Having worked at the NSA and CertCo, I’ve got quite a bit of PKI / Crypto under my belt. Public Key Cryptography is something I am a bit passionate about, given its profound impact on information security. So when I see something in this area that is half a bubble off plumb, I get a little worked up.
Verisign and Microsoft have teamed up to fight fraudulent web sites with a combination of Internet Explorer 7 and High Assurance SSL certificates. On the surface it doesn’t sound bad, but let’s dig into this a bit. When you purchase and deploy a High Assurance SSL certificate for your website, its URL will show up with a green background in IE 7. To the right of the URL will be the Site Name and the certificate’s Issuer Name rotating back and forth. Here is an example:

So far so good. What about the companies who use their own self-signed certificates? They show up in a yellow background with the words “Suspicious Website” to the right of the URL. Like this:
EDIT: As Eric from MS points out, self-signed certificates show up in Red. This was an obvious error on my part. I have no problem with this behavior since self-signed certs are probably the most risky.
OK, I’ll buy that since anyone can roll their own SSL certificate. These certificates will also cause IE to throw a warning box because the certificate issuer is not in the browser’s trusted root certificate store. What about non-High Assurance certificates issued by Verisign (and other commercial CAs)? Here is where this train wreck goes off the rails. It’s also why I flat out call it a scam. The SSL certificate that you paid $300 for from Verisign last year will cause your website to show up as Suspicious Website in Internet Explorer 7. Why? Because it is not one of their High Assurance certificates. What a great way to force companies to buy Verisign’s premium product: the threat of having your website tagged as a Suspicious Website by the browser.
EDIT: thanks again to Eric for pointing out another error of mine. Non-High Assurance certificates show up with a white background. This is much better behavior than I incorrectly reported. I still do not agree with it. Large corporations and high end retailers will spend the money for High Assurance certs first. They are going to want to be in “the green”. This will force the little guys who want to compete and look like the big guys to buy them as well.
Eric and I are in disagreement on the cost. He is correct in that there is no requirement that these new certs cost more. This is a tremendous opportunity for Verisign to capitalize on a technology arrangement with Microsoft to upsell a premium product. I will be shocked if High Assurance certs do not cost more than regular ones. The additional cost for the extra due diligence (whatever that may be) has to be covered by someone. I think it may be a bit naive to think Verisign would absorb that cost.
My obvious errors aside, I still stand by my assertion that this is a ploy to sell more, higher priced certs.
Even better is that Verisign promotes High Assurance certificates as a competitive differentiator for your company. This is from their FAQ.
“If your site has the “green bar” in IE 7 and your competitor’s site does not, you appear to be more trusted and more legitimate.”
Notice the word appear. Verisign isn’t saying that the website is more trusted, it appears so to your customers. What a big steaming pile of sh!t. I happen to be picking on Verisign; they are the 800lb gorilla so I think they can take it. The idea of selling High Assurance certificates will be supported by all the commercial CAs if it will increase revenue.
Measuring the trust level of a web site by how much they paid for an SSL certificate is ridiculous. Let’s call this what it is, a way to generate more revenue from SSL certificate sales for Verisign and other commercial CAs. The really funny (or not so funny) thing is that most fraudulent web sites avoid SSL like the plague. Why? The phishing sites run the chance of scaring off potential victims because of the certificate warning that browsers would pop up.
EDIT: According to this post from Netcraft, 41,000 URLs were submitted to them in 2005 using their toolbar. This post says that around 450 phishing URLs used SSL in 2005. This means that a little over 1% of the phishing web sites used SSL.
Of those 1%, how many had SSL certs that:
a. Were not expired
b. The URL matched the certificate
c. Were issued by a root certificate in the trusted root store
Those 3 conditions already throw up visual indicators without the additional Green / Yellow / Red in the URL.
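The three conditions above are exactly what a browser checks before it shows a plain lock, and each one fails with a distinct error. The program below is an added example written for this post, not the author’s code and not IE’s or Verisign’s logic. It generates a throwaway root CA and four leaf certificates in memory with Go’s standard crypto/x509 package (the names Example Root CA, www.example.com and shop.example.net are made up for the example), then runs the same expiry, host-name and trusted-root checks against each, evaluated at the post’s date so the results are reproducible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// date is a small helper for readable validity windows (UTC midnight).
func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// newCert is a hypothetical helper for this example: it issues a certificate
// for the given names, signed by parent, or self-signed when parent is nil
// (what the post calls "rolling your own"). Everything is generated in memory.
func newCert(cn string, dns []string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Classify maps a verification error onto the post's three conditions:
// not expired, URL matches the certificate, issued by a trusted root.
func Classify(err error) string {
	var invalid x509.CertificateInvalidError
	var hostname x509.HostnameError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostname):
		return "name-mismatch"
	case errors.As(err, &unknown):
		return "untrusted-root"
	default:
		return "other: " + err.Error()
	}
}

// CheckSite runs the browser-style check: chain to a root in `roots`,
// valid at `now`, and a SAN that matches `host`.
func CheckSite(leaf *x509.Certificate, host string, roots *x509.CertPool, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	return Classify(err)
}

// RunScenarios builds a constructed trust store with one root CA and checks
// four leaf certificates for www.example.com against it as of 27 Oct 2006.
func RunScenarios() map[string]string {
	now := date(2006, time.October, 27)
	ca, caKey := newCert("Example Root CA", nil, true, date(2000, time.January, 1), date(2030, time.January, 1), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	host := "www.example.com"
	good, _ := newCert(host, []string{host}, false, date(2006, time.January, 1), date(2007, time.December, 31), ca, caKey)
	expired, _ := newCert(host, []string{host}, false, date(2004, time.January, 1), date(2005, time.December, 31), ca, caKey)
	wrongName, _ := newCert("shop.example.net", []string{"shop.example.net"}, false, date(2006, time.January, 1), date(2007, time.December, 31), ca, caKey)
	selfSigned, _ := newCert(host, []string{host}, false, date(2006, time.January, 1), date(2007, time.December, 31), nil, nil)

	return map[string]string{
		"trusted root, valid, name matches": CheckSite(good, host, roots, now),
		"expired":                           CheckSite(expired, host, roots, now),
		"name mismatch":                     CheckSite(wrongName, host, roots, now),
		"self-signed":                       CheckSite(selfSigned, host, roots, now),
	}
}

func main() {
	for scenario, result := range RunScenarios() {
		fmt.Printf("%-36s -> %s\n", scenario, result)
	}
}
```

Only the first scenario comes back "ok"; the other three each trip one of the conditions and would already produce a warning in any browser of the era, which is the point being made above. Note that Go's Verify checks expiry, then the host name, then the chain, so a certificate with several problems reports only the first one found.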
High Assurance should be an attribute of the web site itself, not an attribute of the site’s SSL certificate. /rant
Here are some links to what others had to say.
www.temme.net/sander/2006/10/27/new-ssl-certificates-now-with-green-which-is-more-safer/
iplist.blogspot.com/2006/10/ip-warning-microsoftverisign-scam-on.html
www.opera.com/security/toronto/
dot.kde.org/1132619164/
www.hecker.org/mozilla/ssl-ui
blogs.msdn.com/ie/archive/2005/11/21/495507.aspx
–Chris
Technorati Tags: Verisign, Microsoft, Internet Explorer, SSL, Certificate Authority


October 27th, 2006 at 3:23 pm
There are several incorrect claims here.
1> Untrusted self-signed certificates show as Certificate Error, the address bar is red, and the user is stopped by a blocking page.
To be clear, the “Suspicious Website” page you’re talking about comes from the fact that this is a phishing webpage coming from an IP address. HTTPS isn’t at all involved here.
2> Non-Extended-Validation certificates do not show in Yellow. The address bar is white and the lock icon is shown.
As for the idea that EV certificates are simply “more expensive”, that’s not true either. There’s no particular criteria that EV certificates be more expensive. The criteria is that the CA must follow a well-defined vetting process against the organization requesting the certificate.
October 27th, 2006 at 3:33 pm
Eric,
Thank you for the corrections on 1 and 2. I will update them shortly. As for the cost of certificates, EV will be more according to the Verisign rep I spoke with. This rep also said they will continue to sell both types of certificates. Why would they do that if the price was the same? EV is going to be a value add sell. I never said there was a requirement to sell for more, but an opportunity to do so.
Thanks again for the corrections.