Browsers to get sturdier padlocks

The browser icon was designed to show that traffic with a Web site is encrypted and that a third party, called a certification authority, has identified the site and vouches for its validity. But in recent years, standards of verification have slipped, undermining the sense of security implied by the padlock.

To solve that problem, a group of companies that issue the Secure Socket Layer certificates are working with major Web browser makers to develop a new type of "high assurance" certificate. The informal organization, dubbed the CA Forum, has held three unpublicized meetings this year and plans to meet again next year, representatives from the companies involved told CNET News.com.

"We as an industry must look into trust threats," said Melih Abdulhayoglu, chief executive of Comodo, a certification authority based in Jersey City, N.J., that set up the first CA Forum meeting. "You want the padlock to be meaningful. At the moment the value is confused because some providers issue certificates willy-nilly."

The planned new security certificates, allied to Web browser changes, are meant to help rebuild trust in the Web and fight phishing in particular.

The lock icon was designed to assure consumers that online transactions, such as banking and shopping, are protected. As such, it's key to Web commerce, a big business: Forrester Research predicts online retail sales in the United States will grow from $172 billion this year to $329 billion in 2010.

The issue has become more urgent with the advent of phishing scams, which use phony Web sites to trick unsuspecting victims into giving up sensitive information. Some phishers have used valid certificates to give their fraudulent sites a sense of legitimacy with a padlock icon.

"The level of identification that certification authorities do today is subject to somewhat broad standards," said Rob Franco, lead program manager for IE security at Microsoft. "In a world where users get phished and sites try to misrepresent themselves, I think it is important to have a new standard with more identity backing."

Behind the padlock
Today's SSL certificates contain an encryption key, which the certification authority attests belongs to the organization noted in the certificate. Its task is to verify an applicant's credentials, so that Web site users can trust the information in the certificates.

Initially, all certificate providers performed thorough checks of applicants before they issued a security certificate for a Web site. Several years ago, however, some providers relaxed their background checks in order to offer cheaper certificates, and the rest of the market followed, industry members said. Some companies will supply a certificate based on little more than a valid e-mail address, for example.

"The problem with a basic certificate is that the level of screening is too low, and the validation method at the browser is not easy enough for average user," said Jim Maloney, chief security officer at Corillian, which provides online banking technology to more than 100 banks, including Wachovia, JP Morgan Chase and Capitol One. Right now, people have to click on the padlock to get more information about who the certificate belongs to.

Global financial institutions lost at least $400 million in 2004 due to phishing schemes, according to Financial Insights, part of analyst company IDC. Online threats have also instilled fear in consumers. Nearly half of U.S. voters in a survey said fear of identity theft was keeping them from conducting business online, the Cyber Security Industry Alliance reported in June.

Browsers are part of the certification problem. Certificates are regarded as equal by the applications, irrespective of the credentials and practices of the certification authority. All sites with an SSL certificate get the same padlock display.

"Web browsers have not been able to deal with the different kinds of certificates, which meant that it did not matter how strong the verification was by the certification authority, and some took advantage of that," Gartner analyst John Pescatore said.

When the padlock was first invented by Netscape in the early days of the Web, it stood for a secured connection with an identified Web site. That changed when some certification authorities started lowering their verification standards and discounting certificates, said Judy Shapiro, vice president of marketing at Comodo.

"Browsers did an end-run around this. Nobody expected anyone to delete what was a key part of the certificate issuance process, which was the business verification," she said. "Browsers were unprepared to display high assurance and low assurance certificates in a different way."

But that is set to change next year, with Microsoft planning to release Internet Explorer 7 and makers of other Web browsers also contemplating changes in the way their applications handle SSL certificates.

The move by browser makers is partly why certification authorities such as VeriSign, Comodo, GeoTrust and Cybertrust are banding together in the CA Forum to come up with an industry wide agreement on a new, highly verified certificate. The group has met informally to work on standard guidelines for issuing such certificates three times this year, in New York, Boston and Montreal, representatives from member companies said.

"The certification authorities and browser vendors are coming together to identify what a high-assurance certificate should do," said Spiros Theodossiou, a product manager at VeriSign in Mountain View, Calif., the largest certificate authority. "We're trying to define a standard so that consumers can know that the Web site that they are on actually belongs to that organization."

Such a standard is lacking right now, and certificate vendors each have varying rules. For example, to get a certificate that carries the VeriSign name, an applicant must prove it is a registered business and that it has a right to use a specific Internet domain. VeriSign also verifies if the employee buying the certificate is allowed to do so. GeoTrust, a digital certificate provider in Needham, Mass., uses an automated verification system, and VeriSign's Thawte unit offers certificates that only require a confirmation via e-mail.

The padlock in IE's current status bar indicates the Web site has been certified, but not the level of verification.

The high-assurance certificates will go beyond what certificates do today, said Chris Bailey, the chief technology officer at GeoTrust. "They strongly bind the domain name of a Web site to an organization. They also strongly confirm the authority of a requestor to act on behalf of an organization, and they confirm that the business is real," he said.

The certificate authorities are working to make the vetting process for the new high-assurance certificates objective and consistent across the industry. The companies have involved the American Bar Association as an independent affiliate to help with the guidelines, representatives from several certification authorities said.

"We have come far and think that by midyear we will actually have a working product," Bailey said. VeriSign and Comodo also expect to have the new type of certificate available next year.

Round the corner
WebPay, provider of the Click&Buy an online payment service that works with Internet phone company Skype and Apple Computer's European version of iTunes, is waiting for the certificate change, said Fabian Siegel, chief technology officer of the Zurich, Switzerland-based company.

"This is the right step to make this SSL functionality consumer friendly. Those new SSL certificates will definitely help consumers secure themselves against phishing sites," he said. "The biggest problem in the industry today is that consumers don't understand much about the usage of SSL certificates in browsers."

Banks are also likely to adopt the high-assurance certificates, Corillian's Maloney said.

Makers of major Web browsers--Microsoft's Internet Explorer, the Mozilla Foundation's Firefox browser, Opera Software's browser and the open-source Konqueror browser--have called for the new certificates. Most browsers are expected to support those in their applications, with special user interfaces that go beyond simply displaying the padlock.

In the forthcoming IE 7, Microsoft plans to display a green-filled address bar for sites that meet the future guidelines and have been awarded the new certificate.

"We think this will help consumers identify sites that they know and want to do business with. It stands in contrast to the experience that they have when they visit a phishing site or the average everyday Web site," Microsoft's Franco said. IE 7 is currently in testing. A final version is scheduled for release by the end of 2006.

Developers for Firefox, Opera and Konqueror are also considering adding new display mechanisms to the padlock to call out the strongly encrypted and strongly validated certificates.

"If the certificate authorities can come to some agreement, implementing those certificates will become a priority," said Thomas Ford, an Opera spokesman.

Firefox developers are also looking at possible changes, said Chris Beard, vice president of products at Mozilla. While they have not yet settled upon a final design, they are performing a comprehensive review of potential SSL security enhancements, he said.

The biggest hurdle to overcome in creating the new type of certificate is bridging differences between certificate authorities, VeriSign's Theodossiou said. "If we can agree, it will definitely enhance the trustworthiness for consumers in dealing with Web sites," he said.