EV SSL: Tentative First Year for New Online Site Authentication Tool
The Certifying Authority/Browser Forum was upbeat in a press release outlining the utility of its EVSSL (Extended Validation Secure Sockets Layer) guidelines to promote online security. The new guidelines released by the forum last June promised to drive out scams like phishing into extinction. Under the new process, websites who get certified by authorized agents (VeriSign is one), were identified by new versions of most of the regular internet browsers (like Internet Explorer7 or FireFox 3) and their online visitors given visual cues to identify their “secured” status.
Such signals include
- an address bar that turns green,
- a popup bar that indicates alternately the website to which the certificate was issued as well as the issuing authority, and
- a padlock at the end of the address bar.
This was a way to give online buyers an assurance that they were conducting transactions in a legitimate site rather than on a phishing website out to steal such personal info as their credit card number, bank account number and account login details.
CAB Forum, VeriSign drumming up prospects
Sites undertaking financial transactions like banks and e-commerce sites are being sold the certification as a system that is going to be the benchmark for website trustworthiness in the future. Under the new guidelines, a site’s legitimacy was said to be subjected to an intense legal, physical and operational verification before it became eligible for certification. VeriSign was recently featured in what looks like gushing advertorials in CNN Money and in an Online Security Website proclaiming initial success of the new system of validation in the market.
But, for all this, the online community is signaling maybe, they would rather wait awhile before embracing the new certification process. Their expectations are being tempered by studies on the effectiveness of such processes.
Community yet to catch up
A study done by Stanford University and Microsoft as far back as in 2006 revealed no discernible difference in the behavior of respondents armed with knowledge of Extended Validation SSL when compared to those who had no clue about it. Meaning, their noticing visual cues offered by browsers did not prevent them from clicking and giving away their details to a phishing website!
An article in The Register, UK suggests things have not changed. It links a survey done by a web hosting company there to have thrown up much the same result. Over 70% of the respondents were not able to recognize the visual cues provided by their browsers. Thus, it probably reduces to dust efforts of online e-commerce sites in advertising their secure status using the extended validation technology.
The article goes one step further and shows that even if awareness about the new tech grew, sites flaunting the new system could still be easily compromised. An experiment by a web security firm showed how a popular, certified website was compromised by a cross-scripting error. In the real world, such gaps were shown to be capable of being capitalized on by fraudsters in running a phishing scam.
The article too advocates waiting out on the new technology. Perhaps, a foolproof system for sifting secure websites from fraudulent ones is still a technological leap away!
Related posts:
- Barclays Bank Phishing Scam: A shot in the dark?
- Fake Scam Web sites
- Scam Alert: Online Banking Safety Guidelines
- Phishers eyeing Australian Tax Payers
- IRS : Beware of EFTPS Phishing Scam
