, not understand IT user pays attention to MS Anti-Phishing tool you may already have lost them when the address bar stays white.

Real smart!

[BCW2]

Lets not give small businesses a green bar. Of course small business generates 60+% of sales in the U. S. annually, but we don't care if we alienate them. Typical MS attitude. How they got so powerful and remain so clueless amazes me.

Re:Real smart!

[Ucklak]

The small business owners could revert to the old 1997 methodology where they can display a logo "Site works best with Firefox" AND make a buck on the download instead of those older "Works best with IE" logos.

Re:Spend the extra time and setup your biz correct

[Silicon_Knight]

RTFA.

You don't get a "green" cert. You get an EV-SSL, or, Extended Verification SSL. It's not like MS invented something horrible to extort money out of people. FYI, Firefox and Opera implements anti-phishing toolbars as well.

http://www.digicert.com/ev-ssl-certification.htm

And, guess what? cost of the EV-SSL, along with payments to banks, credit card processors, etc... are just a part of the cost of doing business.

-=- Terence

Re:Spend the extra time and setup your biz correct

[NineNine]

Microsoft isn't enforcing, or mandating anything. They're just making best-guess suggestions. At this point, anything like this will only help users. I agree with the parent. If you can't get your shit together enough to form a simple LLC, then I know that I wouldn't spend money with you.

Re:Spend the extra time and setup your biz correct

[pll178]

Have you ever heard of a "close corporation" or "piercing the corporate veil?" Call up one of your lawyer friends and ask them how safe you really are...

Re:Spend the extra time and setup your biz correct

[Dunbal]

Call up one of your lawyer friends and ask them how safe you really are...

      Of course, the Cayman Islands, Jersey and Switzerland help a lot...

Re:Spend the extra time and setup your biz correct

[The+Living+Fractal]

But is Microsoft the right one to enforce this? Even if sole proprietorship or general partnership might be inadvisable, it isn't illegal, and Microsoft or anyone else who is not the government has absolutely no jurisdiction and no mandate to make it so.

Something seems definitely out of bounds here...

What, like the fact that it's a free market and whoever provides the 'safest' service has a leg up? (notice safest is in quotes) Seems pretty normal to me. What exactly is out of bounds about this? And, by out of bounds I hope you literally mean illegal, because everything else is considered in bounds. I personally don't even think it's unethical. It's just business.

And nobody is enforcing the creation of LLCs. Like someone else has said already, plenty of people will come to ignore the green bar altogether. And like another person said, how long do you think it will take for this to get completely hacked to allow phishing sites themselves to be green-bar? If anything, I predict it's a 'feature' that won't last very long. False senses of security are worse than having no sense of security. As soon as word gets out that the green bar was hacked it loses all credibility. You get right back to word-of-mouth and reviews/testimonials from trusted sources to get information about what websites are good and bad and you trust no others. It's that simple.

TLF

Only Microsoft says who is green.

[AHuxley]

In Capitalist West Microsoft talks of treated properly by algorithm. In Soviet Union Helsinki Accords also talks of rights for you!

target non-IE users

[fermion]

If IE is going to put a firm at a competitive disadvantage, the logical thing to do is target non-IE users, and, perhaps, run a non MS shop, that is if MS does not believe you are trustworthy.

Look at the demographics. Who are these non-IE users. Well, many of them are mac users with enough expendable income to buy a mac. Many are *nix users who like do it yourself projects. The independent minded window user cannot be ignored either.

It seems to me that many firms go under because they are all chasing the same market, and certainly the unsophisticated IE user is a good mark that is easily hoodwinked, so who can blame those that wish to separate this pitiful creature from his or her money. But why ignore the 10-30% of the customers that will not be effected by the possibly biased MS certification process? To me, if a firm can get some good cred on the boards, I will order from them even if they do not have the rock lowest price. This is much more valuable to me that the firms ability to pay MS to put a pretty color on IE.

Re:Spend the extra time and setup your biz correct

[Bitsy+Boffin]

Hey mate, the world doesn't end at the US borders. In other parts of the world being a sole trader is common and accepted you need do nothing to "get in business", no forms to fill, nothing to apply for, you just wake up one morning and start "in business". It is a legal structure for a business, why treat it any less legitimately than another.

Why is this unfair?

[raehl]

If you can't get a certificate as a sole proprietorship, INCORPORATE! Problem solved.

Nobody is making anyone run their business as a sole proprietorship. And this day in this sue-happy age, there's plenty of other reasons incorporation is a good idea.

Re:Why is this unfair?

[lordkuri]

Bullshit. Why should I be forced to spend more money when a Sole Proprietorship is JUST AS LEGITIMATE as a Corporation. Matter of fact, a lot of people tend to think that a sole prop. is *more* legitimate, from years of dicking from most major corporations.

Re:Why is this unfair?

[raehl]

Bullshit. Why should I be forced to spend more money when a Sole Proprietorship is JUST AS LEGITIMATE as a Corporation.

Why should I be forced to pay someone to create a website and rent a server when a brick-and-mortar storefront is JUST AS LEGITIMATE as a web storefront?

Fact is, you're not. Nobody is forcing you to spend money to incorporate. But just like if you want to sell on the internet, you need to pay for a website, if you want a certifying authority to certify your identity, then you need to meet the requirements for being certified. Nobody is FORCING you to do it, but if you're not willing to prove your identity by getting incorporated, then the certifying authority isn't willing to certify your identity either.

This isn't about whether a sole proprietorship is JUST AS LEGITIMATE as a corporation, whatever 'just as legitimate' means. It's about having a standard of what it means to have a certified business identity. Corporations have state records about who they are, and who their registered agents are. Sole proprietorships do not. If, as a sole proprietorship, you claim you are "Al's Used Cars", how do I know that you're actually Al's Used Cars? Just because you say you are? What's to prevent some other person from coming along and saying THEY are Al's Used Cars? As a certifying authority, how do I tell which one of you is the real Al's Used Cars and which one of you is full of it?

With Corporations, if someone comes to me and says they are Apple Computer, I can go to the state records office and find out who the registered agent for Apple Computer is and make sure I'm dealing with the real Apple Computer.

Getting a certificate of identity requires having a verifiable identity. As a business, the only way to have a verifiable identity is to incorporate.

So why should you be forced to pay more money? Because if you don't, you don't have a business identity to verify, and thus can't get a green address bar. And you don't deserve one.

Re:Why is this unfair?

[Reverberant]

If you can't get a certificate as a sole proprietorship, INCORPORATE! Problem solved. [...] And this day in this sue-happy age, there's plenty of other reasons incorporation is a good idea.

Sole proprietor here. As someone who has spent a lot of time and energy looking at sole proprietorship vs llc vs s-corp incorporation, let me just mention that (contrary to popular belief) incorporation isn't some magic bullet that completely shields business owners/officers from liability - just ask Ken Lay. Incorporation does help shield business owners from the incompetence/misconduct of other employees. Of course this doesn't matter in one-person companies where (by definition) all the business decisions are made by the business owners.

Incorporation does, in theory, separate business assets from personal assets. However, in our "sue-happy" environment, there is a very easy way to get around this separation: simply sue the business *and* the owner.

There are scenarios when it makes sense to incorporate: lower tax rates (only worth it for six-figure revenues by my calcs), if you have employees, if you have multiple locations, if you're trying to establish a Chinese wall for separate-but-related business, etc.

Incorporating in my case (1-person business) would mean hiring a lawyer and accountant to file the annual state forms, draw up the stock agreement, and file the taxes in return for a few hundred dollars in tax savings and pretty much no liability protection. I found it was much cheaper to buy gen liability and E&O insurance (needed anyway for certain gov't contracts I have), and remain a sole proprietor. I imagine that this is true for hundreds (if not thousands) of other businesses across the US.

Re:Why is this unfair?

[Reverberant]

As a business, the only way to have a verifiable identity is to incorporate.

Not true. Sole proprietorships usually (if not always) require registration with the city/town where located. Small business, DBE and MBE programs can also be used to verify identities - DBE/MBE programs in particular are probably more reliable than incorporation in terms of verification since these programs require site visits by the applicable state agency.

