Slashdot Mirror


Small Businesses Worry About MS Anti-Phishing

prostoalex writes "Ever get that warm feeling of safety, when the anti-phishing toolbar on Microsoft Internet Explorer 7 turns green, telling you it's safe to shop on the site you're visiting? Well, you probably don't, but the millions of Internet users who will soon be running IE7 probably will be paying attention to the anti-phishing warnings. WSJ.com is reporting on how Microsoft is making it tough for small businesses to assure they're treated properly by the anti-phishing algorithm." From the article: "[S]ole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color. There are about 20.6 million sole proprietorships and general partnerships in the U.S... though it isn't clear how many are engaged in e-commerce... 'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud. 'All the business is going to go to the greens, it's kind of obvious.'"

59 of 291 comments

  1. WTF? Phising and certs are different issues. by Whiney+Mac+Fanboy · · Score: 5, Insightful

    'Are people going to trust the green more than white? Yes, they will,' says Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud.

    WTF? Shouldn't that read:

    'Are people going to notice the green or than white? No, they wont,' says WMF, an analyst at slashdot Inc. and an expert on stupid punditry.

    On a slightly different note, I think the submitter has gotten the new expensive secure certs gold-rush/scam confused with the anti-phishing tech. Not surprising 'cause the article melds them together in a rather confusing manner.

    --
    There are shills on slashdot. Apparently, I'm one of them.
    1. Re:WTF? Phising and certs are different issues. by WilliamSChips · · Score: 4, Funny

      You even used bad grammar and spelling, like a Slashdot editor!

      --
      Please, for the good of Humanity, vote Obama.
    2. Re:WTF? Phising and certs are different issues. by Anonymous Coward · · Score: 5, Informative

      I think any comment about IE7's anti-phishing system should note that it sends every website you visit to Microsoft. If you care even an iota about the privacy of your web browsing, you should choose "no" when IE7 asks you to enable its invasive anti-phishing system.

    3. Re:WTF? Phising and certs are different issues. by thinkliberty · · Score: 5, Insightful

      This can also work 2 ways.

      Users favorite deal sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox to purchase anything from the site. They can also have a continue anyways button and store a cookie to not display the message again. That way when there is no green bar the users will know it is because they are not using an approved browser.

      YAY for Microsoft, let them shoot themselves in the foot.

    4. Re:WTF? Phising and certs are different issues. by ShieldW0lf · · Score: 5, Insightful

      Now there is a tangible commercial interest in creating phishing sites.

      Huge corporations that quietly invest money in polluting the internet with phishing sites that create an environment where "white = tangibly untrustworthy" will see returns on their investment because this exists.

      There was a business model in polluting the P2P networks so they become inefficient services. Then there were businesses that did it. Now there is a new business model. What comes next, you think?

      --
      -1 Uncomfortable Truth
    5. Re:WTF? Phising and certs are different issues. by tacocat · · Score: 3, Insightful

      I think you completely missed the point.

      It's a great business model.

      If you want to buy stuff from the InterWeb thingy you want to buy from the GREEN because everyone else is EVIL.

      If you want to get more business sent your way, you have to purchase the certificates to go GREEN or else you lose money.

      So if the businesses buy in to this green craze then it starts to feed into a cyclic frenzy of cornering the purchasing power of the consumers. And everyone pays Microsoft. And that makes it a great business model.

      But we all know that Microsoft is pretty much regarded as a joke by more and more people every day. Just not enough quite yet.

    6. Re:WTF? Phising and certs are different issues. by Anonymous Coward · · Score: 2, Informative

      Oh, quit whining about your perceived double standard. Just as many people here on Slashdot were upset when Google started doing this, so you really can't claim any particular bias against MS in this case. Sorry.

    7. Re:WTF? Phising and certs are different issues. by killjoe · · Score: 5, Insightful

      Today I was trying to use an SSH Java applet to connect to a server in IE7. IE7 refused to run the applet because it did not recognize the signature. I added the site to my trusted sites list but it still refused to load it. I went into advanced settings and told it to install unsigned ActiveX controls but it still wouldn't do it. After struggling for a little while longer I installed Firefox (this was not my computer) and ran the applet I needed to run. Installing Firefox and then installing Java took less time than my struggles trying to get IE7 to load an open-sourced applet.

      All this "protection" in IE7 is there to try and limit which software you run. MS has decided that before they can beat open source they need to winnow the list of companies that deal with it and this is a good first step to do that with. If this same applet was signed by novell I am sure it would run in IE.

      --
      evil is as evil does
    8. Re:WTF? Phising and certs are different issues. by seeker6182000 · · Score: 2, Insightful

      Time to take off the tinfoil hat, sonny. If IE7 still sent out URLs visited after you told it not to, the lawyers would have a field day, and MS would have a huge PR problem. I am sure this was checked and double checked numerous times to make sure that it didn't happen.

    9. Re:WTF? Phising and certs are different issues. by Julian352 · · Score: 2, Informative

      There is no way in IE7 to remove the URL bar from the window. Even a window with no other UI elements must show the URL to prevent such attacks. (Or other phishing problems.)

    10. Re:WTF? Phising and certs are different issues. by dnc253 · · Score: 2, Insightful

      Didn't you know that Microsoft always knows better than you what is safe and what you want to do?

    11. Re:WTF? Phising and certs are different issues. by marcello_dl · · Score: 2, Interesting

      ...sites can display an error message to IE7 users that tells them their browser is defective and that in order for them to keep prices low, they will need to upgrade their web browser to Firefox... Good idea, but I'd say not "defective", but "deliberately denying small businesses the status of legitimate web sites". That's the truth.
      BTW, what if somebody got certified somehow, and then hosted a portal for businesses he trusts, giving them the green light? I guess the certification contract explicitly forbids that in the first 10 lines of the agreement :)
      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    12. Re:WTF? Phising and certs are different issues. by jasen666 · · Score: 3, Interesting

      No, IE will not even pass the applet to the JVM if it does not pass the certification test. AND, the same JVM will run the applet just fine in Firefox.
      Nice try though.

    13. Re:WTF? Phising and certs are different issues. by Casualposter · · Score: 2, Insightful

      A few words: "Class Action Lawsuit" Microsoft as a monopoly is adversely labeling businesses because they don't pay for a certificate and they can do this only because they are a monopoly. And if microsoft is doing this to fight phishing, where is the liability if that protection does not work? I'm sure someone will figure out how to get a green bar without a certificate and a phishing they will go. Meanwhile, the legitimate small business gets labeled "untrustworthy" by Microsoft software. Now THAT is ironic.

      --
      Creative Spelling Copyright (2002). May use without Persimmons
  2. going to have come up with a better way by yagu · · Score: 4, Interesting

    Microsoft may think they've solved a problem and maybe they have, but this could be creating a bigger problem, though as usual it'll be no skin off of Microsoft's nose.

    Microsoft's stance (FTA):

    Microsoft says green shouldn't be considered a seal of approval, but rather a sign that the site owner is a legitimate business.

    It may not be formal logic (all farmers wear overalls, therefore if I wear overalls.... (hint: I am not a farmer)), but most internet users are going to make the simple logical leap and assume that not "green" implies not legitimate.

    It's easy for Microsoft to skate... they don't live the existence of normal business - it's a shame they have so much input into what others' business rules look like. This probably isn't fair. There has to be a legitimate way to become legitimate.

    1. Re:going to have come up with a better way by coolgeek · · Score: 5, Insightful

      I think there will be an obstruction of trade class action suit filed against Microsoft for this.

      --

      cat /dev/null >sig
    2. Re:going to have come up with a better way by tonywong · · Score: 3, Interesting

      So Microsoft has decided that whitelisting companies is a good idea, and everyone else is to be lumped into a greylist and blacklist area? No wonder the individuals in the grey zone are peeved, the association with blacklist websites alone will tank sales.

    3. Re:going to have come up with a better way by calciphus · · Score: 2, Insightful

      What makes you think you can sue MS? You can't sue Google (successfully) just because your page gets blocked by them, even though they are arguably obstructing trade on your site. You can't sue VeriSign for not giving you a free certificate, even though some people won't shop at non-VeriSign secured sites.

      Really, I'd hope people don't sue for this. If your sole source of income relies on a system you can't control, then you have a bad business model, plain and simple. Be it Google, or Microsoft, or VeriSign.

      Plus...do you really want to make it EASIER to phish? That's just more junk mail in your inbox, because it'll continue to work.

    4. Re:going to have come up with a better way by tinkertim · · Score: 2, Insightful

      >> Get over it.

      I'm fully over it, actually never found myself under it :) I have an all Penguin company. But I must continue to whine relentlessly over things that I have absolutely no control over .. to do otherwise would be , well, boring.

      It's still a low down dirty market grab, putting themselves quietly in a position of authority they have no business assuming, any way you cut it. We can debate the roots of a definition, but the fact remains that this is going to cost some mom and pops a few conversions.

      That's sad.

    5. Re:going to have come up with a better way by jc42 · · Score: 2, Insightful

      Microsoft's scope is anywhere that they see a need and people are willing to pay for. If I choose to believe that Microsoft's whitelist really represents reputable sites, I should be allowed to do so.

      Sure, you're free to believe whatever you like. But in most jurisdictions, there are laws about things like libel and slander. I'd think that such laws might be easily used in this case.

      If I were to start up my own business that published ratings of other businesses' honesty based on whether they've paid me for a rating, I'd be in court real fast. In some jurisdictions, I might be in jail, too.

      It'll be interesting to see whether Microsoft is powerful enough to get away with such public libel without any punishment.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  3. Smart enough to notice that green toolbar by namityadav · · Score: 4, Insightful

    I hope a user smart enough to notice and use the phishing feature of IE, would be smart enough to use Firefox instead

  4. Given the fact by gillbates · · Score: 2, Insightful

    That even Microsoft itself has allowed its security certificates to lapse in the past, I don't think this is going to mean much. As soon as the address bar goes white when getting updates from microsoft.com, people will start to ignore it.

    Besides, the user sophisticated enough to notice the difference probably won't care - by now, he's already got a set of favorite bargain sites, and when their address bar stays white, he'll just assume they're too cheap to buy the MS cert. After all, how *do* they undercut the competition?

    And I'm guessing that most people - if they notice at all - will not be any more cautious. After all, that's what they bought anti-virus for, right? I'd be willing to bet that the average user believes AV software protects them from everything bad that could happen when using a computer.

    --
    The society for a thought-free internet welcomes you.
    1. Re:Given the fact by Todd+Knarr · · Score: 2, Interesting

      Actually I think the bigger problem is that Microsoft and Verisign in the past have allowed a completely valid, high-grade signing certificate with Microsoft's own corporate identity to be issued to crackers (see http://www.pcworld.com/article/id,45284-page,1/article.html or the more authoritative http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx for details). Note that a class-3 code-signing certificate was one of the more secure grades Verisign issues, it's not their standard e-mail-address-only ones. So how long until the bad guys start getting their own EV-SSL certificates and make the whole scheme not merely useless but advantageous to the phishers?

  5. Countdown by DrYak · · Score: 4, Insightful

    Countdown to the phisher finding a way to subvert the system and obtain legitimate certs to green-light their scam sites :
    4... 3... 2... 1...

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Countdown by StikyPad · · Score: 2, Interesting

      "A way" already exists, and it's called XSS, or Cross-Site Scripting. It's all a matter of how secure any given "green light" site is, which means the "green light" is borderline worthless, from an anti-phishing standpoint anyway. There are even vulnerabilities which do not require any social engineering, such as a vulnerability in the user reviews section of a business's website, or something similar.

      So really, like the padlock "secure" icon (which tells you only that you're on a an encrypted connection, and is meaningless if the target site has been compromised), it's just presenting a false sense of security, while at the same time giving small businesses a small stain on their reputation.

  6. Re:extortion by yagu · · Score: 4, Insightful

    This isn't even a problem of "paying up".... the small one-person companies don't even qualify to get certified for the green status... no amount of money will anoint them. This is where it starts to be unfair.

  7. damned if they do, damned if they don't by Darkon · · Score: 2, Insightful

    If you make certificates too easy to obtain then every phisher and his dog will just buy one and create a false impression of legitimacy. If you try too hard to restrict them to bona fide companies then you risk shutting out the mom and pop outfits. What's the answer?

    Anyone know what approach Firefox takes compared to IE7 here?

    1. Re:damned if they do, damned if they don't by mrchaotica · · Score: 3, Insightful
      What's the answer?

      Don't bother implementing any kind of "anti-phishing" crap and let the buyer be responsible for his own damn self for a change!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  8. Sole Proprietorship by mandelbr0t · · Score: 3, Insightful

    The Forum excluded sole proprietorships, general partnerships and individuals because its members couldn't agree on criteria for validating them effectively, something some members said can be difficult.

    From TFA, this is the reasoning behind the stocking saleswoman's problems. Now, I tend to disagree that it's difficult to find criteria for validating a Proprietorship, since I've formed one myself. While getting the trade certificate and license to collect tax are easy, obtaining a valid small business bank account is not. I'm thinking that those 3 taken as a whole should be enough information to determine whether the Proprietorship in question exists and is doing legitimate business, at least here in Canada.

    I don't think Microsoft screwed up here, incredibly enough. They've released a new product based on standards (of all things!). It doesn't erroneously display this woman's site in yellow or red, and it will correctly display it in green when the forum which determined the new certificate standard makes it available to Proprietorships. The article accuses Microsoft of tilting the online commerce playing field heavily toward big business again, but this isn't really Microsoft's fault. I agree that the new certificate standard should have included everyone from the get-go, but you can't fault Microsoft for building this useful feature on the latest standard.

    mandelbr0t

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
    1. Re:Sole Proprietorship by John+Hasler · · Score: 3, Insightful

      > While getting the trade certificate...

      Not required in the US.

      > ...and license to collect tax...

      Not every US state has sales tax (and in those that do many goods and services are exempt).

      > ...obtaining a valid small business bank account is not.

      There is nothing especially special about a "small business bank account" here.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  9. Gartner are idiots, so relax by roca · · Score: 4, Insightful

    Users will quickly learn to ignore the status bar color just like they've learned to ignore all other security warnings (thanks to expired certificates and other false negatives we throw in their face every day).

  10. Re:Yeah, they will. by geekoid · · Score: 3, Insightful

    Green means good is pretty standard. Don't go berating the users for making that jump.

    Don't confuse ignorance with stupidity. There is a world of difference.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  11. bonding by TheSHAD0W · · Score: 2, Interesting

    I agree with Microsoft, actually; it can be difficult to take what looks like a perfectly legitimate business and guarantee that they aren't actually sniffing for your personal information. But only labeling large businesses as "safe" will indeed put serious burdens on smaller companies.

    Perhaps Microsoft could allow for companies who wish to "go green" to purchase a certain amount insurance from established bonding companies assuring shoppers that their information won't go awry. Bonding companies know how best to deal with this sort of risk; they would subject their client companies to audits, making sure servers were secure and weren't caching the wrong sort of data.

  12. Spend the extra time and setup your biz correctly! by Silicon_Knight · · Score: 4, Informative

    I'm a small business owner, and guess what, I would have ZERO problems with this "green bar" policy.

    Reason? I made damn sure that I'm incorporated as either a limited liability company (L.L.C) (www.3dprints4less.com - not up yet) or an S-corporation (www.seattleprototypes.com).

    In this day and age of litigation, there is NO reason why, if you're going into business, you should even consider a sole proprietorship or general partnership agreement. IANAL, but go pick up any of the Nolo self-help books (recommended by lawyer friends) and they make it clear: LLC and corp status is a bit more paperwork to upkeep, but offers MUCH better protection for the business owners. As a sole proprietorship, you are personally liable - down to your last nickel in your bank account - if your business incurs any liabilities. As a general partnership, you would be personally held liable for not only your business's liabilities, but the actions of your partners as well (if your partner racks up a debt, skips town, and the creditors have easy access to you - guess who's in the hot seat).

    Not to mention, there are huge benefits you can get tax-wise from being a corporation or LLC. Corporate tax rates are a heck of a lot lower, for one!

    So, Aunt Joy making custom stockings, please, go pick up a self-help book and get your business set up properly. This way some slimebag ambulance chaser can't sue you out of the house you're growing old in when some irresponsible parent lets their kid chew off a bit of the stocking and the kid chokes on it.

    -=- Terence

  13. Re:How does the Phishing thing work? by Kelson · · Score: 5, Informative

    Actually there's two issues -- site verification and anti-phishing -- which are getting mashed together because they act on a similar concept (how much can I trust this site?) and display through the color in the address bar.

    White is the default state, and says nothing about the site.
    Red is when the site matches a blacklist of known phishing sites. (If you have the antiphishing turned on, it will check with MS each time you load a new page.)
    Green is when the site uses one of these new SSL certificates which provides additional data and (supposedly) has a tougher approval process in which the certificate authority does an actual background check on the company instead of just making sure they have a working phone number. One hopes a blacklist hit will trump this.

    A secure site that uses a standard SSL cert and is not a known phisher will have a white location bar.
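    The three-state scheme described in this comment, modelled as a small Python evaluator (an added example, not from the post and not IE7's own logic). It checks the blacklist before the certificate so that red trumps an EV cert, which is the precedence the comment hopes for and is assumed here; the blacklist entries are constructed, and a blacklist entry is assumed to cover its subdomains.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample blacklist of known phishing hostnames (not a real feed).
PHISHING_BLACKLIST = {
    "amazon.com.hahawepwnyou.com",
    "secure-login.example.net",
}


@dataclass(frozen=True)
class SiteInfo:
    """What the browser knows about the page it just loaded."""
    url: str
    has_tls: bool = False   # ordinary SSL certificate present
    has_ev: bool = False    # extended-validation certificate present


def host_is_blacklisted(host: str, blacklist: set[str]) -> bool:
    """True if the host, or any parent domain of it, is on the blacklist.

    Assumption: an entry such as "bad.example.com" also covers
    "login.bad.example.com", so the check walks every domain suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def address_bar_color(site: SiteInfo, blacklist: set[str] = PHISHING_BLACKLIST) -> str:
    """Return "red", "green" or "white" for the address bar."""
    host = urlsplit(site.url).hostname or ""
    # Red: blacklist hit. Evaluated first so that a blacklisted site never
    # turns green merely because it presents an EV certificate (assumed precedence).
    if host_is_blacklisted(host, blacklist):
        return "red"
    # Green: EV certificate and no blacklist hit.
    if site.has_ev:
        return "green"
    # White: the default. A standard SSL certificate alone does not change it.
    return "white"


if __name__ == "__main__":
    for s in (
        SiteInfo("http://amazon.com.hahawepwnyou.com/"),
        SiteInfo("https://shop.example.org/", has_tls=True),
        SiteInfo("https://bigcorp.example.com/", has_tls=True, has_ev=True),
    ):
        print(s.url, "->", address_bar_color(s))
```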

  14. Re:Spend the extra time and setup your biz correct by Ashtead · · Score: 4, Interesting

    But is Microsoft the right one to enforce this? Even if sole proprietorship or general partnership might be inadvisable, it isn't illegal, and Microsoft or anyone else who is not the government has absolutely no jurisdiction and no mandate to make it so.

    Something seems definitely out of bounds here...

    --
    SIGBUS @ NO-07.308
  15. Re:Yeah, they will. by John+Hasler · · Score: 4, Insightful

    > The solution for small business will be to market through a strong co-op or
    > an established corporate partner like Amazon or eBay. The benefits are obvious

    Yes. Control. Amazon and Ebay can suck off most of the profits and prevent the small businesses from growing into competitors.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  16. Re:Spend the extra time and setup your biz correct by Silicon_Knight · · Score: 3, Insightful

    RTFA.

    You don't get a "green" cert. You get an EV-SSL, or, Extended Verification SSL. It's not like MS invented something horrible to extort money out of people. FYI, Firefox and Opera implement anti-phishing toolbars as well.

    http://www.digicert.com/ev-ssl-certification.htm

    And, guess what? cost of the EV-SSL, along with payments to banks, credit card processors, etc... are just a part of the cost of doing business.

    -=- Terence

  17. Re:How does the Phishing thing work? by Kelson · · Score: 2, Informative

    Sorry, I forgot to mention that it does block access to a "red" site with an "are you sure you want to visit this?" warning. The initial design of the phishing filter is described on IEBlog. Some details have probably changed since then, but that's the basic way it works in the final version.

  18. Re:Really? by troll+-1 · · Score: 3, Interesting

    The only people this can significantly hurt are businesses which were doomed to fail in any case, and scammers.

    But doesn't TFA say that many of the people that will be doomed to fail are legitimate businesses like Aunt Joy Christmas stockings? Though Microsoft will claim they're not. She won't be green. She'll lose business. It's small businesses that will hurt.

  19. Re:Green hack by rjdegraaf · · Score: 2, Interesting

    What about a window without an address bar, but with an image which looks like an address bar.

  20. Why is this unfair? by raehl · · Score: 2, Interesting

    If you can't get a certificate as a sole proprietorship, INCORPORATE! Problem solved.

    Nobody is making anyone run their business as a sole proprietorship. And this day in this sue-happy age, there's plenty of other reasons incorporation is a good idea.

    1. Re:Why is this unfair? by lordkuri · · Score: 4, Interesting

      Bullshit. Why should I be forced to spend more money when a Sole Proprietorship is JUST AS LEGITIMATE as a Corporation. Matter of fact, a lot of people tend to think that a sole prop. is *more* legitimate, from years of dicking from most major corporations.

    2. Re:Why is this unfair? by raehl · · Score: 2, Informative

      Bullshit. Why should I be forced to spend more money when a Sole Proprietorship is JUST AS LEGITIMATE as a Corporation.

      Why should I be forced to pay someone to create a website and rent a server when a brick-and-mortar storefront is JUST AS LEGITIMATE as a web storefront?

      Fact is, you're not. Nobody is forcing you to spend money to incorporate. But just like if you want to sell on the internet, you need to pay for a website, if you want a certifying authority to certify your identity, then you need to meet the requirements for being certified. Nobody is FORCING you to do it, but if you're not willing to prove your identity by getting incorporated, then the certifying authority isn't willing to certify your identity either.

      This isn't about whether a sole proprietorship is JUST AS LEGITIMATE as a corporation, whatever 'just as legitimate' means. It's about having a standard of what it means to have a certified business identity. Corporations have state records about who they are, and who their registered agents are. Sole proprietorships do not. If, as a sole proprietorship, you claim you are "Al's Used Cars", how do I know that you're actually Al's Used Cars? Just because you say you are? What's to prevent some other person from coming along and saying THEY are Al's Used Cars? As a certifying authority, how do I tell which one of you is the real Al's Used Cars and which one of you is full of it?

      With Corporations, if someone comes to me and says they are Apple Computer, I can go to the state records office and find out who the registered agent for Apple Computer is and make sure I'm dealing with the real Apple Computer.

      Getting a certificate of identity requires having a verifiable identity. As a business, the only way to have a verifiable identity is to incorporate.

      So why should you be forced to pay more money? Because if you don't, you don't have a business identity to verify, and thus can't get a green address bar. And you don't deserve one.

    3. Re:Why is this unfair? by Reverberant · · Score: 4, Informative

      If you can't get a certificate as a sole proprietorship, INCORPORATE! Problem solved. [...] And this day in this sue-happy age, there's plenty of other reasons incorporation is a good idea.

      Sole proprietor here. As someone who has spent a lot of time and energy looking at sole proprietorship vs llc vs s-corp incorporation, let me just mention that (contrary to popular belief) incorporation isn't some magic bullet that completely shields business owners/officers from liability - just ask Ken Lay. Incorporation does help shield business owners from the incompetence/misconduct of other employees. Of course this doesn't matter in one-person companies where (by definition) all the business decisions are made by the business owners.

      Incorporation does, in theory, separate business assets from personal assets. However, in our "sue-happy" environment, there is a very easy way to get around this separation: simply sue the business *and* the owner.

      There are scenarios when it makes sense to incorporate: lower tax rates (only worth it for six-figure revenues by my calcs), if you have employees, if you have multiple locations, if you're trying to establish a Chinese wall for separate-but-related business, etc.

      Incorporating in my case (1-person business) would mean hiring a lawyer and accountant to file the annual state forms, draw up the stock agreement, and file the taxes in return for a few hundred dollars in tax savings and pretty much no liability protection. I found it was much cheaper to buy gen liability and E&O insurance (needed anyway for certain gov't contracts I have), and remain a sole proprietor. I imagine that this is true for hundreds (if not thousands) of other businesses across the US.

  21. Summary makes a flawed assumption, MS another by Dracos · · Score: 2, Insightful
    millions of Internet users who will soon be running IE7

    This depends on millions of new Intel machines being purchased after January 30. February and March are the slowest period of the year for any non-essential item, as people are recovering from their holiday spending binges. Retail box sales of Vista will be all but limited to hard core gamers who want DirectX 10 a year before any games actually take advantage of it.

    Ok, so IE7 is available on XP if you have SP2 installed. Still not staggering market share if you ask me.

    The typical user doesn't notice anything above the top of the page, including the address bar, which is why there's an anti-phishing toolbar in the first place. They'll only notice the color change the first time it happens because a semi-helpful, condescending dialog box will pop up, which the user will check the "do not display again" box, click OK, and continue on their oblivious way without having read the actual message. After that, they'll probably never realize that it changes colors, and if they do, they'll momentarily wonder why, and continue on their merry way.

    If something is routinely ignored, it's not useful because it's not being used. This is just one more thing that users will ignore while they submit their credit card info to http://amazon.com.hahawepwnyou.com/ to buy the latest American Idol greatest hits CD.

    MS is widely considered to overdo it with the handholding of Windows users, making everything seem cozy and easy, and then they go and implement this toolbar which only gives the illusion of security, in the hopes that the ignorant masses they've created will pay attention to it.

    Not gonna happen. Phishing will continue until people learn to use the Internet, just like spam will continue until SMTP is replaced.

  22. One thing to say to Microsoft by Todd+Knarr · · Score: 2, Interesting

    Only one response needed: http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx

    This was a class-3 code-signing certificate from Verisign, giving all the correct details for Microsoft but the request was coming from a bunch of crackers. How long, then, until the phishers figure out how to get EV-SSL certificates of their own?

  23. What happens when this is cracked? by mark-t · · Score: 2, Insightful

    And we know that it's only a matter of time...

    And the clincher is that the longer it takes to crack, the worse the ramifications are going to be when it happens.

  24. The Haiku people did this by alex_guy_CA · · Score: 2, Interesting

    I remember a few years ago, this company licensed a Haiku to put in the email headers. If the Haiku was there, you were automatically whitelisted in various spam filters. If you used the Haiku without paying the license, you could be sued not for spam, but for copyright infringement. I wonder if they still exist. Anyway, small businesses were priced out of the system. If you weren't sending 1,000,000 emails a month, don't bother calling them because you can't afford it. It seemed like such a stupid way to do business in an internet age. I'd pay .05 to make sure an email made it to a client. Oh well.

  25. Re:Really? by Anonymous+Brave+Guy · · Score: 2, Insightful

    That's how you make your buying decisions?

    Personally, no, but it is how a lot of people are likely to make decisions. That's the point.

    A device that automatically recommends people be more aware of who they're dealing with isn't a bad thing so long as it's accurate.

    Fortunately, our experience with RBLs shows that they never make mistakes, and small businesses never get seriously hurt by them.

    It's not like banks serving small businesses can't get into the act offering services to vouch for their clients.

    Ah, a good, old-fashioned protection racket. I'm so glad they're still alive and well, even in these high-tech times.

    The only people this can significantly hurt are businesses which were doomed to fail in any case, and scammers.

    Yes, because small businesses are never successful unless they're scammers.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  26. There's another problem here by wbean · · Score: 4, Interesting

    We have a Web site where we process orders for other companies. The pages are customized to our customers' look and feel and the credit cards are processed against their accounts, but all of the transactions take place on our server and use our certificate.

    We have no problem getting the new certificates, but what company name should appear in the bar? If we put our own name in, we will confuse the end users who have never heard of us. If we want to use our customers' company names, then they each have to get their own certificate and we have to assign separate IP addresses to each of our customers - at the moment we only need one IP.

    What a nuisance.

  27. Re:Spend the extra time and setup your biz correct by Draknor · · Score: 2, Insightful

    As a sole proprietor, shouldn't you have enough control over your business to guard against this? And shouldn't you be moral enough to *want* to actually pay your liabilities when you do something wrong?

    It's just a legal framework -- and no, you can never have "enough control" to guard against this. In a sole proprietorship, you are not legally distinct from your business, so any liabilities against the business can be taken out of your personal accounts. Assuming you are a legitimate business owner trying to make a profit (not just a shell corporation trying to avoid taxes), your biggest risk (I'm guessing) is from frivolous lawsuits. Somebody slips on the sidewalk in front of your storefront and sues your business for gajillion dollars. Assuming they win & your business can't pay up, it comes out of your personal savings account (or other assets). It's the same reason people carry umbrella liability insurance -- because we can't guard against the stupidity & greed of other people.

  28. It's the GOVERNMENT's job by bussdriver · · Score: 2, Insightful
    To run a business in the USA, you file with the secretary of state of your state plus file for a federal employer ID. You do about as much for that as a certificate authority (CA) has you do.
    1. SSL certs are signed by the US government for all biz with an EID
    2. SSL certs are signed (again) by the States the corp is in
    3. SSL certs (again; optionally) are signed by a 3rd party that is paid to go further than the government to ensure you are legit
    4. Governments make incorporation requirements on par with a typical cert authority. My state is at least as good as a CA.
    Benefits:
    • Certificate authorities (CAs) cannot extort money from us to avoid a little warning dialog
    • CAs will have to do more since the gov does the basics
    • Browsers can highlight government backed certs (little flag icons or green?)
    • Consumers know governments more than they do some CA
    • Government has reasonable information on the corp owners
    • Consumers know the corp has to file taxes on regular basis (can't be totally fake)
    • Consumers know what country or state the corp is involved with, allows them the freedom to support local business
    • Costs little in taxes, much of the stuff is there on their computers already, they can offer the whole thing for free as part of the incorporation process.
    • Digital certs are more secure than a paper document from the secretary of state
    • Makes it easy to find the corp as well as file complaints with the secretary of state which incorporates them
    • CAs are forced to improve their services, no need to regulate them
    This is well within government bounds, which legally defines corporations, LLCs, LLPs (partnerships), regulates them, and taxes them. This would be a cheap additional business service that would ultimately protect citizens (which is a fundamental reason for government).
    Perhaps the government learns and uses digital certs on legal documents like birth certificates? (nah, that would be too smart...BTW, I could fake my birth certificate with a copy machine)
  29. Irony by The+Clockwork+Troll · · Score: 5, Insightful

    The irony of all this is that the only companies allowed to be deemed "trustworthy" are the corporate entities whose employees are shielded from personal liability.

    --

    There are no karma whores, only moderation johns
  30. Re:Yeah, they will. by 1u3hr · · Score: 3, Informative
    It very well may be that they don't use left threaded screws. But concluding that because they make right threaded screws they must also use right threaded screws is jumping to conclusions.

    I live in China. I was trying to think of some evidence you could actually see short of catching a plane. And while a box of loose screws would obviously be made to whatever spec the customer wanted, internal screws for consumer appliances, which is what I meant, not loose screws, would be whatever was available to the factory and cheapest -- having been involved with export, cost is everything. Why would they increase costs by using a different kind of screw that has no inherent benefits? Historically, China's heavy industry was based on Russian technology, which in turn was copied mostly from Europe. More recently, Japanese, based on US standards, though fortunately mostly metricated.

    I still fail to understand why anyone would imagine LH screws would be standard in China.

    PS. Chinese vaginas aren't sloped sideways either.

  31. Small Business Can't Afford These Anyway by miller60 · · Score: 2, Interesting
    VeriSign is charging $1,299 a year for extended validation certificates, and I wonder how many small businesses would be willing to fork over that amount for the benefits of EV SSL. Other certificate authorities will eventually offer these as well, and charge less.

    Several CAs, including Digicert, are seeking to have the standard revised to include small businesses. I don't believe the CA/Browser Forum has finalized the standard yet, as there were some holdouts last I checked.

  32. Re:Forcing FF on someone is just as bad as forcing by Korin43 · · Score: 2, Insightful

    If Firefox had a warning every time you looked at for-profit websites and refused to accept fancy overpriced certificates, people would be doing the same thing with another browser.

  33. Re:Really? by mwvdlee · · Score: 5, Interesting
    The only people this can significantly hurt are businesses which were doomed to fail in any case, and scammers.

    I have a small business, legally registered, which is a sole proprietorship. Even though my business is legal and even though I'm personally legally responsible for the business I cannot get this green bar.

    I can pay the money for it (even though this starts to smell like a scam itself; pay the money for the certificate or you'll be blacklisted) and would if I could, but I can't, simply because they haven't defined rules to verify my type of business (which would be easy; my business is registered, has a clean tax record and I can provide any identification they'd need).

    So now MY business will not get on the whitelist because THEY fail to even set the rules by which I could get on the whitelist.

    I seriously think MS should hold out on displaying the bars until sufficient rules are in place that allow all legal businesses equal recognition as such.
    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  34. Re:Really? by Jtheletter · · Score: 2, Insightful

    The people looking for Auntie's Christmas stockings don't have anywhere else to go. Presumably they're looking for her because they don't want something made in a Chinese prison camp. If the latter was what they wanted they would have gone to Wal*Mart and been back already. No legitimate business which had a chance of succeeding will be materially harmed.

    It's like you have no grasp of how people use the internet. People didn't just sit down and type in "www.auntiesstockings.com", they most likely went to their search engine of choice and searched for something like 'holiday stockings crafts homemade' and got a bunch of hits for sites with those keywords. Then they see "Auntie's Christmas Stockings" and decide to give the site a try. As soon as they get there, however, the bar doesn't turn green, so they decide it's not a legitimate business and click Back on the browser and buy from a different site.

    The point is not that previous customers are going to suddenly stop trusting a site they've already done business with (although that is a possibility). The point is that new users coming to a site for the first time, who use the IE7 green color as the sole indicator of trust, will immediately distrust the site when they don't see that green. It has nothing to do with the quality of the products or anything else; no green bar will mean they assume it's a scam.

    I agree that giving the user more info is a good thing, but the problem is MS has not provided adequate means for small legitimate businesses to display the same level of 'trust' as a major corporation. MS needs to provide a streamlined and straightforward way for ALL legitimate businesses to properly utilize this extra feature; by not doing that, MS is essentially raising an artificial barrier to competition because of the lack of knowledge of the vast majority of the web-using public. And the catch-22 is, if Joe Sixpack were savvy enough to properly use the anti-phishing notifications from IE7, then he probably wouldn't need to be protected from phishing/scam sites in the first place.

    --
    -- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --