Problems with VeriSign's new Flash-based "Trust Mark" seal

[Declan McCullagh <declan () well com>]

---

Reply-To: <ray () everett org>
From: "Ray Everett-Church" <ray () everett org>
To: "'Declan McCullagh'" <declan () well com>, <dave () farber net>
Subject: More VeriSign problems

X-UIDL: 968c9b776221209877520c929468a9c2

According to http://www.theregister.co.uk/content/55/33779.html, on November
4:

> VeriSign today unveiled a redesign of its ubiquitous
> Trust Mark seal symbol. Instead of a static GIF image,
> the new Trust Mark features a Flash-based animated
> design to make it more recognizable online.
>
> By clicking on the new VeriSign Trust Mark, consumers
> can verify a business's legal name, determine the
> validity period for the Secure Sockets Layer (SSL)
> certificate, and view their place of incorporation.
>
> Mike Foley, vice president of VeriSign Security
> Services, explained that the underlying technology
> behind the design had changed so that this information
> could be validated in real time - unlike earlier
> versions of the seal where information wasn't served
> dynamically. This also means that VeriSign can strip
> off the revamped Trust Mark seal from a site when a
> digital certificate expires, he added.
>
> The newly designed VeriSign Trust Mark is positioned
> as a way for VeriSign's customers to better communicate
> the authenticity of their site to potential consumers
> online.

Unfortunately (but not surprisingly) they implemented it very poorly. My
partner, a Flash designer and developer, analyzed their implementation and
found numerous problems, including several ways in which it can be trivially
spoofed. His analysis, with a live demonstration, appears at:
http://www.infinitumdesign.com/verisign.html (Flash 6 required).

Regards,
-Ray
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)