more on Warning: Microsoft/Verisign scam on the horizon

[David Farber <dave () farber net>]

Begin forwarded message:

From: john kemp <john.kemp () mac com>
Date: October 26, 2006 11:43:38 AM EDT
To: dave () farber net
Subject: Re: [IP] Warning: Microsoft/Verisign scam on the horizon

Hello,

With all due respect to Mr. Bamford, I'm not sure if I yet understand
exactly what the scam is.

I went to Microsoft's IE 7 blog, and found [1], describing how the URL
bar will turn green if an SSL certificate is a "high assurance
certificate". Furthermore, the name (presumably Common Name or
Distinguished Name from the certificate) of the business is displayed
next to the URL - in other words, the user can see that the business
name is (hopefully) related to the domain name of the business (which
seems reasonable).

I then went to Verisign's page [2] "High Assurance SSL FAQ" to discover
that a high assurance SSL certificate is granted only after a certain
process (yet to be described by the "CA/Browser authority") is followed.
On [2], some items expected to be included in this process are:

i) authenticate the authority of the person requesting the certificate -
presumably, that means checking whether this person is actually employed
by the company on whose behalf the person is requesting the certificate?
ii) verification of the business with government or other third parties.

I will note that the exact process is not yet described anywhere I  
can find.

So, my personal opinion of this so far is:

1) I think displaying the business name obtained from the cert in the
URL bar is a reasonable thing to do - it provides the possibility of a
visual check by the user to see whether the URL and business name are
related. In many cases (particularly banks) I'd expect the domain name
in the URL to contain almost the exact business name. SO that seems like
a good hint.
2) The bar turning green because of the usage by the site owner of a
"high assurance SSL certificate" /may/ turn out to be useful, probably
depending on how easy (or not) it becomes to obtain one of these
certificates, or the ability of those with malicious intent to spoof
them. Will Internet Explorer accept such certificates only if issued by
Verisign? Or is it possible for me to be my own certificate authority?
Who will determine the validity of a particular CA accepted in this
high-assurance certificate market?

Is this a scam? I'm not sure. Should we continue to check carefully that
we are doing business over the Internet with whom we think we are doing
business, regardless of this innovation or any other? Yes. That's just
like making sure that you walk into the right building to make a deposit
in your savings account.

Regards,

- John

[1] http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx
[2]
http://www.verisign.com/ssl/ssl-information-center/faq/high-assurance- 
ssl.html


