Microsoft and some industry partners are promoting a new certification process designed to make it harder for phishers to spoof websites. The plan gives third-party certification authorities like VeriSign and Entrust more stringent guidelines for authenticating websites. A resulting new seal of approval, an Extended Validation Secure Sockets Layer (EV SSL) certificate, may reassure consumers that they are handing information over to a legitimate site.
EV SSL–certified sites will look a little different from today’s secure sites, which typically display a small “lock” icon in the Web browser.
When Internet Explorer hits part of a website that supports the EV SSL standard, the address bar will turn green. Users will also be able to see the country where the website is based.
Websites buy these EV SSL seals from certification authorities, who follow the company's paper trail, for example by confirming that it has a legitimate address and control of the Web domain in question.
“If you’re a company without a reliable paper trail, you’re not going to get one of these,” says Tim Callan, a product manager with VeriSign. “If you’re incorporated, if you’re an LLP, or if you’re a registered charity, you have nothing to worry about.”
VeriSign has been offering EV SSL certificates since Dec. 11 and has more than 300 businesses going through the certification process.
Wells Fargo has helped develop the EV SSL standard, and eBay’s PayPal has recently gone live with EV SSL certificates on two of its sites.
Still, some issues must be worked out. For example, will smaller sites that haven’t been spoofed be willing to buy certificates? Also, it’s not settled how EV SSL will deal with international character types, or with two companies that have the same name but operate in different countries.
According to Window Snyder, head of security strategy at Mozilla, the Firefox team will probably wait until version 3.0 of its browser is released later this year to support the new certificate program.