With IE 7, green means go for legit sites

The Microsoft browser will soon use a green address bar to indicate that you can trust a Web site--but it will leave some smaller businesses out.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Starting early next year, the address bar in Internet Explorer 7 will turn green when surfing to a legitimate Web site--but only in some cases, not all.

The colored address bar is designed to be a sign that a specific site can be trusted, giving people the green light to carry out transactions there. It is a weapon in the fight against phishing scams, which use fraudulent Web sites.

The idea is among the draft guidelines created by the CA Browser Forum, an organization comprised of companies that issue certificates for Web sites and major browser makers. Last week, Microsoft decided to adopt that draft version for IE 7, released last month. It plans to add the functionality in January.

A primary concern is to help the targets of online scams, said Markellos Diorinos, a product manager for Windows at Microsoft. "If you look at the phishing problem today, it is usually about all the big brands that get hijacked," he said. "We addressed the problem that we have at hand today, and that was one very important thing for us."

There is broad agreement in the industry that Web browsers need a better way to identify trusted sites. The familiar yellow padlock icon found on sites today was designed to show that traffic with a Web site is encrypted and that a third party, called a certification authority, has identified the site. However, there's agreement that the system has been weakened by lax standards and loose supervision.

But the new system adopted for IE 7 has been causing friction, too. Initially, only corporations will be able to get the online trust indicator--a rule that shuts out smaller businesses. While the CA Browser Forum is still working on final guidelines that would include all legitimate Web sites, those could take a while to complete.

That has led some to complain that the software giant is moving too fast. Other browser makers are taking a "wait and see" approach, and some certificate issuers and small businesses say that Microsoft is jumping the gun in introducing the technology before everyone's on board.

"I believe this is an unfair standard," said Gregory Waldron, chief executive officer at Visual Water, a Conifer, Colo.-based seller of water features and fountains. "It undoes what I think is really one of the greatest things about the Internet: the ability for anyone with a good idea and a little capital to compete with Amazon or Overstock."

Locked out?
IE 7 will display a green address bar when the user goes to a Web site that has obtained an "extended validation certificate," or EV SSL, given only to incorporated entities. This new type of security certificate will be sold by the same companies that today sell Secure Socket Layer, or SSL, certificates that allow traffic to be encrypted and that are indicated by a yellow padlock.

What's EV SSL?
EV SSL stands for Extended Validation Secure Socket Layer. These are SSL certificates just like those that allow encrypted connections between browsers and sites.
The difference, though, is that the identity of each certificate holder has been verified. Requestors will be subject to a strict vetting process which all issuers must follow.

The problem is that while it is easy for sellers of certificates to verify the authenticity of a corporation, it is tough to do the same for sole proprietorships, partnerships and other types of businesses. The CA Browser Forum has talked about guidelines to do this for over a year and has not yet been able to agree.

As Visual Water is a limited liability company, Waldron believes he won't be able to get its Web site displayed with a green address bar in IE 7. He says that Microsoft is putting him at a competitive disadvantage.

"What shocks me about Microsoft is that it makes so much money off of small businesses and then it seems that sometimes they forget we exist," Waldron said. "Incorporation doesn't make a company more legitimate than another company."

The Redmond, Wash.-based software giant recognizes that under the draft guidelines, not every legitimate Web site will be able to show a green browser bar. "That is definitely a legitimate concern, but it is not an immediate problem," Diorinos said, stressing that corporations bear the brunt of most phishing attacks.

Other browser makers
Opera Software and makers of the open-source Konqueror browser agree with Microsoft that the big-brand phishing problem should have first priority. Phishing is a prevalent online scam that uses Web sites faked to look like they belong to a legitimate provider to trick people into giving up personal information. The scams, which often target financial institutions, cost businesses millions of dollars and hurt consumer trust in the Net.

"Our main concern has been protecting users from phishing attacks. Most of these companies that the current guidelines cover are the victims of phishing attacks," said Michael Smith, part of the standards team at Opera.

Still, Opera is waiting to see how Microsoft fares with the green bar in IE 7 before adding such functionality to its browser, Smith said.

Mozilla, which manages development of the Firefox browser, has not committed itself and appears to be holding out for final guidelines on extended validation certificates.

"Mozilla is evaluating various solutions, participating in the CA Browser Forum, and actively encouraging discussion between vendors and users to find a resolution that serves the needs of everyone," a company representative said.

Browser friction
The guidelines Microsoft is adopting--officially called "Draft 11 of the CA Browser Forum guidelines for extended validation certificates"--were voted down as a standard at the forum's most recent meeting because they were not inclusive enough, several members of the CA Browser Forum told CNET News.com.

"I am very dissatisfied with the fact that noncorporate entities are being excluded," said Scott Harris, CEO of XRamp, a San Antonio, Texas-based seller of Web site certificates. "Small companies aren't getting phished, but to tell people that it is safe to buy from businesses with a green bar and then not allow small businesses to get it is just discriminatory."

On the other hand, Comodo says it's a good sign that after more than a year of talks there is real movement. The Jersey City, N.J.-based certification company started the CA Browser Forum effort last year to address the issue of Web site verification.

"The champagne is on the table and the glasses are chilling in the freezer and the cheeses are warming on the table, but we have not quite dug in yet," said Judy Shapiro, the vice president of marketing at Comodo.

Some wiggle room?
It will take some time for people to become used to the green bar in IE 7, Diorinos said. By the time that consumers really perceive the color-filled address bar in the browser as a trust indicator, small businesses should also be able to get the new certificates, he said.

Comodo hopes the guidelines will include all legitimate Web sites within 90 days of when IE 7 starts displaying the first green bar in early 2007. "Otherwise there will be material damage" to unincorporated entities, Shapiro said. VeriSign, the world's largest certificate issuer, thinks it will take at least double that time.

"I don't think it is a purposeful move to exclude certain types of businesses," said Spiros Theodossiou, a product manager at VeriSign in Mountain View, Calif. "We're still going through a number of steps to include them."

IE 7 is ready to support the new certificates. However, the browser bar won't turn green until Microsoft has issued new root certificates for Windows, so the browser can recognize the new extended validation certificates. That won't happen until January.

Meanwhile, certification authorities such as VeriSign, XRamp and Comodo will need to be audited before they can sell the new certificate type. This is to ensure they follow the correct practices. All three companies will sell the extended validation certificate, even if they disagree with Microsoft's move to adopt the draft guidelines.

Corporations that want the address bar to turn green when people visit their Web site will have to buy a new certificate. This process will include extra verification to identify the company as legitimate.

With regards to criticism that it's adopting a technology that isn't fully baked, Microsoft said it isn't ignoring the standards process. It is committed to creating a standard for the new certificates, but felt it should move ahead with the draft version to deal with the phishing problem, Diorinos said.

"We had a really good first step that we could make available to users today and help online transactions today; we did not want to keep it under wraps until we can have a great solution," he said. "We're still keeping an open eye on how to evolve this and make this a great solution as soon as possible."