[IP] Warning: Microsoft/Verisign scam on the horizon

To: ip@xxxxxxxxxxxxxx
Subject: [IP] Warning: Microsoft/Verisign scam on the horizon
From: David Farber <dave@xxxxxxxxxx>
Date: Thu, 26 Oct 2006 10:53:14 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <C301178B-6EB6-4C7C-87FD-F46E194C1F87@xxxxxx>
Reply-to: dave@xxxxxxxxxx



Begin forwarded message:

From: Cliff Bamford <bamford@xxxxxx>
Date: October 26, 2006 10:45:34 AM EDT
To: dave@xxxxxxxxxx
Subject: Warning: Microsoft/Verisign scam on the horizon

Dave: for IP if you wish...

Microsoft doesn't like the fact that Firefox is chipping away at itsInternet Explorer monopoly. It has teamed up with another outfitwith equally uncertain corporate morals: Verisign. Together, theyare going to implement a masterpiece of marketing hype called"extended validation certificates (EVCs)” I’ll explain what those arebelow, but first here are my predictions about the effects EVCs willhave on our online lives:


Extended validation certificates will:

1. Further screw up the already dismal security of the Internet

2. Confuse and mislead nearly everybody

3. Help Microsoft scare people back to Internet Explorer

4. Allow Verisign to charge premium prices for a bunch of almostmeaningless "upgrades"

The way this will work is: when you visit a site that has purchasedan EVC from Verisign, if you are using a recent version of InternetExplorer, the address bar at the top of your browser window will turngreen --- supposedly indicating that you are connected to a "supersecure" site. This is brilliant marketing, but technically, it is99% baloney.

Digital certificates are electronic credentials that your browseruses to insure that you are actually communicating with the websiteyou think you're communicating with. They don't work very well, inpart because this is a very difficult problem involving elusiveconcepts like "the true identity of an organization, as reflected inthe equipment it attaches to the Internet" --- or worse, "thewebsite you think you're communicating with". The problem was slowlybeing solved, but neither Microsoft nor Verisign (nor, to be fair,anybody else) was willing to wait for a solution. So the currentversion of digital certificates was implemented, in a manner thatleft serious holes in the security fence that certificates weresupposed to provide.

Most of the holes have been patched, but the original, fundamentalissues of identity and authentication are still unsolved. Until agood solution to those abstract problems is found and widelyimplemented (that’s at least 5 to 10 years away), the term “fullyvalidated digital certificate” is an oxymoron.

But peopled want assurance that they are safe while surfing the wildand dangerous Internet --- and they don’t want to waste much timeunderstanding the details. Which is why a green bar is a brilliantmarketing idea --- even if it actually means next to nothing.

Microsoft is a masterful marketing company, but it doesn’t dosecurity very well. Remember January 2004, when Bill Gates promisedus that spam would be ended by 2006? The reason that Bill couldn’tkeep his promise was ultimately due to the same kinds of problemswith identity and authentication that apply to digital certificates-- "extensively validated" or otherwise.

Bill’s promise about spam was empty. The green bar in InternetExplorer will be almost equally empty. Unfortunately, many peoplewill probably fall for the razzle-dazzle.


Cliff Bamford

Here’ some background information:

Original URL: http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/


Verisign backs Vista security green streak

By Chris Williams (chris.williams@xxxxxxxxxxxxxxxxx)

Published Wednesday 25th October 2006 12:04 GMT

The Mozilla Foundation risks losing the browser battle if it fails tokeep up with Microsoft by incorporating new security technology intoFirefox, a Verisign exec has claimed.

According to Verisign product marketing director Tim Callan, the"loose collection of technoanarchists" which make up the open sourcedevelopment community has frustrated efforts to build new securityfeatures into its new browser.

Verisign is at the RSA Europe Conference in Nice talking up a newbreed of online security certificate. The padlock encryption symbolused by browsers has been effectively meaningless for some time, andconsumer paranoia surrounding fraud remains a barrier to using onlinecommerce for many.

In response, the verification industry in the form of the CA browserforum has come up with extended validation SSL, where the certificatereally is a guarantee of kosher status. Honest.

Murphy's law says extended validation will be broken by the bad guyssooner or later. Callan said the industry had learned from thefossilised nature of SSL, and the new standard will be continuallyupdated to keep pace with organised crime. "That's how it goes...I'mnot going to lie and say we can beat them with a static defence," hesaid.

The system is implemented in IE7 by turning the address green forsites holding a extended validation certificate. Redmond is keepingthe feature under wraps until the release of Vista in January, whenthe first wave of extended validation certificates will be issued tothe likes of PayPal and Amazon. Along with many others, Verisign areworking towards a January 24 release date which was briefly bean-spilled by Amazon on Vista pre-orders.

Callan puts Mozilla's apparent heel-dragging on the new securitytechnology down to the character of its development community.Several community members have been involved in the developmentprocess however and are "acutely aware of the most minor details" ofthe project.

One snarl-up for Mozilla may have been working out an alternative tothe rest of Microsoft's site-rating system. As well as gettingdishing out green address bars, servers at Redmond will blacklistdodgy and suspect sites, which can look forward to red and amberflashing up.

A Firefox implementation of extended validation can only be a matterof time, since the Mozilla Foundation knows in order to compete itcannot afford for its browser to be just as good as IE7; it has to bebetter.

Verisign say 99 per cent of sites will be get the "ok" and theaddress bar left white. Only outfits which fork out for an extendedvalidation SSL will get the psychological filip of "green for go".Firms will have to stump up about 150 per cent of what they currentlydo for an SSL certificate.

Microsoft-beating security meant the first Firefox browser found itsway onto millions of desktops. When Vista finally ships, a bigMicrosoft public awareness campaign will be aimed at making extendedvalidation a de facto standard, which will pile pressure on Mozillato update Firefox sharpish. ®


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on Apple's iPod code 'cracked'
Next by Date: [IP] more on Dynamic IP address confusion results in wrong family raided
Previous by thread: [IP] Dutch parliament neatly slashed Gordian Knot of neutral network issue
Next by thread: [IP] more on Dynamic IP address confusion results in wrong family raided
Index(es):
- Date
- Thread