Interesting People mailing list archives

Warning: Microsoft/Verisign scam on the horizon


From: David Farber <dave () farber net>
Date: Thu, 26 Oct 2006 10:53:14 -0400



Begin forwarded message:

From: Cliff Bamford <bamford () oz net>
Date: October 26, 2006 10:45:34 AM EDT
To: dave () farber net
Subject: Warning: Microsoft/Verisign scam on the horizon

Dave: for IP if you wish...

Microsoft doesn't like the fact that Firefox is chipping away at its Internet Explorer monopoly. It has teamed up with another outfit with equally uncertain corporate morals: Verisign. Together, they are going to implement a masterpiece of marketing hype called "extended validation certificates (EVCs)". I'll explain what those are below, but first here are my predictions about the effects EVCs will have on our online lives:

Extended validation certificates will:

1. Further screw up the already dismal security of the Internet

2. Confuse and mislead nearly everybody

3. Help Microsoft scare people back to Internet Explorer

4. Allow Verisign to charge premium prices for a bunch of almost meaningless "upgrades"

The way this will work is: when you visit a site that has purchased an EVC from Verisign, if you are using a recent version of Internet Explorer, the address bar at the top of your browser window will turn green --- supposedly indicating that you are connected to a "super secure" site. This is brilliant marketing, but technically, it is 99% baloney.

Digital certificates are electronic credentials that your browser uses to insure that you are actually communicating with the website you think you're communicating with. They don't work very well, in part because this is a very difficult problem involving elusive concepts like "the true identity of an organization, as reflected in the equipment it attaches to the Internet" --- or worse, "the website you think you're communicating with". The problem was slowly being solved, but neither Microsoft nor Verisign (nor, to be fair, anybody else) was willing to wait for a solution. So the current version of digital certificates was implemented, in a manner that left serious holes in the security fence that certificates were supposed to provide.

Most of the holes have been patched, but the original, fundamental issues of identity and authentication are still unsolved. Until a good solution to those abstract problems is found and widely implemented (that’s at least 5 to 10 years away), the term “fully validated digital certificate” is an oxymoron.

But people want assurance that they are safe while surfing the wild and dangerous Internet --- and they don't want to waste much time understanding the details. Which is why a green bar is a brilliant marketing idea --- even if it actually means next to nothing.

Microsoft is a masterful marketing company, but it doesn’t do security very well. Remember January 2004, when Bill Gates promised us that spam would be ended by 2006? The reason that Bill couldn’t keep his promise was ultimately due to the same kinds of problems with identity and authentication that apply to digital certificates -- "extensively validated" or otherwise.

Bill’s promise about spam was empty. The green bar in Internet Explorer will be almost equally empty. Unfortunately, many people will probably fall for the razzle-dazzle.

Cliff Bamford

Here's some background information:

Original URL: http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/

Verisign backs Vista security green streak

By Chris Williams (chris.williams () theregister co uk)

Published Wednesday 25th October 2006 12:04 GMT



The Mozilla Foundation risks losing the browser battle if it fails to keep up with Microsoft by incorporating new security technology into Firefox, a Verisign exec has claimed.

According to Verisign product marketing director Tim Callan, the "loose collection of technoanarchists" which make up the open source development community has frustrated efforts to build new security features into its new browser.

Verisign is at the RSA Europe Conference in Nice talking up a new breed of online security certificate. The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

In response, the verification industry in the form of the CA browser forum has come up with extended validation SSL, where the certificate really is a guarantee of kosher status. Honest.

Murphy's law says extended validation will be broken by the bad guys sooner or later. Callan said the industry had learned from the fossilised nature of SSL, and the new standard will be continually updated to keep pace with organised crime. "That's how it goes...I'm not going to lie and say we can beat them with a static defence," he said.

The system is implemented in IE7 by turning the address green for sites holding an extended validation certificate. Redmond is keeping the feature under wraps until the release of Vista in January, when the first wave of extended validation certificates will be issued to the likes of PayPal and Amazon. Along with many others, Verisign are working towards a January 24 release date which was briefly bean-spilled by Amazon on Vista pre-orders.

Callan puts Mozilla's apparent heel-dragging on the new security technology down to the character of its development community. Several community members have been involved in the development process however and are "acutely aware of the most minor details" of the project.

One snarl-up for Mozilla may have been working out an alternative to the rest of Microsoft's site-rating system. As well as dishing out green address bars, servers at Redmond will blacklist dodgy and suspect sites, which can look forward to red and amber flashing up.

A Firefox implementation of extended validation can only be a matter of time, since the Mozilla Foundation knows in order to compete it cannot afford for its browser to be just as good as IE7; it has to be better.

Verisign say 99 per cent of sites will get the "ok" and the address bar left white. Only outfits which fork out for an extended validation SSL will get the psychological fillip of "green for go". Firms will have to stump up about 150 per cent of what they currently do for an SSL certificate.

Microsoft-beating security meant the first Firefox browser found its way onto millions of desktops. When Vista finally ships, a big Microsoft public awareness campaign will be aimed at making extended validation a de facto standard, which will pile pressure on Mozilla to update Firefox sharpish. ®


Archives at: http://www.interesting-people.org/archives/interesting-people/