Finally, let's not forget federally-sanctioned groups like Dun & Bradstreet who provide business verification services for all types of businesses.

Re:Why is this unfair?

[symbolic]

Corporations have state records about who they are, and who their registered agents are.

And yet, we still have Enron...which some think was only the tip of the iceberg.

Re:Why is this unfair?

[butlerdi]

Why should people have to incorporate. It is expensive, forces the individual to file tons of papers, report earnings, pay for nominee directors and potentially create double taxation problems. In Germany for example a GMBH also requires around 50,000 euros and still provides limited protection for many years. Same in US and most of Europe in terms of limited protection. This is just unfair and I hope that people reject it as vocally as possible.

Re:Why is this unfair?

[lordkuri]

Corporations have state records about who they are, and who their registered agents are. Sole proprietorships do not.

Evidently you've never actually registered a Sole Proprietorship. You most certainly *do* have to verify your identity, and file forms with a government agency (in Illinois, it's the county clerk's office), and these records are generally just as availiable on a website as corporation's records are. I'll admit that some counties don't have online access to the records yet, but there are some states that don't either.

As a business, the only way to have a verifiable identity is to incorporate.

See above.

Because if you don't, you don't have a business identity to verify

Again, see above.

Re:Why is this unfair?

That might be O.K in the US, where incorporating is as simple as filing some paperwork, but in other countries it doesn't work like that. Here in the UK you'd have to set up a full blown limited liability company, which would require heaps of paperwork and a minimum of six people to form a board of directors who must then meet annually (At a minimum). It's hardly a low cost alternative to sole proprietorship or a partnership.

Re:Why is this unfair?

[ObitMan]

As a business, the only way to have a verifiable identity is to incorporate.

You are so full of shit that it must dribble out your ears.

As a business owner who's been registered with the State of Illinois for the past 15yrs as a Sole Proprietor I can tell you there's plenty of state records verifying that I run a business at my place of business.

If you had said, In my country/state/shithole the only way to have a verifiable identity is to incorporate, you would have come off less of an ass.

Re:Why is this unfair?

here in the UK Sole Proprieters have a 300 year history and gave us many of our best companies over the years, why should MS have the right to deny them a fair income!!!

Re:Why is this unfair?

[vertinox]

If you can't get a certificate as a sole proprietorship, INCORPORATE! Problem solved.

Considering it only takes a few hundred bucks to get an LLC (I've got one for my personal business), who is to say a Phisher can't do the same?

Re:Why is this unfair?

[albanac]

Fact is, you're not. Nobody is forcing you to spend money to incorporate. But just like if you want to sell on the internet, you need to pay for a website, if you want a certifying authority to certify your identity, then you need to meet the requirements for being certified. Nobody is FORCING you to do it, but if you're not willing to prove your identity by getting incorporated, then the certifying authority isn't willing to certify your identity either.

The principle is well-taken, and your example is certainly okay, but there is a real-world interference in the theoretical system here. It's advertising, otherwise known as raising the awareness of the marketplace.

The corporate entities doing this are in business to increase share-holder value, not to recognise the needs of a changing market place. There is no benefit to them in advertising to the public a complex message (ie. one with three variables): it's in their interest to advertise a very simple one: Green is okay, Anything else is an evil black-hat hacker.

People en masse respond to extremely clear, unambiguous saturation advertising (you need only look at the political success of the Republican party, or if you're a student of history look at the epochal presedential debate between JFK and Nixon, and the different ways that was perceived by the radio and the television audiences, to see that this is true and has been for at least two generations now). So in this case, they're going to get exactly that, and it isn't going to deal adequately with the grey areas.

So, in the real world, the kind of consumer who makes up the mass of the online shopping market is going to receive a simple message: Green is good, Other stuff ain't. Which is all very well and good, but it carries an unspoken correlatory message: businesses of above a certain size are good, businesses below that size are not. And that can be argued to be a sub-optimal economic outcome, regardless of political beliefs and opinons of specific companies. In a capitalist, quasi-free market economy, obstructing the availability of supply to demand diminishes the efficiency of the system, and that is sub-optimal.

~cHris

Re:Why is this unfair?

[raehl]

They can prove their identity, but why would you want to prove your identity is 'phishers are us'?

The important part is the phisher can't get a certificate saying they're Bank of America.

Summary makes a flawed assumption, MS another

[Dracos]

millions of Internet users who will soon be running IE7

This depends on millions of new Intel machines being purchased after January 30. Febrary and March are the slowest period of the year for any non-essential item, as people are recovering from their holiday spending binges. Retail box sales of Vista will be all but limited to hard core gamers who want DirectX 10 a year before any games actually take advantage of it.

Ok, so IE7 is available on XP if you have SP2 installed. Still not staggering market share if you ask me.

The typical user doesn't notice anything above the top of the page, including the address bar, which is why there's an anti-phishing toolbar in the first place. They'll only notice the color change the first time it happens because a semi-helpful, condescending dialog box will pop up, which the user will check the "do not display again" box, click OK, and continue on their oblivious way without having read the actual message. After that, they'll probably never realize that it changes colors, and if they do, they'll momentarily wonder why, and continue on their merry way.

If something is routinely ignored, it's not useful because it's not being used. This is just one more thing that users will ignore while they submit their credit card info to http://amazon.com.hahawepwnyou.com/ to buy the latest American Idol greatest hits CD.

MS is widely considered to overdo it with the handholding of Windows users, making everything seem cozy and easy, and then they go and implement this toolbar which only gives the illusion of security, in the hopes that the ignorant masses they've created will pay attention to it.

Not gonna happen. Phishing will continue until people learn to use the Internet, jsut like spam will continue until SMTP is replaced.

Re:Summary makes a flawed assumption, MS another

[MojoStan]

Subject: Summary makes a flawed assumption, MS another

millions of Internet users who will soon be running IE7

I don't think this is a flawed assumption (that millions will soon be using IE7). It seems like an obvious assumption, to me.

This depends on millions of new Intel machines being purchased after January 30. Febrary and March are the slowest period of the year for any non-essential item, as people are recovering from their holiday spending binges. Retail box sales of Vista will be all but limited to hard core gamers who want DirectX 10 a year before any games actually take advantage of it.

Are you assuming that Microsoft's Express Upgrade program, which has been in effect since October 26, will not have a significant effect on Vista installations after January 30? The vast majority of new Windows PCs sold today come with a coupon for free, very cheap, or reduced-price upgrades to Vista. Sure, some coupon owners won't bother to upgrade, but I assume a huge portion of those holiday buyers will upgrade to Vista soon and use the preinstalled IE7.

Ok, so IE7 is available on XP if you have SP2 installed. Still not staggering market share if you ask me.

Even if you don't count Vista users, I assume that Service Pack 2 is installed on a significant majority of Windows XP PCs (anybody have links to stats?). SP2 was released in August 2004, added to the "high-priority" section of Windows Update soon after, and included on all OEM/retail copies of XP soon after. Haven't "millions" of new PCs been sold (with XP2 preinstalled) in the last two years?

Internet Explorer 7 was released in late October 2006 and added to the "high-priority" section of Windows Update in November. W3Schools's Browser Statistics show IE7 with 2.5% in September (when it was still in beta), 3.1% in October, and 7.1% in November (IE6: 49.9%, Firefox: 29.9%).

Despite IE6's flaws, it still has 49.9%. Despite IE7's current flaws (which you commented on), I'd bet my right thumb that millions will be using IE7 by March.

Re:Summary makes a flawed assumption, MS another

"...Phishing will continue until people learn to use the Internet, jsut like spam will continue until SMTP is replaced..."

I thought what you were saying sounded intelligent until I read this line..

how much for green does MS get?

[wardk]

so is this going to be a new profit center?

One thing to say to Microsoft

[Todd+Knarr]

Only one response needed: http://www.microsoft.com/technet/security/bulletin /MS01-017.mspx

This was a class-3 code-signing certificate from Verisign, giving all the correct details for Microsoft but the request was coming from a bunch of crackers. How long, then, until the phishers figure out how to get EV-SSL certificates of their own?

