IE 7 gives secure Web sites the green light

The software giant in early January made a change on its computer systems that allowed Web sites fitted with a new type of security certificate to display a green-filled address bar in IE 7, Markellos Diorinos, a product manager for Windows at Microsoft, said in an interview.

"We have rolled out many of the parts that are required to get it working. We're coming close to the point where all the moving parts are in place," Diorinos said. Microsoft plans to promote the green bar at next week's RSA Conference in San Francisco, an annual security confab kicked off by Microsoft Chairman Bill Gates.

The colored address bar, a new weapon in the fight against phishing scams, is meant as a sign that a site can be trusted, giving Web surfers the green light to carry out transactions there. The green bar already appears on the secured sites of Overstock.com and VeriSign.

VeriSign has about 300 customers, including online retailer Overstock.com, that have signed up for the green bar certification process, said Spiros Theodossiou, a senior product manager at VeriSign. The company plans to unveil the names of more participating Web sites at the RSA Conference, he said.

Phishing is a prevalent online scam that uses faked Web sites to trick people into giving up personal information. The scams cost businesses millions of dollars and hurt consumer trust in the Internet. Nearly $2 billion in U.S. e-commerce sales were lost in 2006 due to security concerns, a recent Gartner survey estimated.

"We want users to build up their confidence and feel safe again about transacting online," Diorinos said. "EV (extended validation) is one of many things we're doing to achieve that."

SSL price hike
IE 7, Microsoft's newest Web browser, will show a green address bar only when displaying a Web site that has an "extended validation certificate," or EV SSL. This is a new type of security certificate being sold by the same companies that sell Secure Socket Layer, or SSL, certificates that allow traffic to be encrypted and that are indicated by a yellow padlock in Web browsers.

There is broad industry agreement that Web browsers need to better identify trusted sites. The padlock icon used today was designed to show that traffic with a Web site is encrypted, and that a third party, called a certification authority, has identified the site. However, the system has been weakened by lax standards and loose supervision.

EV SSL certificates are just like those that allow encrypted connections between browsers and sites. The difference is that the identity of each certificate holder has been verified. Requestors will be subject to a strict vetting process that all issuers must follow. As a result, EV certificates cost more than traditional SSL certificates.

For example, Cybertrust sells conventional certificates for $230 a year, but charges $800 a year for an EV SSL certificate. Similarly, VeriSign sells EV SSL certificates for $995 a year, while its traditional certificates go for $399. Discounters sell the common certificates for much less. GoDaddy, for example, has prices as low as $19.99 a year.

"With EV we have a common vetting standard, which raises the cost. That is why you can't have these rock-bottom prices," Johan Sys, a senior director at Cybertrust, said in explaining the price difference.

Shutting out the little guy
The new system adopted by Microsoft has won both praise and criticism. Initially, only incorporated entities will be able to get the trust indicator--a rule that shuts out smaller businesses. The CA Browser Forum, the organization that drafts the rules for EV SSL certificates, is still working on guidelines that would include all legitimate Web sites.

"The CA Browser Forum is continuing to work on that issue and that is probably No. 1 on the agenda," Diorinos said.

The CA Browser Forum, comprised of companies that issue certificates for Web sites and major browser makers, is treading carefully. It doesn't want to weaken the security of the EV SSL certificates, VeriSign's Theodossiou said.

"We don't want to come up with a standard for nonregistered businesses that adds a loophole," Theodossiou said. "We want to make sure that the standard is correct. Trying to push out something that adds loopholes is pushing out something that devalues the green toolbar."

Microsoft is the first browser maker to adopt the EV SSL certificates. Some say the Redmond, Wash.-software giant even jumped the gun by adopting an unfinished standard for issuing the certificates. Other browser makers are still contemplating how to support the new certificates in their products.

"We are including support for EV certificates in Firefox 3, but we are still investigating how we will communicate the additional information to the user," said Window Snyder, security chief at Mozilla, which coordinates development of Firefox, the most used Web browser after IE. Firefox 3 is due in the second half of the year, Snyder said.

Representatives for Opera have said they are waiting to see how Microsoft fares with the green bar in IE7, which last month reached more than 100 million users, before adding such functionality to its browser.

Adoption of EV SSL certificates is expected to ramp up as more people become aware of the feature. "We think the adoption rate can take about 6 to 12 months until you hit a sweet spot where most of the high-profile Web sites will have it," Cybertrust's Sys said.

Microsoft plans to make promotional material available for Web site owners to explain what the green bar means, Diorinos said. "I will pop the champagne when we see widespread adoption of EV and when we start seeing users be more secure online," he said.