Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Extended SSL Certs Make Online Debut

Posted by CowboyNeal on from the bar-is-green-site-is-clean dept.

An anonymous reader writes "The first of the new 'extended validation' SSL certificates went live this week, signaling the latest effort by the browser makers and major Web sites to further verify the identity of SSL applicants and help consumers spot fraudulent Web sites, the Washington Post's Security Fix blog notes. The technology is pretty simple: Visit a login page for a site that uses one of these EV certs and the browser bar turns green; likewise, the browser's anti-phishing filters can turn the URL field red when the user is at a known phishing site. There is still quite a bit of debate over whether this whole scheme isn't just a new money-making racket for the SSL providers, and whether small mom-and-pop shops will be able to afford the pricey new certs."

6 of 106 comments (clear)

  1. It isn't whether they can afford them. by khasim · · Score: 4, Informative
    It isn't whether mom-and-pop shops can afford the new certificates.

    It's whether they'll be allowed to purchase them.

    That's because sole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color.
    1. Re:It isn't whether they can afford them. by mastershake_phd · · Score: 4, Insightful

      That's because sole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color.

      Thats because we all know there is no such thing as a shady corporation with enough money for expensive certifications.

      --
      Libertarian Leaning Political Discussion Forum.
  2. Great by finkployd · · Score: 4, Interesting

    So, the CA oligopoly is now going to be charging extra for doing the assurance checking they should have been doing all along but now admit they were not. And once they decide they need more money I am sure they will claim that they have been screwing up their assurance checking on these new ones as well but for a little bit extra, they will do SUPER DUPER identity validation. Then we can REALLY trust the certs.

    Why are we paying and trusting them again?

    Finkployd

  3. Gripes with HTTPS by RAMMS+EIN · · Score: 4, Informative

    I have one major gripe with HTTPS:

    If you don't pay the Powers That Be, you can still make your site more secure, but it will appear to be less secure.

    The way HTTPS normally works is that you create a key to be associated with your domain name. This key is then signed by some certificate authority (supposedly after verifying you are you). If the certificate authority is one of those trusted by your visitors' browsers, the browser will go ahead and use your site, as well as display some indication that it is secure. The security includes both encryption (confidentiality) and authentication (you're really communicating with foobar.com - VeriSign says so).

    However, you have to pay the certificate authority to sign your key. If you don't, you can still sign the key, but it won't be trusted by browsers. So far so good. The problem is that browsers will scream bloody murder, because they can't verify that you are you, making at look like you're attempting some kind of scam, while, actually, you're offering your visitors encryption. It's not as secure as encryption and authentication, but it's still better than plain HTTP - a protocol which browsers will accept without a hitch.

    As a minor issue, the SSL key is sent during the connection set up, before the client can send a Host: header. This means that each host wishing to employ HTTPS has to have its own IP address - otherwise, the server doesn't know which key to use. There's actually a way around this: HTTP 1.1 specifies how to upgrade a connection to HTTPS, which can be done after the Host: header has been sent. Unfortunately, a lot of software appears not to support this feature.

    --
    Please correct me if I got my facts wrong.
  4. Entrust's SSL certificate, and its problems by Animats · · Score: 4, Insightful
    OK, here's Entrust's SSL certificate. Let's see what we've got.

    Domain: www.entrust.com

    Server identity:
    CN = www.entrust.com
    serialNumber = DOC:19961216
    OU = it
    O = Entrust Inc
    jurisdictionOfIncorporationStateOrProvinceName = MD
    jurisdictionOfIncorporationCountryName = US
    L = Ottawa
    ST = Ontario
    C = CA
    Issuer identity:
    CN = Entrust Certification Authority - L1A
    OU = (c) 2006 Entrust, Inc.
    OU = www.entrust.net/CPS is incorporated by reference
    OU = CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY
    OU = AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE
    O = Entrust, Inc.
    C = US Certificate has 10 extensions.

    • Extension #0: keyUsage = Digital Signature, Key Encipherment
    • Extension #1: privateKeyUsagePeriod = Not Before: Jan 12 13:57:28 2007 GMT, Not After: Jan 12 14:17:41 2009 GMT
    • Extension #2: extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
    • Extension #3: authorityInfoAccess = OCSP - URI:http://ocsp.entrust.net
    • Extension #4: crlDistributionPoints = URI:http://crl.entrust.net/level1a.crl
    • Extension #5: certificatePolicies = Policy: 2.16.840.1.114028.10.1.2 CPS: http://www.entrust.net/cps User Notice: Explicit Text: The Entrust SSL Web Server Certification Practice Statement (CPS) available at www.entrust.net/cps is hereby inc orporated into your use or reliance on this Certificate. This CPS contains limitations on warranties and liabilities. Copyright (c) 2002 Entrust Limited
    • Extension #6: authorityKeyIdentifier = keyid:7E:B7:FC:4C:26:E6:B0:7A:FB:54:E2:3C:45:73:C6 :43:90:5E:28:04
    • Extension #7: subjectKeyIdentifier = 10:E0:70:1B:D7:78:17:32:B4:BA:EB:00:6A:E2:25:C3:67 :FC:77:1D
    • Extension #8: basicConstraints = CA:FALSE
    • Extension #9: UNDEF = None (this is a bug in the cert. viewer)

    The CA Browser Forum has published a standard for these certificate. So that's what we go by.

