Begin forwarded message:
From: Cliff Bamford <bamford@xxxxxx>
Date: October 26, 2006 10:45:34 AM EDT
To: dave@xxxxxxxxxx
Subject: Warning: Microsoft/Verisign scam on the horizon
Dave: for IP if you wish...
Microsoft doesn't like the fact that Firefox is chipping away at its Internet Explorer monopoly. It has teamed up with another outfit with equally uncertain corporate morals: Verisign. Together, they are going to implement a masterpiece of marketing hype called "extended validation certificates (EVCs)". I'll explain what those are below, but first here are my predictions about the effects EVCs will have on our online lives:
Extended validation certificates will:
1. Further screw up the already dismal security of the Internet
2. Confuse and mislead nearly everybody
3. Help Microsoft scare people back to Internet Explorer
4. Allow Verisign to charge premium prices for a bunch of almost meaningless "upgrades"
The way this will work is: when you visit a site that has purchased an EVC from Verisign, if you are using a recent version of Internet Explorer, the address bar at the top of your browser window will turn green --- supposedly indicating that you are connected to a "super secure" site. This is brilliant marketing, but technically, it is 99% baloney.
Digital certificates are electronic credentials that your browser uses to ensure that you are actually communicating with the website you think you're communicating with. They don't work very well, in part because this is a very difficult problem involving elusive concepts like "the true identity of an organization, as reflected in the equipment it attaches to the Internet" --- or worse, "the website you think you're communicating with". The problem was slowly being solved, but neither Microsoft nor Verisign (nor, to be fair, anybody else) was willing to wait for a solution. So the current version of digital certificates was implemented, in a manner that left serious holes in the security fence that certificates were supposed to provide.
Most of the holes have been patched, but the original, fundamental issues of identity and authentication are still unsolved. Until a good solution to those abstract problems is found and widely implemented (that's at least 5 to 10 years away), the term "fully validated digital certificate" is an oxymoron.
But people want assurance that they are safe while surfing the wild and dangerous Internet --- and they don't want to waste much time understanding the details. Which is why a green bar is a brilliant marketing idea --- even if it actually means next to nothing.
Microsoft is a masterful marketing company, but it doesn't do security very well. Remember January 2004, when Bill Gates promised us that spam would be ended by 2006? The reason that Bill couldn't keep his promise was ultimately due to the same kinds of problems with identity and authentication that apply to digital certificates -- "extensively validated" or otherwise.
Bill's promise about spam was empty. The green bar in Internet Explorer will be almost equally empty. Unfortunately, many people will probably fall for the razzle-dazzle.
Cliff Bamford
Here's some background information:
Original URL:
http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/
Verisign backs Vista security green streak
By Chris Williams (chris.williams@xxxxxxxxxxxxxxxxx)
Published Wednesday 25th October 2006 12:04 GMT
The Mozilla Foundation risks losing the browser battle if it fails to keep up with Microsoft by incorporating new security technology into Firefox, a Verisign exec has claimed.
According to Verisign product marketing director Tim Callan, the "loose collection of technoanarchists" which make up the open source development community has frustrated efforts to build new security features into its new browser.
Verisign is at the RSA Europe Conference in Nice talking up a new breed of online security certificate. The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.
In response, the verification industry in the form of the CA browser forum has come up with extended validation SSL, where the certificate really is a guarantee of kosher status. Honest.
Murphy's law says extended validation will be broken by the bad guys sooner or later. Callan said the industry had learned from the fossilised nature of SSL, and the new standard will be continually updated to keep pace with organised crime. "That's how it goes... I'm not going to lie and say we can beat them with a static defence," he said.
The system is implemented in IE7 by turning the address green for sites holding an extended validation certificate. Redmond is keeping the feature under wraps until the release of Vista in January, when the first wave of extended validation certificates will be issued to the likes of PayPal and Amazon. Along with many others, Verisign are working towards a January 24 release date which was briefly bean-spilled by Amazon on Vista pre-orders.
Callan puts Mozilla's apparent heel-dragging on the new security technology down to the character of its development community. Several community members have been involved in the development process, however, and are "acutely aware of the most minor details" of the project.
One snarl-up for Mozilla may have been working out an alternative to the rest of Microsoft's site-rating system. As well as dishing out green address bars, servers at Redmond will blacklist dodgy and suspect sites, which can look forward to red and amber flashing up.
A Firefox implementation of extended validation can only be a matter of time, since the Mozilla Foundation knows in order to compete it cannot afford for its browser to be just as good as IE7; it has to be better.
Verisign say 99 per cent of sites will get the "ok" and the address bar left white. Only outfits which fork out for an extended validation SSL will get the psychological fillip of "green for go". Firms will have to stump up about 150 per cent of what they currently do for an SSL certificate.
Microsoft-beating security meant the first Firefox browser found its way onto millions of desktops. When Vista finally ships, a big Microsoft public awareness campaign will be aimed at making extended validation a de facto standard, which will pile pressure on Mozilla to update Firefox sharpish. ®
Archives at: http://www.interesting-people.org/archives/interesting-people/