Re:Spend the extra time and setup your biz correct

[Marxist+Hacker+42]

As a sole proprietarship, you are personally liable - down to your last nickel in your bank account, if your business incurs any liabilities.

As a sole proprietor, shouldn't you have enough control over your business to guard against this? And shouldn't you be moral enough to *want* to actually pay your liabilities when you do something wrong?

I've never understood why society allows LLCs and S-corporations to begin with- seems like a huge opportunity for con artists to take advantage of everybody else.

What happens when this is cracked?

[mark-t]

And we know that it's only a matter of time...

And the clincher is that the longer it takes to crack, the worse the ramifications are going to be when it happens.

The Haiku people did this

[alex_guy_CA]

I remember a few years ago, this company licensed a Haiku to put in the email headers. If the Haiku was there, you were automatically white listed in various spam filters. If you used the Haiku without paying the licensed, you could be sued not for spam, but for copyright infringement. I wonder if they still exist. Anyway, small businesses were priced out of the system. If you weren't sending 1,000,000 emails a month, don't bother calling them because you can't afford it. It seemed like such a stupid way to do business in an internet age. I'd pay .05 to make sure an email made it to a client. Oh well.

Re:The Haiku people did this

[Phroggy]

You may be thinking of Habeas.

Small Business

[nurb432]

Is just in the way. what better way to kill them off then FUD them into bankruptcy.

I feel a great disturbance in the force...

[Etherwalk]

> There are about 20.6 million sole proprietorships and general partnerships in the U.S...

As if millions of small businesses owners suddenly cried out for their lawyers.

There's another problem here

[wbean]

We have a Web site where we process orders for other companies. The pages are customized to our customers' look and feel and the credit cards are process against their accounts but all of the transactions take place on our server and use our certificate.

We have no problem getting the new certificates but what company name should appear in the bar? If we put our own name in, we will consfuse the end users who have never heard of us. If we want to use our customers company name, then they each have to get their own certificate and we have to assign separate IP addresses to each of our customers - at the moement we only need one IP.

What a nuisance.

Re:There's another problem here

[Basehart]

"We have no problem getting the new certificates but what company name should appear in the bar?"

As small business owner faced with having to go through all sorts of shit setting up a corp to merely appear nice and trustworthy like a big company such as Enron, I'd quite happily forefeit my fancy logo in favor of your generic "Acme Online Stores message bar.

As for Microsoft, I wish they'd just go away.

Re:There's another problem here

then they each have to get their own certificate and we have to assign separate IP addresses to each of our customers

Here's to hoping that we get an HTTP 2.0 with TLS support, and soon! Then, browsers can request a domain, and begin processing the request for that domain with the encryption certificate appropriate to that domain, and everyone is happy!

Re:There's another problem here

We have a Web site where we process orders for other companies. The pages are customized to our customers' look and feel and the credit cards are process against their accounts but all of the transactions take place on our server and use our certificate.

We have no problem getting the new certificates but what company name should appear in the bar? If we put our own name in, we will consfuse the end users who have never heard of us. If we want to use our customers company name, then they each have to get their own certificate and we have to assign separate IP addresses to each of our customers - at the moement we only need one IP.

But you have the exact same problem already. If the transactions take place on your server and use your certificate, then your server name appears in the address bar, not the customer's name.

Re:Spend the extra time and setup your biz correct

And, guess what? cost of the EV-SSL, along with payments to banks, credit card processors, etc... are just a part of the cost of doing business.

And so we're back to "Nice site you have there, it'd be a shame if we told everyone who visited it you were a scammer." Of course, back when it was the mafia that charged to make sure nothing terrible happened, it was "just a part of the cost of doing business" too.

Have any other artificial barriers to business you'd like to construct while we're at it?

Re:Spend the extra time and setup your biz correct

[CosmeticLobotamy]

So, Aunt Joy making custom stockings, please, go pick up a self help book and get your business setup properly.

I'm sure Aunt Joy would love to, as would I, but neither of us can absorb the $500 filing fee. Stockings just ain't that profitable.

Re:Spend the extra time and setup your biz correct

[Nimey]

Taxes are a reason not to incorporate, at least in my state. A former boss incorporated for self-protection and the need to pay taxes quarterly nearly drove him under, since the computer-repair business can be rather seasonal.

CSS

In other news, Microsoft announced new extentions to CSS which will, according to a company spokeman, allow site owners to enhance the user experience by customising the appearance of the IE7 web browser. "We want site owners to be able to make the browser match the site. For example, webmasters could cause the scroll bars to be a nice yellow or the address bar could be made green."

Re:Spend the extra time and setup your biz correct

[iminplaya]

With all the frivolous litigation going on, about the only way to effectively and economically guard against it is to move offshore.

Re:Spend the extra time and setup your biz correct

[Draknor]

As a sole proprietor, shouldn't you have enough control over your business to guard against this? And shouldn't you be moral enough to *want* to actually pay your liabilities when you do something wrong?

It's just a legal framework -- and no, you can never have "enough control" to guard against this. In a sole proprietorship, you are not legally distinct from your business, so any liabilities against the business can be taken out of your personal accounts. Assuming you are a legitimate business owner trying to make a profit (not just a shell corporation trying to avoid taxes), your biggest risk (I'm guessing) is from frivolous lawsuits. Somebody slips on the sidewalk in front of your storefront and sues your business for gajillion dollars. Assuming they win & your business can't pay up, it comes out of your personal savings account (or other assets). It's the same reason people carry umbrella liability insurance -- because we can't guard against the stupidity & greed of other people.

Re:Spend the extra time and setup your biz correct

[Marxist+Hacker+42]

With all the frivolous litigation going on, about the only way to effectively and economically guard against it is to move offshore.

While I understand the basic concept- the frivolous litigation wouldn't be anything like what it is if businesses operated morally to begin with.

Re:Spend the extra time and setup your biz correct

[Marxist+Hacker+42]

It's just a legal framework -- and no, you can never have "enough control" to guard against this. In a sole proprietorship, you are not legally distinct from your business, so any liabilities against the business can be taken out of your personal accounts. Assuming you are a legitimate business owner trying to make a profit (not just a shell corporation trying to avoid taxes), your biggest risk (I'm guessing) is from frivolous lawsuits.

The reason frivolous lawsuits exist is because business owners attempt to skimp out on their responsibilities to begin with. If you acted morally towards the people coming on to your property there'd be no grounds for a lawsuit.

Somebody slips on the sidewalk in front of your storefront and sues your business for gajillion dollars.

At which point you take pictures of the salt you put down, and there's no way they can win in court. Decided to take a larger profit and forgo putting salt down? Well, that was YOUR mistake.

Assuming they win & your business can't pay up, it comes out of your personal savings account (or other assets).

As well it should, if you were guilty. That's called REPENTANCE for those of us who believe in forgiveness.

It's the same reason people carry umbrella liability insurance -- because we can't guard against the stupidity & greed of other people.

So why not just carry standard property owner liability insurance and be done with it?

Safari

Hey, where's the anti-phishing notification for Safari? Apple certainly does not care about their user base!

Colorblind people?

[McNihil]

How about all color blind people? How will they perceive it? White is more clear than gray. Microsoft didn't think of that did they? Ok so maybe one can change the color that will be displayed.

BUT!

Placing meaning to color is VERY bad.

Re:Colorblind people?

Microsoft did think of that: http://blogs.msdn.com/ie/archive/2005/11/21/495507 .aspx
Did you not look into it?

"# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers
Monday, November 21, 2005 8:26 PM by zz
what's user xp for people who are color blind?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers
Monday, November 21, 2005 8:33 PM by ieblog
Each state is accompanied by both text and appropriate icons. The state can be read without a need to see the color.

- Al Billings [MSFT] (who is mildly colorblind) "

as a Sole Proprietorship who takes CC payments

[FatherBash]

this doesn't bother me in slightest. Why? My payments are processed through a third party, customers will be redirected for payment processing to my merchant service, where the flag will promptly turn green. Frankly, I don't see how much this will do to prevent fraud. I don't sell goods, but allow customers to pay for my services online, and I can't anticipate them ever seeing white. An e-commerce vendor who did sell goods would simply establish a relationship with a larger eligible company and inform the customer that they will follow a link to complete the transaction at which point their phishing alert will go from white to green.

