Feide is adding EV certificates. Extended Validation Certificates (EV certificates) are a type of X.509 certificate which requires more extensive investigation of the requesting entity by the Certification Authority (CA) before being issued.
Feide decided to use EV certificates on our newest login service, to give users more feedback in their browser about the status of the login site. An EV certificate shows up in the browser as a green address bar, or as a green field in front of the URL. Browser support includes: Microsoft Internet Explorer 7, Mozilla Firefox 3, Safari 3.2, Opera 9.5, and Google Chrome.
The procedure for getting an EV certificate includes a stricter vetting process by the CA, with phone calls and other checks to ensure that the certificate is in fact issued to the legitimate owner of the domain name. The goal is a higher level of assurance that the certificate really belongs to the holder of that domain name.
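What turns the bar green is not the vetting as such but two checks the browser can perform on the certificate chain: the leaf's certificatePolicies extension names an EV policy OID, and the chain validates to a root the browser has enabled for that OID. The following is an added example in Go, not Feide's code: the EV OID 2.23.140.1.1 is the CA/Browser Forum value, while the self-signed certificate and the name login.example are constructed for illustration, and the example accepts any root in the pool rather than keeping a per-root EV OID table.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum EV policy OID; real EV roots often carry CA-specific OIDs as well.
var oidCABForumEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}

// ShowsEV mirrors the browser's rule: certificatePolicies names an accepted EV OID AND the
// chain validates to a trusted root (browsers further tie each EV OID to specific roots).
func ShowsEV(cert *x509.Certificate, roots *x509.CertPool, evOIDs ...asn1.ObjectIdentifier) bool {
	hasEV := false
	for _, p := range cert.PolicyIdentifiers {
		for _, ev := range evOIDs {
			hasEV = hasEV || p.Equal(ev)
		}
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return hasEV && err == nil
}

// selfSigned builds a constructed, self-signed test certificate asserting one policy OID.
func selfSigned(cn string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader fails
	ext, _ := asn1.Marshal([][]asn1.ObjectIdentifier{{policy}}) // SEQUENCE OF PolicyInformation{OID}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: ext}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ev, _ := selfSigned("login.example", oidCABForumEV) // constructed; not a Feide certificate
	trusted := x509.NewCertPool()                         // stands in for the browser's EV roots
	fmt.Println("EV OID, untrusted anchor:", ShowsEV(ev, trusted, oidCABForumEV)) // false
	trusted.AddCert(ev)
	fmt.Println("EV OID, trusted anchor:  ", ShowsEV(ev, trusted, oidCABForumEV)) // true
}
```

The same certificate goes from a warning to a green bar purely by whether its anchor is trusted, which is why the self-signed certificates discussed in the comments below never qualify however they are labelled.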
Critics of EV certificates have pointed out that EV does not ensure anything for the end user beyond a warm and fuzzy feeling about better security, and does not stop phishers from setting up phishing sites for which they hold legitimate domain names. However, EV does stop phishers from setting up sites for which they do not own the domain name, if you can trust the end user not to press OK to continue when warned about an invalid certificate.
Supporters of EV certificates like the fact that there is a common ground and a standardized issuing policy for certificates across certificate suppliers; and, even better, a standard integration into newer browsers. Real-life people respond better to visual cues than they do to endless pages haranguing them to be vigilant.
My take on this is that we need to train end users to recognize when they are putting themselves in genuine danger, and when they are just being careless. In real life they would not walk naked through town carrying bags of gold (apart from students, for whom life issued separate rules way back), and they should not do the Internet equivalent. At least not if we could tell them when they are naked gold-carrying virgins…
March 3, 2009 at 12:06
To add: not only did the browser developers add the ‘green bar’ effect, giving positive user feedback when connecting to a site that went through a number of hoops to establish organizational traceability, they also made it much more difficult for a user to accept self-signed certificates, increasing the negative feedback for ‘wrong’ certificates. A user now has to go through some 3 or 4 clicks, including some strong warnings that a decent site should not put you through this mess.
Not good for those of us with self-signed CAs or certificates, but good for the end user, I’d say.
It seems to me that finally browser vendors together with certificate providers are coming together to start implementing SSL features in a way that makes sense to a user.
You could of course argue that if a user is infected with a trojan/rootkit, there’s nothing stopping that rootkit from painting your browser bar green. But then again, with a rootkit you’ve lost already anyway.
Jan