EV SSL, aka "high assurance" certs: When Will We Call It What It Really Is?
Well, at some point someone's got to do it. Two experts (I assume they are, to have opinions printed in a magazine I regard very highly; it's one of the few I actually subscribe to, SC Magazine, April 2007 issue) weighing in on "high assurance" certs, the abomination formerly known as EV SSL (?), both correct, and both missing or avoiding (?) the obvious: it's not only a marketing "thingy", it's just a cash cow...a search for a new revenue stream.
In addition to being tagged as "certifiably useless", based on a Stanford study that concluded:
"The only real information a user will get from an EV certificate is that a particular web site ponied up extra cash to get one"
There are obvious questions that we should all ask: what is the definition of a Trusted 3rd Party Certificate Authority? I know I have:
http://dailycrapola.blogspot.com/2007/01/enhanced-validation-ssl-cash-cow.html
- Was it simply for secure communications? Hogwash, it takes 2 or 3 clicks of the mouse to install a Private CA in IIS (likely just as simple for all other platforms) and we can all have encrypted traffic flowing
- Wasn't it so that we could have some 3rd party whom we could all trust? Yeah, I remember that
- Was it technology that failed? Or was it the process? Me thinks it's the latter...so will a "product" solve a process issue? Or is the process in fact the new product? But the "process" was their whole point for being, wasn't it? [loop to first bullet point]
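To make the first bullet concrete, here is an added example (not code from the original post, and not anything the cert vendors ship): a POSIX shell script that uses the openssl CLI to stand up a private CA, issue a server certificate with no identity checks at all, and then verify that certificate two ways. The names "Lab Private CA" and "www.example.test" are made up for the demo, and the script assumes openssl and mktemp are on the PATH. The cryptography works either way; the only thing the private cert lacks is a third party's trust anchor and a policy OID, which is exactly the "process" part.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is installed.
# Builds a private CA, signs a server cert with it, and verifies the result.
set -e

# Create a private CA and a CA-signed server cert in a fresh temp dir.
# Prints the directory so the other functions can find the files.
make_private_ca() {
    work="$(mktemp -d)"
    # 1. Self-signed root. Nobody outside this lab has ever heard of it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Lab Private CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1
    # 2. Server key and CSR for a hypothetical host (name is an assumption).
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$work/srv.key" -out "$work/srv.csr" >/dev/null 2>&1
    # 3. The CA signs it. No paperwork, no fee, no "validation" of anything.
    openssl x509 -req -in "$work/srv.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -days 90 -out "$work/srv.crt" >/dev/null 2>&1
    echo "$work"
}

# A client that installed the private CA sees a valid chain: full TLS
# encryption with zero third-party involvement.
verify_with_private_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/srv.crt" >/dev/null 2>&1 \
        && echo trusted || echo untrusted
}

# A client that only has the default (system/browser) trust store rejects the
# very same certificate. The trust anchor, not the crypto, is what the public
# CA business actually sells.
verify_with_system_store() {
    openssl verify "$1/srv.crt" >/dev/null 2>&1 \
        && echo trusted || echo untrusted
}

# EV is signalled by a certificatePolicies extension carrying the CA/Browser
# Forum EV OID (2.23.140.1.1). Our lab cert carries no policies at all, yet a
# browser that trusts the CA would still show a padlock for it.
has_certificate_policies() {
    openssl x509 -in "$1/srv.crt" -noout -text 2>/dev/null \
        | grep -q "Certificate Policies" && echo yes || echo no
}

# Stand-alone run: print the three results.
dir="$(make_private_ca)"
echo "verify against private CA : $(verify_with_private_ca "$dir")"
echo "verify against system store: $(verify_with_system_store "$dir")"
echo "has certificatePolicies    : $(has_certificate_policies "$dir")"
```

The expected run shows "trusted" for the private CA, "untrusted" for the system store and "no" for the policies extension. That is the whole argument in three lines: encryption was never the scarce resource; the trust decision made on the client is, and that decision is a process the CAs were already supposed to be doing for the plain padlock.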
Ok, so one study by Stanford shouldn't be taken as the ultimate source of information. Fine, I have a suggestion:
If we really want EV SSL to "cure" phishing, it's simple. STOP SELLING "LEGACY" SSL certs. Then you'll have more credibility, and no confusion, since no one can have a "padlock" (of any color) without being validated properly (like they should have done in the first place). Only legitimate businesses can have a "padlock". Add some accountability, like offering some guarantee to the consumer if for some reason an illegitimate business manages to obtain a cert. I'll make it easy: offer the same "insurance" provided to the cert holders...cap the liability if they want...
Then we can all join Scott Harris to "encourage (even teach) to only do business with sites that have a padlock", not green, not yellow nor white, just a padlock.
When cert providers do that, I'll stop calling it a cash grab.
Sorry, if the excuse is "what about the smaller people?"
What about them? Validate them, give tiered pricing, period. We don't need a green bar for that to happen.
Labels: browser security, EV SSL, high assurance certificate, phishing