This will make simply generate a market for LLC's (read that LIMITED LIABILITY) who can act as clearinghouses for smaller businesses and also...yes, for would be phishers

Re:Spend the extra time and setup your biz correct

[iminplaya]

Well, unfortunately, morality isn't very profitable these days. So don't hold your breath waiting for that to happen. The customers are every bit as corrupt as the businesses they buy from, and they're just as corrupt as the politicians they vote for.

Re:Spend the extra time and setup your biz correct

[greenbird]

In this day and age of litigation, there is NO reason why if you're going into businses you should even consider sole proprietarship or general partnership agreement. IANAL, but go pick up any of the Nolo self-help books (recomemnded by lawyer friends) and they make it clear:

Actually up until 2007, at least in Texas, Nolo and your lawyer friends would have been wrong. In Texas the best way was to form was a Limited Partnership with a LLC as the General Partner. In a Limited Partnership only the General Partner is liable but the owners of the LLC's personal assets are protected. The benefit was that up until 2007 a partnership didn't have to pay any franchise taxes at all. You run all your business through the partnership and pay most out through disbursements while using the LLC for insurance and other things you need a corporation for.

But after years of threatening they finally closed the hole buy eliminating the franchise tax and instituted a tax that's applicable to partnerships.

Using an external payment website is better

Small business should avoid to collect directly credit card information on their web site since they can't buy and manage the needed security measures to handle hackers.

Solution is to link the shopping cart with an external payment system like PayPal.

Re:Spend the extra time and setup your biz correct

[myowntrueself]

because we can't guard against the stupidity & greed of other people.

In the case of the USA, isn't this what the 2nd amendment is supposed to be for? You know, the right to keep and bear arms...

Re:Spend the extra time and setup your biz correct

If you ever want to take outside investment, you may want to consider C-corp instead. It'll save you a lot of hassle later.

Let me get this straight

[Tim+C]

It's late, and I just got back from drinking a lot of wine at my office Christmas party, so maybe I'm missing something, but bear with me and point it out politely, but as I see it we have the following:

1) MS do nothing about phishing, and are lambasted about a lack of security, not addressing the problem, etc

2) MS do something about phishing, and are lambasted about making it harder for unknown/sole traders to set up "trusted" websites

Do I have that right? MS do nothing, get slated, do something, get slated from the other direction? I mean, I hate M$ as much as the next frothing at the mouth Linux fanboi, but this really does strike me as a "can't win" situation for them...

Re:Let me get this straight

The point that you are missing is that there are any number of different ways that M$ could have realized this feature. For instance, as another poster pointed out, Firefox and Opera use a 3rd party to handle blacklisting. There are more than two ways to look at a picture. M$ just chose the route that offered them the greatest control over their users -- the very business practice that people 'lambaste' them for and the one that you don't seem to understand.

Re:Let me get this straight

[drsmithy]

Do I have that right? MS do nothing, get slated, do something, get slated from the other direction?

Yes.

"Welcome to Slashdot, you must be new here."

its the GOVERNMENTs job

[bussdriver]

To run a business in the usa, you file with the secretary of state of your state plus file for a federal employer ID. You do about as much for that as a Cert authorities(CA) has you do.

1. SSL certs are signed by the US government for all biz with an EID
2. SSL certs are signed (again) by the States the corp is in
3. SSL certs (again; optionally) are signed by a 3rd party that is payed to go further than the government to ensure you are legit
4. Governments make incorporation requirements on par with a typical cert authority. My state is at least as good as a CA.

Benefits:

• Cert authorities(CA) can not extort money from us to avoid a little warning dialog
• CAs will have to do more since the gov does the basics
• Browsers can highlight government backed certs (little flag icons or green?)
• Consumers know governments more than they do some CA
• Government has reasonable information on the corp owners
• Consumers know the corp has to file taxes on regular basis (can't be totally fake)
• Consumers know what country or state the corp is involved with, allows them the freedom to support local business
• Costs little in taxes, much of the stuff is there on their computers already, they can offer the whole thing for free as part of the incorporation process.
• Digital certs are more secure than a paper document from the secretary of state
• Makes it easy to find the corp as well as file complaints with the secretary of state which incorporates them
• CAs are forced to improve their services, no need to regulate them

This is well within government bounds, which legally defines corporations, LLC, LLP (partnership,) regulates them, and taxes them. This would be a cheap additional business service that would ultimately protect citizens (which is a fundamental reason for government.)
Perhaps the government learns and uses digital certs on legal documents like birth certificates? (nah, that would be too smart...BTW, I could fake my birth certificate with a copy machine)

Re:its the GOVERNMENTs job

[b0s0z0ku]

To run a business in the usa, you file with the secretary of state of your state plus file for a federal employer ID. You do about as much for that as a Cert authorities(CA) has you do.

In most states, provided you don't have an actual storefront, you don't need to file anything to be a sole proprietorship. The only thing you may need to file in states that have sales tax (not all do!) is an app. for license to collect sales tax. All that takes is a valid address and possibly an SSN#, at least in NY state. I'd feel better if the governments were issuing certificates to actual *people* (with a valid SSN#) rather than corps. The owner of the cert. would be responsible for abuses, and the fee should not exceed some nominal value ($25?).

-b.

So what

[thorkyl]

I use Firefox

Irony

[The+Clockwork+Troll]

The irony of all this, is that the only companies allowed to be deemed "trustworthy" are the corporate entities whose employees are shielded from personal liability.

Re:Spend the extra time and setup your biz correct

[b0s0z0ku]

n this day and age of litigation, there is NO reason why if you're going into businses you should even consider sole proprietarship or general partnership agreement.

Registering as a corporation costs time and money. If you're just starting out, you may not have either to spare. Even $500 can be a big deal for some people, especially those who are young and in transition. Why should be impose one more artificial barrier to the success of the little guy?

That being said, I see a possible service in small business web hosting. For an extra $5/month, offer "green" certificates after talking to the business owner and looking at their site to see if it's legit.

-b.

I can't wait

[plopez]

for the security exploit that allows random phishing sites to turn the tool bar green.

Or worse, turns a legit site red, and then suggest a bogus site to visit instead.

Considering the MS security history, this is very plausible.

Re:Spend the extra time and setup your biz correct

[b0s0z0ku]

In other parts of the world being a sole trader is common and accepted you need do nothing to "get in business", no forms to fill, nothing to apply for, you just wake up one morning and start "in business".

BTDT, in the US. No big deal. The only forms I needed to fill out were tax returns and a sales tax license that allowed me to collect NY State sales tax on sales.

-b.

Re:Spend the extra time and setup your biz correct

[Copid]

The reason frivolous lawsuits exist is because business owners attempt to skimp out on their responsibilities to begin with. If you acted morally towards the people coming on to your property there'd be no grounds for a lawsuit.

I think that you and the rest of us are using different working definitions for the word "frivolous."

Re:Spend the extra time and setup your biz correct

[Copid]

And, guess what? cost of the EV-SSL, along with payments to banks, credit card processors, etc... are just a part of the cost of doing business.

Well, they're a cost that provides no tangible service or benefit. So they're more like an artificial and arbitrary barrier to entry whereby we transfer extra money to Verisign for... well... because Verisign deserves our money more than we do. If the only "benefit" a product provides is to protect you from the negative side effects of that product's existence, it's not really a product. It's more like extortion.

A little More Info from Thawte

[bobdown2001]

This info was taken from here.

Unincorporated partnerships, associations, sole proprietorships and individuals are currently not eligible for Extended Validation Certificates; however, this limitation will be addressed in the next major revision of the standard.

So this means that they are only locked out in the first version of the standard, and it's likely to change in the future.

Re:A little More Info from Thawte

[topham]

Which makes even less sense.

"We recognize you have a legitimate business interest and we acknowledge that we are going to make semi-knowledgable customers of yours reluctant to buy from you, for now. But after we've demonstrated to you that your business will fail without our certificates we'll consider selling them to you for a substantial profit."

You are totally backwards.

