Microsoft / Verisign SSL Scam

Having worked at the NSA and CertCo, I’ve got quite a bit of PKI / Crypto under my belt. Public Key Cryptography is something I am a bit passionate about, given it’s profound impact on information security. So when I see something in this area that is half a bubble of plumb, I get a little worked up.

Verisign and Microsoft have teamed up to fight fraudulent web sites with a combination of Internet Explorer 7 and High Assurance SSL certificates. On the surface it doesn’t sound bad, but let’s dig into this a bit. When you purchase and deploy a High Assurance SSL certificate for your website, it’s URL will show up with a green background in IE 7. To the right of the URL will be the Site Name and certificates Issuer Name rotating back and forth. Here is an example:

EDIT: thanks again to Eric for pointing out another error of mine. Non-High Assurance certificates show up with a white background. This is much better behavior than I incorrectly reported. I still do not agree with it. Large corporations and high end retailers will spend the money for High Assurance certs first. They are going to want to be in ‘the green”. This will force the little guys who want to compete and look like the big guys to buy them as well.

Eric and I are in disagreement on the cost. He is correct in that there is no requirement that these new certs cost more. This is a tremendous opportunity for Verisign to capitalize on a technology arrangement with Microsoft to upsell a premium product. I will be shocked if High Assurance certs do not cost more than regular ones. The additional cost for the extra due dilligence (whatever that may be) has to be covered by someone. I think it may be a bit naive to think Verisign would absorb that cost.

My obvious errors aside, I still stand by my assertion that this is a ploy to sell more, higher priced certs.
Even better is that Verisign promotes High Assurance certificates as a competitive differentiator for your company. This is from their FAQ.

“If your site has the “green bar” in IE 7 and your competitor’s site does not, you appear to be more trusted and more legitimate.”

Notice the word appear. Verisign isn’t saying that the website is more trusted, it appears so to your customers. What a big steaming pile of sh!t. I happen to be picking on Verisign, they are the 800lb gorilla so I think they can take it. The idea of selling High Assurance certificates will be supported by all the commercial CA’s if it will increase revenue.

Measuring the trust level of a web site by how much they paid for an SSL certificate is ridiculous. Let’s call this what it is, a way to generate more revenue from SSL certificate sales for Verisign and other commercial CA’s. The really funny (or not so funny) thing is that most fraudulent web sites avoid SSL like the plague. Why? The phishing sites run the chance of scaring off potential victims because of the certificate warning that browsers would pop up.

EDIT: Accoriding to this post from Netcraft, 41,000 URL’s were submitted to them in 2005 using their toolbar. This post says that around 450 phishing URL’s used SSL in 2005. This means that a little over 1% of the phishing web sites used SSL.
Of those 1%, how many had SSL certs that:

a. Were not expired
b. The URL matched the certificate
c. Were issued by a root certificate in the trusted root store

Those 3 conditions already throw up visual indicators without the additional Green / Yellow / Red in the URL.

High Assurance should be an attribute of the web site itself, not an attribute of the site’s SSL certificate. /rant

Copyrights © 2019 Infosec Podcast| All Right Reserved