Cyber Security Institute

Monday, December 12, 2005

Browsers to get sturdier padlocks

The yellow security padlock in Web browsers, weakened by lax standards and loose supervision, will get reinforced next year with tougher requirements and browser updates.

The browser icon was designed to show that traffic with a Web site is encrypted and that a third party, called a certification authority, has identified the site and vouches for its validity. To solve that problem, a group of companies that issue the Secure Socket Layer certificates are working with major Web browser makers to develop a new type of “high assurance” certificate.

What’s new: A group of companies is working to rebuild trust in the SSL security certificates issued to Web sites by developing industrywide standards for a stronger, “high assurance” product.

Bottom line: The tougher certificates, coupled with browser developments, could help fight “phishing,” which threatens the multibillion-dollar online retail market.

“We as an industry must look into trust threats,” said Melih Abdulhayoglu, chief executive of Comodo, a certification authority based in Jersey City, N.J., that set up the first CA Forum meeting.

The lock icon was designed to assure consumers that online transactions, such as banking and shopping, are protected.  As such, it’s key to Web commerce, a big business: Forrester Research predicts online retail sales in the United States will grow from $172 billion this year to $329 billion in 2010.  Initially, all certificate providers performed thorough checks of applicants before they issued a security certificate for a Web site.

Several years ago, however, some providers relaxed their background checks in order to offer cheaper certificates, and the rest of the market followed, industry members said.  All sites with an SSL certificate get the same padlock display.  “Web browsers have not been able to deal with the different kinds of certificates, which meant that it did not matter how strong the verification was by the certification authority, and some took advantage of that,” Gartner analyst John Pescatore said.  That changed when some certification authorities started lowering their verification standards and discounting certificates, said Judy Shapiro, vice president of marketing at Comodo.  “Browsers were unprepared to display high assurance and low assurance certificates in a different way.”

But that is set to change next year, with Microsoft planning to release Internet Explorer 7 and makers of other Web browsers also contemplating changes in the way their applications handle SSL certificates. The move by browser makers is partly why certification authorities such as VeriSign, Comodo, GeoTrust and Cybertrust are banding together in the CA Forum to come up with an industrywide agreement on a new, highly verified certificate. The certification authorities are working to make the vetting process for the new high-assurance certificates objective and consistent across the industry.

Developers for Firefox, Opera and Konqueror are also considering adding new display mechanisms to the padlock to call out the strongly encrypted and strongly validated certificates.
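The article's complaint is that every SSL certificate produced the same padlock because browsers never looked at how strictly the issuing authority had vetted the subject. The mechanism browsers later adopted to tell the two apart is the X.509 certificatePolicies extension: the certification authority stamps a policy identifier into the certificate, and the browser shows the stronger indicator only when it finds a policy OID it has been configured to trust for that CA. The following Python is an added example, not code from the article or from any of the browser or CA vendors it names. It hand-encodes a certificatePolicies extension value in DER, decodes it back with a minimal parser, and chooses a display indicator. The OID 2.23.140.1.1 is the CA/Browser Forum's Extended Validation policy identifier, which postdates this 2005 article; 1.3.6.1.4.1.99999.1 is a constructed placeholder standing in for some CA's own low-assurance policy, not a real CA's identifier.

```python
# Added example: classify a certificate as "high-assurance" or "standard"
# from its certificatePolicies extension (X.509 OID 2.5.29.32), which is how
# browsers later distinguished EV certificates from ordinary ones.

EV_POLICY_OID = "2.23.140.1.1"          # CA/Browser Forum EV policy identifier (real, later standard)
DV_POLICY_OID = "1.3.6.1.4.1.99999.1"   # constructed placeholder, not any real CA's policy


def _der_len(n: int) -> bytes:
    """DER length encoding: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])       # first two arcs share one byte
    for arc in arcs[2:]:
        # base-128 groups, most significant first, high bit set on all but the last
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunks))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def der_seq(*items: bytes) -> bytes:
    """Wrap already-encoded items in a DER SEQUENCE (tag 0x30)."""
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def certificate_policies(*oids: str) -> bytes:
    """certificatePolicies value: SEQUENCE OF PolicyInformation { policyIdentifier OID }."""
    return der_seq(*(der_seq(der_oid(o)) for o in oids))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents back to dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                              # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def policy_oids(ext_value: bytes) -> list:
    """Walk the certificatePolicies SEQUENCE and collect every policyIdentifier."""
    tag, outer, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        assert tag == 0x30, "PolicyInformation must be a SEQUENCE"
        oid_tag, oid_body, _ = _read_tlv(info, 0)     # policyIdentifier comes first
        assert oid_tag == 0x06, "policyIdentifier must be an OID"
        oids.append(decode_oid(oid_body))
    return oids


def padlock_indicator(ext_value: bytes, trusted_ev_oids=frozenset({EV_POLICY_OID})) -> str:
    """Show 'high-assurance' only when a policy the browser trusts as EV is present."""
    if any(o in trusted_ev_oids for o in policy_oids(ext_value)):
        return "high-assurance"
    return "standard"


if __name__ == "__main__":
    dv_cert = certificate_policies(DV_POLICY_OID)                  # constructed low-assurance cert
    ev_cert = certificate_policies(EV_POLICY_OID, DV_POLICY_OID)   # constructed high-assurance cert
    print(policy_oids(dv_cert), padlock_indicator(dv_cert))
    print(policy_oids(ev_cert), padlock_indicator(ev_cert))
```

The point to take from the code is that the decision rests on an explicit, CA-asserted policy identifier checked against a list the browser controls, not on the mere presence of a valid certificate; a real browser additionally ties each trusted EV OID to a specific root and checks the full chain, which the example omits.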

Posted on 12/12