[raehl]

the small one-person companies don't even qualify to get certified for the green status

Did you even read the article?

Small, one-person COMPANIES DO qualify, as long as they are incorporated!

It's PROPRIETORSHIPS that don't qualify.

See the difference?

Whether you can get a certificate or not has NOTHING TO DO WITH THE SIZE OF YOUR COMPANY!

This does not harm small business. It may harm unincorporated business. As I already suggested, the solution to this is to take an hour and incorporate.

Forcing FF on someone is just as bad as forcing IE

Users favorite deal sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox to purchase anything from the site. They can also have a continue anyways button and store a cookie to not display the message again. That way when there is no green bar the users will know it is because they are not using an approved browser. If it were the other way around, and a site was lying to it's users to get them to use IE, we would see such action as despicable. But because it's against the evil MS it's OK? Any decent site will not deceive their users like that, nor will they force a browser on them. Isn't that going against everything that open source stands for - free choice and openness?

What's the big problem with phishing?

[b0s0z0ku]

I've bought plenty of stuff online, and I've never been burned. For sites that look dodgy, just transfer the payment through PayPal or something of the sort so your CC# isn't given out directly to the company. Only buy stuff on a credit card with a limit - they can't charge more than the limit to the card without the bank closing the card and notifying you. As far as phishing e-mails go, check the frickin' URL before you give out your data. If you're too stupid to do that and/or respond to e-mails that are obviously written in Engrish, then I'm surprised you aren't too stupid to keep breathing. Sheesh!

BTW, keep in mind that plenty of the dodgier brick-and-mortar stores can gank your CC # as well. And if you've made purchases in 50 stores in the last month, no one's gonna know which store was responsible for it.

-b. -b.

Re:What's the big problem with phishing?

[dbcad7]

Well, with most credit cards, your pretty protected against fraudulent charges as it is, but that's pretty good advice.

I also have a rule I follow.. I don't buy anything from any site that I can't get in contact with, by phone, email, and snail mail.. I want all three.. My thought is that if they can't trust me with that information, I can't trust them with my money.

Re:What's the big problem with phishing?

[b0s0z0ku]

Well, with most credit cards, your pretty protected against fraudulent charges as it is, but that's pretty good advice

By "with a limit", I meant a CC that's not attached to a bank account, like a CheckCard. With a CheckCard, dishonest people could conceivably bleed your account dry and then some. If you had $20k on account, that would suck. Painfully.

-b.

You mean the Little Lock isn't OK?

[JoeCommodore]

I read an article in a local newspaper (some real small-town techie column) warning holiday shoppers to make sure whatever site you go to has a "little lock" (or https addres) to ensure that the site is secure.

I figure some people will belive the green bar just as much. Maybe thinking that other browsers are not as secure becoause they don't have a color bar like IE does.

Small Business Can't Afford These Anyway

[miller60]

VeriSign is charging $1,299 a year for extended validation certificates, and I wonder how many small businesses would be willing to fork over that amount for the benefits of EV SSL. Other certificate authorities will eventually offer these as well, and charge less.

Several CAs, including Digicert, are seeking to have the standard revised to include small businesses. I don't believe the CA/Browser Forum has finalized the standard yet, as there were some holdouts last I checked.

can anyone provide me with working examples?

[netnerd.caffinated]

i can't seem to get any e-commerce sites (including mircosoft's) to get a 'green bar' i have anti-phishing turned on. can anyone provide working examples?

Re:Spend the extra time and setup your biz correct

[dcollins]

"IANAL, but go pick up any of the Nolo self-help books (recomemnded by lawyer friends) and they make it clear: The LLC and corp status is a bit more paperwork to upkeep, but offers MUCH better protection for the business owners."

I'll take you up on that, since I just happen to have Nolo's "Music Law: How to Run Your Band's Business (4th Ed.)", right here on my desk. On page 2/2 I find this:

"By default, most bands qualify as partnerships - an informal business entity that's easy to form and manage. Since your band is likely to be a partnership, most of this chapter is geared towards creating a band partnership agreement (a 'BPA')."

Huh, how about that.

Just use a green 3rd party for checkout?

[insomniac8400]

Would something like google checkout or yahoo stores be the perfect solution? As long as it goes green when it comes time to enter financial information, I doubt anyone would care. I think microsoft is smart to not allow every little business to handle their own financial transactions. These are the stores where credit theft probably comes from.

Re:Spend the extra time and setup your biz correct

[drsmithy]

While I understand the basic concept- the frivolous litigation wouldn't be anything like what it is if businesses operated morally to begin with.

Of course it would. Frivolous lawsuits have zero to do with how businesses operate and everything to do with individuals' greed.

Re:Forcing FF on someone is just as bad as forcing

[Korin43]

If Firefox had a warning every time you looked at for-profit websites and refuse to accept fancy overpriced certificates, people would be doing the same thing with another browser.

Re:Spend the extra time and setup your biz correct

[hexmem]

$500 filing fee? Where are you at? In Utah it only costs $52 per LLC or Inc.

Re:Spend the extra time and setup your biz correct

[hexmem]

Yes I have. And after doing my own research, I'd still rather incorporate then be a sole proprietor.

And you obviously have no idea what a "close corporation" is. Here's a link: http://www.nolo.com/definition.cfm/Term/8E1B6E0E-A D70-4EFF-A3BF3EF03E96D60A/alpha/C/

"Piercing the Corporate Veil" is not as easy as you imply. Don't mix your personal and business funds and treat your business like a business and not your "alter ego" and the person suing you won't be able to get to you personally.
http://www.expertlaw.com/library/business/corporat e_veil.html

Re: Free Referral System!!

[TaoPhoenix]

In the name of our country's movement towards Terror Marketing, they have built themselves a free referral network!

Coming Soon: Microsoft Stockings (MS).

  "We want to give Christmas Media Users the widest holiday content experience. Children can download passcodes from our site that let them log into the scales built into their stockings. Thus, if they ask for a new PlayStationSure-Mini, which weighs 19.7 ounces, and their stocking only weighs 13.5 ounces, they will receive an early warning that their wishes were not met.

A Microsoft spokesman has said, "We want to embrace the holiday experience, and extend our goodwill towards all non-windows users. Since children clearly did not want the products from other manufacturers in their stockings, children are being given an early opportunity to confront their parents before the packaging is destroyed."

Re: National Mood

[TaoPhoenix]

Anyone else see any resemblance to the general opinion of the internet 1.0 model about Christmas 1999? "22 year old CEO's" and so on. "Stocks to reach 15,000" "The age of unlimited progress!"

Then it all caved. It took something approaching 5 years to repair. Is that MS desktop monopoly STILL on complete and utter automatic pilot? Can Microsoft one day just say "ho hum, we're not even going to bother to make another OS ever again"?

Or can the illusion shatter in a tidal wave across the company if sufficient reports of complete disasters come in from Vista? I changed my sig to reflet my new direction. Where I go, someone has to follow.

from the GNU-inspired-wonder-child-speaks dept.

[chemaja]

Pre-RTFA, this articile passes the "Holy Jesus and Mohammad, Microsoft really IS fucking evil!" test...

Organized Crime

[Nazlfrag]

All this "protection" in IE7 is there to try and limit which software you run. If they don't 'protect' you from their competitors who will? The Mafia? Triads?

Re: National Mood

I changed my sig to... ...a two-word sentence fragment that's grammatically incorrect. You missed a comma there, bubby.

Re: Sigs

[TaoPhoenix]

After floating Sig V2.00 out to the general FOSS Community, it was determined that a comma was missing. Sig 2.01 is the result, which still makes this the direction I am going.

You'll still need IE installed

so even though FF or whatever is safer than IE, you'll have TWO web browsers to keep up to date. Even if that's only one exploit (or a local exploit) for FF, you could get hosed because a non-critical (doesn't access other MS programs) IE error is also there.

Install Vista and it should work for you

http://www.verisign.com/ssl/buy-ssl-certificates/e xtended-validation-pro-ssl-certificates/index.html

EV SSL FAQ

[giafly]

Let's cast some light on this. How it will work (including screenshots)

See Appendix F of Verisign Certification Practice (PDF). I think the fuss is about the following statement "Verisign verifies that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated)". Possibly people have mis-read "e.g" as "i.e".