    How do you tell this is an Extended Validation certificate? That's not in the CA Browser Forum's standard. It's dependent on the certificate issuer.

    It's documented, on Entrust's web site "Each EV SSL Certificate issued by the Entrust EV SSL CA to a Subscriber contains an Object Identifier (OID) defined by the Entrust EV SSL CA in the certificate's certificatePolicies extension ... which by pre-agreement with Application Software Vendors, marks the certificate as being an EV SSL Certificate.

    The following OID has been registered by the Entrust EV SSL CA for inclusion in EV SSL Certificates: 2.16.840.1.114028.10.1.2"

    That OID number appears in the middle of a comment in the certificatePolicies extension. So, for each issuer, you have to look for something different.

    The certificate checker has to be really careful. To verify that a certificate is an Extended Validation certificate, it's not enough to find that OID. You have to make sure that the certificate was issued by the issuer entitled to use that OID. Otherwise, it's easy to forge these certificates.

    But if you're too thorough in the checking, the certificate bounces. The whole point of an Extended Validation certificate is to validate the company's identity. So we have the new fields "serialNumber", "jurisdictionOfIncorporationStateOrProvinceName", and "jurisdictionOfIncorporationCo

  5. There are many problems - some are legacy problems by fyngyrz · · Score: 5, Insightful

    As far as I understand, the main trouble for mom'n'pop shops will be the green colored bar

    It is far worse than that:

    • This encourages people to "trust" Internet Explorer, which has not earned that trust in any meaningful sense
    • This encourages people to "trust" Verisign and others, which have also not earned that trust in any meaningful sense
    • This discourages customers from checking out an online shop themselves, which is just plain really, really bad
    • This certificate is an additional expense not just in obvious costs, but in hoop jumping
    • If a legitimate business is unable to obtain the cert, it will be unfairly damaged by the incorrect presumption of unreliability
    • Certificates never provide anything more valuable than data security, the "identification" is illusory and worse with these, since they create an "underclass" of nominally "untrusted" sites that have no performance reason to be so classed, which is the very definition of an inaccurate take on who is trustworthy
    • The idea that "trust" in one corporation can be settled merely by the endorsement of another is logically and realistically false
    • Browsers, by buying into this corporate scam, have been complicit in hurting the Internet's ability to do business, not in helping it; this is because historically, identification of "who is trusted" has been poorly done by underdoing (in other words, give us a check, we'll give you a cert... just a scam, no ID involved) now we have a scam where it will be overdone, so that perfectly legitimate businesses will be left out in the cold. Again, the idea that a corporation can be trusted to do your due diligence on checking out someone you want to do business with is wrong from its very roots.

    In the end, the benefit of SSL is that of encrypted traffic. The data goes from the client to the server, and nowhere else. That's what a certificate actually ensures. Nothing else. Not one blessed thing. The people who built this scam were either miserably uninformed and/or confused, or underhanded types who recognized the money to scooped up from people who could not afford to have a browser inaccurately claim that their business "might be a scam."

    This is just one more case where superficial thinking about something is being used as an excuse to generate a large and healthy cash cow over and above the current certificate scam. Nothing can legitimately substitute for you checking for complaints, longevity, experience with the product(s) you are interested in, that sort of thing. Which in turn means that by definition, the foisting off on the consumer that the "browser bar turning green" means "shopping or interaction is OK" is outright illegitimate.

    And will any of that stop this from happening? Not a chance. Because it isn't only the consumers that are failing to do due diligence here; it is the browser writers as well, and as per usual, we start with Microsoft who does not have the consumer's best interests at heart.

    The attempt is being made here to do something that is impossible. Wy? Because an operation that was trustworthy yesterday can become untrustworthy tomorrow. Likewise, an operation that was controlled by scammers can replace those people. It is a matter of people and goals that no one can see through the veil of the Internet. This is aside from the creation of a "ghetto" of untrusted merchants who cannot get certified, or cannot afford to get certified.

    I saw a comment elsewhere here by some moron who was pontificating about how "if some business cannot afford $500 for this cert, I would not trust them, etc. ad nauseam." The fact is, some businesses are striving on the edge and that money is important to them. Seeing as how it does nothing for them but keep them from being creamed by this new scam - meaning, it doesn't add value to what they do, just brings them back to a status quo

    --
    I've fallen off your lawn, and I can't get up.