High assurance SSL certificates
Verisign and browser vendors have been working on a “high assurance / extended validation” type of SSL certificate. I just learned about this from an article at The Register where a Verisign exec is complaining about Mozilla.
The idea behind this “new” type of SSL certificate is that it has a field indicating the certificate authority has performed much more detailed background checks before issuing the certificate. If you’ve ever bought an SSL certificate for a web site you probably know how little checking some issuers actually do… as long as you provide a valid credit card and fax copies of some easily forged documents, some CAs will happily issue a certificate containing just about any name you like.
The high assurance SSL certificates will include a field indicating the issuer has followed a set of standard checks. According to the FAQ at Geotrust, the checks include:
“verifying the organization’s identity; verifying that the would-be purchaser has the legal authority to make the SSL certificate request for that organizational entity; and confirming that the entity is a legitimate business, not a shell or false front entity.”
SSL certificate providers are already supposed to verify each organization’s identity, but proper background checks cost money. As competition in the SSL certificate business increased, profits went down and it appears so did the thoroughness of background checks. High assurance certificates will cost more than regular ones (150% more according to the Register article) so there will be more funds available to issuers for background checks, plus external auditing will ensure they are actually doing them.
Apparently Opera and MS Internet Explorer 7 already have support for high assurance certificates. When they encounter such a site the address bar should turn green, in addition to the familiar padlock status bar icon for regular SSL. The certificates are planned to become available for web site operators next January. The FAQ at Verisign has some nice pictures of how it will work.
How will SSL certificate providers be policed? Without external auditing and enforcement, price pressures will eventually cause this standard to erode as it has for standard SSL certificates. The Verisign FAQ mentions a “Webtrust audit” will be required, which is an auditing standard licensed to accounting firms by the American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants.
So high assurance certificates are just a renewed effort to ensure CAs perform thorough background checks, coupled with a standard way for browsers to indicate a site has such a certificate. There is no change at the technical level, meaning existing issues with man-in-the-middle attacks and key loggers remain.
Update: Researchers at Stanford University have published results of a study (PDF) showing that use of these high assurance certificates did not help users identify phishing attempts.