BTW, does anyone else keep reading the name of this technology as "EVIL SSL"? No? Just me then.

Truly, Slashdot is hilarious

I love Slashdot I really do. Nowhere else do you get such a combination of highly-opinionated yet spectacularly ignorant people. Except perhaps Fox News. Let's get some facts on the table here.

1. This is not a Microsoft initiative
2. This is about the Extended Validation Certificate programme which involves a large number of organisations, most of whom are CAs.
3. The EVC is the initiative of the CA/Browser Forumhttp://www.cabforum.org/
4. The point of EVC is to raise the game of the CAs in terms of actually checking who has bought an SSL certificate from them, which is what should have been the case when SSL was invented but which market forces ensured did not happen.
5. This is not just about IE7. Firefox, Opera and other browsers will also process EVCs and many may use the green bar. IE7 is likely to be the first browser to use them, but it will not be the last.

A teeny tiny bit of research by any half-normal human would have revealed the above. But nooooo, this is /. where a$$hole opinions are the only condition of entry.

As a case in point I just loved killjoe's "contribution", where he admitted hacking someone else's PC to get a crappy unsigned app running on it. If some moron did that to my PC he would get a screwdriver in the eyes.

Oh great, they want more protection money

[rumplet]

It is bad enough that IE 7 gives such dire warnings when a certificate isn't signed.
I can live with the firefox warning, and if IE didn't exist I probably wouldn't bother getting signed,
you could ask customers to either trust your company, or not.

Not an option anymore since IE 7 gives them a full page "OMG HaX0rs in teh y0u Brow3zers". That is going to put off most IE users straight away.

Thanks Microsoft. We need to get customers used to the new definition of trust. Yes, that's right folks, trust CAN be bought.

Don't worry

[rootnl]

Slashdot has got a lot of green bars, safest place on the internet. Just the IT section is a bit brownish.

Another sole-proprietor who can't afford a EV SSL

[sherriw]

I have a small sole proprietorship in Canda, and this is going to be a huge problem for me. I only do a few thousand dollars of sales per year (I have a day job), so paying for one of the 'green' certificates is WAY out of my budget. In addition my clients have ecomm websites and no money for these certs.

Now what? If I'm using a shared certificate is it going to show as yellow or red for me? This doesn't only apply to ecomm sites but also sites with a secure area like a user admin.

What a big pisser on the little guy. I don't quite understand why it is Microsoft's problem to protect the idots who don't realize they are at amason.com instead of amazon.com or whatever. Microsoft is not responsible for phishing and the hazards of the internet. Cars don't prevent me from exceeding the speed limit.

Really... what IS wrong with the 3rd party lists of known phishing sites? Why does MS have to do things in a completely idiotic pain in the ass way every time? Thanks for crapping on the little guy. I guess I'll ratchet up my get Firefox, burn IE campaign. Damn it.

Most of all, this just makes me frustrated and upset. I won't be using IE7 or developing websites for it. Screw them.

Re:Spend the extra time and setup your biz correct

[sherriw]

And the $1000 needed for the EV SSL cert might be a quarter of her yearly sales... so, not it's not that simple.

Why is this relevant?

[bl8n8r]

Every time I see an article like this, it reminds of the small child that burns his hand on the stove, cries, and then tries it again 5 minutes later. If you don't like the way Microsoft is making the consumer bend to their will, STOP using their products. If you're foolish enough to be supporting Microsoft's marketing tactics by buying and using their products, there is nothing anyone can do to help you. If you value choice and alternative, you should start thinking about where your future choices are going to come from in the next few years. It's really going to be interesting when Microsoft's DRM is in full swing and everyone's word DOCs are locked up in some format that Microsoft itself can't even get right, and it will be illegal to try and figure out a solution.

Pish posh we know where this crossbranding goes

[gelfling]

There will be 40-50 megawebsites who proudly call themselves MS Antiphishing Certified. They'll have a little logo. It's all a crossbranding strategy. And everyone else will happily stumble along as they do today.

Let's see the likely candidates:

Wal*Mart
Target
Amazon
Barnes and Noble
Petsmart
Victoria's Secret
Abercrombie and Fitch
Dell
and so on.....

None of the financial companies will go for this nor will TicketMaster, etc.

Microsoft responds to my email

[sherriw]

A while a go I emailed MS about the warning that pops up for shared certificates. They don't mention the address bar coloring, but since we're on the topic, here's what they said:
---------
[ME]--

The problem with "shared" SSL certificates is that they're pretty much "useless" to begin with. Certificates are issued to map a real-world site owner to a hostname and a private key used when communicating with that hostname. When the hostname doesn't match the website, there's no reason for the user to believe that certificate is presenting the private key of the site owner.

All modern browsers warn the user of this discrepancy, and in the face of one-click attack toolkits which intercept and resign SSL connections, IE7's Certificate Error page was designed to inform the users of the significant risks they face when interacting with such sites.

There are a number of options to correctly use SSL, ranging from purchasing individual certificates (available for as little as $18/year), wildcard certificates (e.g. using a *.example.com certificate to secure shopa.example.com & shopb.example.com) or using a shared server with a single hostname and corresponding digital certificate (partnersales.onlinemall.com).

Best wishes,

Eric Lawrence
Program Manager
Internet Explorer Trust & Networking

-----Original Message-----
From: [me]
Sent: Friday, October 20, 2006 5:27 AM
To: IE External Feedback
Subject: IE7 effectively makes shared ssl certificates useless.

Hello,

Many of my clients own ecommerce sites that barely earn only a small profit. They
cannot afford personal ssl certificates for their websites. My hosting
provider, like many others provides a shared certificate that can be used.
However, IE7 is now going to present a big, intimidating warning page that
effectively scares visitors away from a site. Even though a shared cert
provides just as much encryption protetection for their credit card data.

IE6 presents a less-frightening dialog box warning that the domain of the
site does not match the domain of the cert. This was fine. But, now with the
IE7 warning page, I can forsee that most visitors will be scared away.

On behalf of the many thousands of ecommerce site operators that use shared
certificates because it's all we can afford, I strongly believe that many website owners
will want or need you to replace the big scary warning page with a dialog box warning or
perhaps a banner at the top of the page. I also ask you to include in your
warning, a clear statement that certificates that do not match the domain,
or do not come from a certifying authority, do still provide encryption
protection of credit card and sensitive data. Perhaps a big warning is more
appropriate for sites that ask for credit card data but do not use any SSL
encryption.

I'm sure that Thawte and Verisign are seeing $$s at this IE7 "feature".

~[me]

Phishing feature clouding the real issue

[0x537461746943]

The phishing thing is just tacked on to cloud the issue. The real issue is that the big cert authorities are upset at the cheap certificate companies cropping up and cutting into their huge profit margins so they invent a super duper secure server certificate so that they can make everyone think that actually means something and keep the other certificate authorities out of the picture. It is just a reason to charge more money and businesses will have to purchase the new certificates or risk being non-green (that is just wrong in so many ways). It is all a scam... The idea that some super verified certificate makes sites more secure is rediculous. Even if you use a cheap $15 cert or this expensive version really doesn't matter... Security layers are defined my the business not by some magical certificate. That is the way I see it anyway. The color should only reflect phishing status.

even Amazon doesn't get a green bar...

I'm using IE7 running on windows 2003 server, loading https://www.amazon.com/ and it only gets a white bar.

Did Amazon not pay the MS tax?

I'll see your Countdown...

[bill_mcgonigle]

and raise you another.... until they offer Microsoft Stores with Microsoft Payments as a way to get greenlisted.

Now why do they call it a greenlist, hmmm....

Re:Spend the extra time and setup your biz correct

[Marxist+Hacker+42]

I think that you and the rest of us are using different working definitions for the word "frivolous."

I'm using the definition that http://www.stellaawards.com/ uses. A case where, if both parties were acting reasonably, could easily be settled out of court instead of wasting taxpayer money to try the case. 9 times out of 10 the businesses do indeed win such cases- but if they had acted MORALLY instead of PROFITABLY in the same situation, then no lawyer in the world would have filed a lawsuit to begin with. These lawsuits get filed because there is a 10% chance of actual wrongdoing on the part of the business- if there were no chance of wining, there'd be no settlement to take legal fees out of.