David Farber wrote:
> Begin forwarded message:
>
> From: Cliff Bamford <bamford () oz net>
> Date: October 26, 2006 10:45:34 AM EDT
> To: dave () farber net
> Subject: Warning: Microsoft/Verisign scam on the horizon
>
> Dave: for IP if you wish...
>
> Microsoft doesn't like the fact that Firefox is chipping away at its
> Internet Explorer monopoly.  It has teamed up with another outfit with
> equally uncertain corporate morals:  Verisign.  Together, they are  
> going
> to implement a masterpiece of marketing hype called "extended  
> validation
> certificates (EVCs)” I’ll explain what those are below, but first here
> are my predictions about the effects EVCs will have on our online  
> lives:
>
> Extended validation certificates will:
>
> 1. Further screw up the already dismal security of the Internet
>
> 2. Confuse and mislead nearly everybody
>
> 3. Help Microsoft scare people back to Internet Explorer
>
> 4. Allow Verisign to charge premium prices for a bunch of almost
> meaningless "upgrades"
>
> The way this will work is: when you visit a site that has purchased an
> EVC from Verisign, if you are using a recent version of Internet
> Explorer, the address bar at the top of your browser window will turn
> green --- supposedly indicating that you are connected to a "super
> secure" site.  This is brilliant marketing, but technically, it is 99%
> baloney.
>
> Digital certificates are electronic credentials that your browser uses
> to insure that you are actually communicating with the website you  
> think
> you're communicating with. They don't work very well, in part because
> this is a very difficult problem involving elusive concepts like "the
> true identity of an organization, as reflected in the equipment it
> attaches to the Internet"  --- or worse, "the website you think you're
> communicating with".  The problem was slowly being solved, but neither
> Microsoft nor Verisign (nor, to be fair, anybody else) was willing to
> wait for a solution.  So the current version of digital  
> certificates was
> implemented, in a manner that left serious holes in the security fence
> that certificates were supposed to provide.
>
> Most of the holes have been patched, but the original, fundamental
> issues of identity and authentication are still unsolved.   Until a  
> good
> solution to those abstract problems is found and widely implemented
> (that’s at least 5 to 10 years away), the term “fully validated  
> digital
> certificate” is an oxymoron.
>
> But peopled want assurance that they are safe while surfing the  
> wild and
> dangerous Internet --- and they don’t want to waste much time
> understanding the details.  Which is why a green bar is a brilliant
> marketing idea --- even if it actually means next to nothing.
>
> Microsoft is a masterful marketing company, but it doesn’t do security
> very well.  Remember January 2004, when Bill Gates promised us that  
> spam
> would be ended by 2006?  The reason that Bill couldn’t keep his  
> promise
> was ultimately due to the same kinds of problems with identity and
> authentication that apply to digital certificates -- "extensively
> validated" or otherwise.
>
> Bill’s promise about spam was empty.  The green bar in Internet  
> Explorer
> will be almost equally empty.  Unfortunately, many people will  
> probably
> fall for the razzle-dazzle.
>
> Cliff Bamford
>
> Here’ some background information:
>
> Original URL:
> http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/
>
> Verisign backs Vista security green streak
>
> By Chris Williams (chris.williams () theregister co uk)
>
> Published Wednesday 25th October 2006 12:04 GMT
>
>
>
> The Mozilla Foundation risks losing the browser battle if it fails to
> keep up with Microsoft by incorporating new security technology into
> Firefox, a Verisign exec has claimed.
>
> According to Verisign product marketing director Tim Callan, the  
> "loose
> collection of technoanarchists" which make up the open source
> development community has frustrated efforts to build new security
> features into its new browser.
>
> Verisign is at the RSA Europe Conference in Nice talking up a new  
> breed
> of online security certificate. The padlock encryption symbol used by
> browsers has been effectively meaningless for some time, and consumer
> paranoia surrounding fraud remains a barrier to using online commerce
> for many.
>
> In response, the verification industry in the form of the CA browser
> forum has come up with extended validation SSL, where the certificate
> really is a guarantee of kosher status. Honest.
>
> Murphy's law says extended validation will be broken by the bad guys
> sooner or later. Callan said the industry had learned from the
> fossilised nature of SSL, and the new standard will be continually
> updated to keep pace with organised crime. "That's how it  
> goes...I'm not
> going to lie and say we can beat them with a static defence," he said.
>
> The system is implemented in IE7 by turning the address green for  
> sites
> holding a extended validation certificate. Redmond is keeping the
> feature under wraps until the release of Vista in January, when the
> first wave of extended validation certificates will be issued to the
> likes of PayPal and Amazon. Along with many others, Verisign are  
> working
> towards a January 24 release date which was briefly bean-spilled by
> Amazon on Vista pre-orders.
>
> Callan puts Mozilla's apparent heel-dragging on the new security
> technology down to the character of its development community. Several
> community members have been involved in the development process  
> however
> and are "acutely aware of the most minor details" of the project.
>
> One snarl-up for Mozilla may have been working out an alternative  
> to the
> rest of Microsoft's site-rating system. As well as getting dishing out
> green address bars, servers at Redmond will blacklist dodgy and  
> suspect
> sites, which can look forward to red and amber flashing up.
>
> A Firefox implementation of extended validation can only be a  
> matter of
> time, since the Mozilla Foundation knows in order to compete it cannot
> afford for its browser to be just as good as IE7; it has to be better.
>
> Verisign say 99 per cent of sites will be get the "ok" and the address
> bar left white. Only outfits which fork out for an extended validation
> SSL will get the psychological filip of "green for go". Firms will  
> have
> to stump up about 150 per cent of what they currently do for an SSL
> certificate.
>
> Microsoft-beating security meant the first Firefox browser found  
> its way
> onto millions of desktops. When Vista finally ships, a big Microsoft
> public awareness campaign will be aimed at making extended  
> validation a
> de facto standard, which will pile pressure on Mozilla to update  
> Firefox
> sharpish. ®
>
> -------------------------------------
> You are subscribed as frumioj () mac com
> To manage your subscription, go to
>  http://v2.listbox.com/member/?listname=ip
>
> Archives at: http://www.interesting-people.org/archives/interesting- 
> people/



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/