Wanna Bet

[baggins2001]

I bet that if you run your web server on a MS platform with licensing purchased from MS you can get the cert no matter what.

They can do this and people will use it. The only thing we can do is try to figure out an alternative or a better mouse trap

The incorporation requirement...

[WebCowboy]

...makes me wonder what business outside the US have to do to hold a valid certificate to get the "green light"

Incorporating in my case (1-person business) would mean hiring a lawyer and accountant to file the annual state forms, draw up the stock agreement, and file the taxes in return for a few hundred dollars in tax savings and pretty much no liability protection.

In my case there wasn't much difference either way in terms of operating expenses or tax advantages--it was all a wash, but I incorporated anyways because I figured it put me in a better position should my revenues grow or I was to hire full-time employees.

Anyways, I incorporated in Canada and doing so did NOT require me to hire a lawyer OR an accountant (though you can certainly do so if you want the help--it often is a good idea especially if you are already an established sole proprietor or partnership). The annual corporate return is no more complicated than my personal income taxes (and is actually simpler than my personal taxes have been in some years)--and I've always done my own taxes. Did you really NEED a lawyer and accountant to incorporate a 1-person business in your state or is the paperwork really that complex? I thought the US had LESS red tape than Canada--guess that is a bit of a stereotype. The incorporation forms can be bought at a registry office where I'm at and filing an annual return is the same cost as renewing the registration of your personal vehicle (IIRC--all of these things are done at "authorised registry agencies" where I live--there is no separate "DMV" and you go to the same place to file corporate returns, register vehicles, get drivers licences and ID, marriage licenses, etc).

My first impression was like the grandparent post--basically "it's a bit of a pain in the arse, but not a REAL big deal, so just incorporate and you'll be fine". Well, then I read some of the replies here and really READ the effin' article. It looks like in many foreign countries it is a much bigger hassle and large expense to incorporate (1000s of euros? need a board of 5 directors or more? Seems like overkill bureaucracy to me...). Then in the article they talk about LLCs and S and C and other American-only oddities. These corporate structures/terminologies do not apply in Canada. We have provincial and federal incorporation and different tax rates based on the size/income of the corporation (there is not need to be a special type of corporation to get a lower small-business tax rate). However, Canada also has co-operatives covered under the incorporation act as legal entities distinct from normal corporations that have no exact analogue to a type of corporation in the US. Canadian business trusts are also different than those in the US (Canadian business trusts are more like the way they were in the US when Standard Oil used them as a vehicle to propel themselves to monopoly status--though the taxation advantages are being phased out over the next few years which will bring their status more into line with how they are treated in the US).

Anyways, the unique Canadian situation means that some VERY big, established and/or well-regarded businesses are NOT actually corporations (or LLCs or whatever else) as described in the article. Do these businesses have to establish corporations to get the enhanced certificates? Are these certificates only available from Microsoft (it says these are based on a standard devised by an 18-member consortium so maybe not)? To foreign businesses have to incorporate in the US? THAT would be quite a higher hurdle for smaller, foreign businesses with an established online presence in foreign markets.

I think it'll take awhile to sort out--longer than it will to even see Vista and IE7 to become prominent. So, for a long time all users will see are white bars, with a smattering of yellow and red alerts, and a few green bars--mostly on Microsoft sites or close MS affiliates, or REALLY major sites like ebay or Amazon. So, no I don't think users are stupid enou

Re:Spend the extra time and setup your biz correct

[Marxist+Hacker+42]

Of course it would. Frivolous lawsuits have zero to do with how businesses operate and everything to do with individuals' greed.

Not entirely- 10% of so-called frivolous lawsuits actually have enough merit to win large awards. The reason they win such awards is because the business did something wrong- there was indeed forseeable harm. Because of that one-in-ten chance, the free market dictates that other gamblers will take the chance- and will find lawyers who will support them. But when a business takes OBVIOUS measures, such as salting icy sidewalks and putting up stupid signs like "Wildlife exists in outdoor malls", then there's no chance of winning a lawsuit, and thus, one never gets filed.

And Firefox doen't recognizing homemaid SSL certs

[I'm+Don+Giovanni]

To those of you calling for class action lawsuits against MS, try this on for size:
If I put up my own online shopping site, with a homebrewed SSL certificate, Firefox will put up a message box to the user warning that my site's SSL certificate isn't authorized by a recognized certificate authority (e.g. Verisign) (because the root cert isn't installed on the local computer). Should I then be able to sue Firefox for not treating my site the same that it does for shopping sites with SSL certs authorized by recognized authorities?

Not the first MS harmful to small business...

[Tarinth]

Not a big surprise from a company that regularly deletes and/or misdirects about 20% of legitimate email to Junk Mail folders on Live/MSN/Hotmail (the worst in the email industry), and tells you that you need to have huge volume before they'll correct problems like sending a personal reply to a customer that never seems to arrive. Their half-baked reliance on technologies like SPF, or demands that companies obtain Sender Score Certification (which will be turned down for any but the most massive email senders) is just the tip of the iceberg.

I don't think anyone would disagree that anti-spam and anti-phishing technologies are a good thing, but Microsoft seems content to wage a scorched-earth battle over the backs of small businesses and startup websites while they tweak the technology.

Anti-Phishing is just one concern online

[WeeBit]

I don't see this Anti-Phishing as the only thing a user online should be concerned about. I believe if MS just handles this one area, many will fall victim to the many other type scams online. The SiteAdvisor is the one addon for browsers that I have been endorcing for some time now. They do more than accept a little pay, etc and clear your name. They offer the service to all users, and they also are not biased of any type website online. As long as you pass their test of users, and your content passes inspection you then get the green. This test is performed many times, not just one time.

The other thing that bothers me, is that websites come and go on a regular basis. If MS gives a website the green light do they have a protection in place in case the domain is dropped, and a person manages to pick up that domain and use it to their advantage?

I also feel that MS plan is biased against a lot of legit businesses online. Their new tool proves it. I think their idea sucks.

She won't be hurt.

[Slashdot+Parent]

I doubt she'll be hurt. I own 3 small businesses. Most of my friends also own businesses. I don't know anybody who is rushing out to pay for one of these "make yourself green" certificates. Hell, I hear people grousing all the time about how much ordinary, no-human-intervention-required SSL certs cost. In small business, every dollar counts (why do you think Auntie Treestocking isn't even incorporated? Because that costs money), and did you look at how much these EV certs cost?

They cost $1299.00 per year. How much profit do you really think Pippy Longstocking is making from her little business? Look at her site. She does sales through via phone, a shared-SSL ecommerce package, and an eBay store. In other words, she didn't even spring for her own $20 SSL cert. Do you really think she's going to drop $1300 just so she can be "green"? Why not just direct all visitors to her eBay store? You know that they're going to be green.

Seriously, I don't think many small businesses are going to be hurt by this.

I call BS

[Slashdot+Parent]

I have a small business, legally registered, which is a sole proprietorship. Even though my business is legal and even though I'm personally legally responsible for the business I cannot get this green bar.

I'm not impressed. Did you even look at how much these certs cost? They cost $1300.00 per year.

If you are so eager to pay $1300/yr for an SSL cert, certainly you can handle the $60/yr to have a real, incorporated business.

Re:I call BS

[mwvdlee]

If you are so eager to pay $1300/yr for an SSL cert, certainly you can handle the $60/yr to have a real, incorporated business.

By "real" you mean one that is no longer under my full control and that requires me to spend a shitload of money on all kinds of taxation, procedural and legal matters which I don't need to do now?

Re:I call BS

[Slashdot+Parent]

I think you greatly overestimate the amount of effort that goes into maintaining an S corp or a single member LLC. Also, of course the corporation is under your full control. Who else's control would it be under?

Re:Spend the extra time and setup your biz correct

[Lost+Engineer]

The reason frivolous lawsuits exist is because business owners attempt to skimp out on their responsibilities to begin with. If you acted morally towards the people coming on to your property there'd be no grounds for a lawsuit. See definition of frivolous.

At which point you take pictures of the salt you put down, and there's no way they can win in court. Decided to take a larger profit and forgo putting salt down? Well, that was YOUR mistake. How is the sidewalk in front of a business the responsibility of its (the business's) owner? He doesn't own it.

As well it should, if you were guilty. Why are we mixing liability with morals here? Not every tort is a sin. Are you a lawyer?

So why not just carry standard property owner liability insurance and be done with it? Good call.

Yeah, whatever

[Slashdot+Parent]

Are you trying to tell me that she can't afford the $60/yr to have a real, incorporated business, but she's just chomping at the bit to shell out $1300.00 per year just to be "green"?

Yeah, whatever.

Re:Spend the extra time and setup your biz correct

[Slashdot+Parent]

Unless you commit fraud or don't maintain adequate insurance.

Incorporating is not a license to screw people with immunity.

Re:Spend the extra time and setup your biz correct

[Marxist+Hacker+42]

See definition of frivolous.

See definition of Propaganda.

How is the sidewalk in front of a business the responsibility of its (the business's) owner? He doesn't own it.

Actually, your property line runs right out to the center of the street. The city has used the law of eminent domain to create a right of way- but in many cases you're responsible for maintainance of that right of way.

Why are we mixing liability with morals here? Not every tort is a sin. Are you a lawyer?

Worse, I'm a Catholic. Anything that harms the relationship between individuals in a community is a sin. Torts definately fall into that category. So I'll admit to using a different defintion of SIN than most would. It's part of my problem with the whole idea of capitalism in the end- profit cannot be separated from corruption very easily, and in some cases, simply can't be separated at all.

Dogmatic Whitelisting

[Sloppy]

I have no problem with whitelisting, but you have to think about who is doing it. Whose judgement are you really deferring to?

Someone the user didn't select, that's who. Someone pretty fucking mysterious and unaccountable, actually.

X.509 needs to go away. Build the cert system upon an OpenPGP web of trust, and a visible trust-meter actually turns into a pretty good idea, since it will actually mean something. Present information to the user, instead of arbitrarily-derived noise.

Green means good? NO! Green means GO!

You see a hottie flash her green underwear or green dyed bush and you don't mak eyour move, well they have programs that will get you the skills to bag gropceries and tie your shoes.

WHITE means good! For example. When the Lone Ranger says, 'That was might white of the redskin' he is telling us that the red indian did something mighty GOOD.

Things me be different on Mars. DOOD! Get a CLUE! This is EARTH and when on Earth you best do what the earthhlings do.

GREEN = GO
WHITE = GOOD

Anyone with a guestbook should be worried.

[nixkuroi]

I have a site online that has a guestbook and that page was flagged a phishing risk by IE7 beta. I wrote the email address that IE gave and that site was cleared in a couple days...Problem was, I was using that guestbook code in 8 other sites, all personal or small biz. This is a feature that might need to be pulled until it can be tested a little more against non-corporate sites.

Re:Spend the extra time and setup your biz correct

[cdrguru]

The whole idea behind the legal system today is it is a way for a small percentage of people to get very, very rich without working hard at all.

Taking the sidewalk example, if the business does not put salt or other material down, some cities give you a pass because snow is an "act of God". However, someone that slips can still sue in spite of this because a jury may be swayed by it being clearly negligence.

So you put salt down. Now it is no longer an act of God but your own fault if someone slips. They can sue because you put salt down and it was like walking on marbles. Any smart lawyer is going to be able to at least get a sizable settlement out of that.

If you are injured or can fake an injury and go to some quack that will write it up as a permanent disability, you have hit the jackpot. You can get government assistance which can then be used to sway the jury that you are permanently disabled. The business in question will want to settle quickly because they don't need the publicity. Imagine a WalMart with a truck out in front with a sign saying how this person can never work again because of heartless and cruel WalMart. They will pay plently to keep that from happening.

I don't see any morality or responsibility here. The whole concept is that today there are plenty of people that feel entitled to take whatever they can get. And there are lawyers and insurance companies that are ready to help them out. And, the people that serve on juries want to help out their fellow man and step on those evil corporations.

The odds today are significantly better than the lottery. You need a business that can't afford to fight or can't afford to take the publicity. Or, an insurance company that knows what the fraud is worth vs. what settlement can be done. It is cheaper just to settle than fight even when the settlement is $300,000.

So, have you thought about playing the insurance lottery today? Trust me, people in your neighborhood have and about the only way to be safe from this is either (a) plenty of insurance or (b) zero assets.

Re:Spend the extra time and setup your biz correct

[Marxist+Hacker+42]

So, have you thought about playing the insurance lottery today? Trust me, people in your neighborhood have and about the only way to be safe from this is either (a) plenty of insurance or (b) zero assets.

I do both. I keep my assets low, and my insurance high.

SSL Certificates...

[Julz]

And I thought this was the whole point behind SSL Certificates and Seals of Approval? If only the "Web of Trust" had spread like the viruses, scams, spam and other nasties on the net.

Re:Spend the extra time and setup your biz correct

[Lost+Engineer]

Are you saying that the idea of a frivolous lawsuit is a myth or that governmentally or politically affiliated persons file them as disinformation?

I should clarify that I can envision a lawsuit as described above as being winnable. It's not an entirely frivolous suit either, as it would likely achieve the end of forcing the business owner to put down the sand in the first place. I do find it an unfair lawsuit, as failing to place sand does not rise to the level of negligence, unless there's a law stating that all business owners must salt the sidewalk when it snows.

Guilt is not legally the same as liability. Liability does not imply moral culpability. Perhaps if civil courts were run by the Vatican, then this would be true from your perspective. I agree with you on the wrongness of harming community relationships. Fighting a lawsuit harms both the plaintiff and the defendant, and rarely are these settled in a way that leaves amicable relationships intact. What communities need is a bit more forgiveness, and a lot less incentive for lawyers and plaintiffs to file lawsuits except as a last resort.

Re:Spend the extra time and setup your biz correct

[Marxist+Hacker+42]

Are you saying that the idea of a frivolous lawsuit is a myth or that governmentally or politically affiliated persons file them as disinformation?

Both. Frivolous lawsuits are rarely either frivolous or actually about the lawsuit- what they're really about is damaged communities.

I should clarify that I can envision a lawsuit as described above as being winnable. It's not an entirely frivolous suit either, as it would likely achieve the end of forcing the business owner to put down the sand in the first place. I do find it an unfair lawsuit, as failing to place sand does not rise to the level of negligence, unless there's a law stating that all business owners must salt the sidewalk when it snows.

I took it as such enough that as a homeowner, I always salt the sidewalk in front of my house when it is icy/snowy. Why should a business follow different rules than a homeowner?

Guilt is not legally the same as liability. Liability does not imply moral culpability. Perhaps if civil courts were run by the Vatican, then this would be true from your perspective. I agree with you on the wrongness of harming community relationships. Fighting a lawsuit harms both the plaintiff and the defendant, and rarely are these settled in a way that leaves amicable relationships intact. What communities need is a bit more forgiveness, and a lot less incentive for lawyers and plaintiffs to file lawsuits except as a last resort.

Totally agreed there. Which leads to one of my journals- on guilt not being permanent.

That's ridiculous

[Killer+Koala]

So what if they get the green light? A simple - "Report this website" click just wipes it out.

Firefox uses anti-phishing too

[Killer+Koala]

Sure, switch to Firefox, it solves all of life's problems. Riiight.... You do realize they have an anti-phishing tool as well? You can choose from an unknown Firefox blacklist or Google's anti-phishing blacklist. You won't save yourself any trouble.

Simple answer to that

[Killer+Koala]

Unlike Firefox, IE7 allows you to report any website on the internet you think is a forgery. Go pay for your certificate, just takes a few people to turn that address to yellow then to red.

Firefox is a downgrade

[Killer+Koala]

Don't kid yourself. Firefox still has no support for ActiveX and ASP and therefore can never be a replacement browser for IE. It's still that nice 'alternative' browser for those users not looking at easily upgrading software on their computer.