×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Extended Validation SSL, More Secure or Just a Racket?

ScuttleMonkey posted more than 7 years ago | from the fun-with-revenue-generation dept.

205

Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

205 comments

Color coded? (4, Insightful)

eric76 (679787) | more than 7 years ago | (#16585242)

Verisign say 99 per cent of sites will be get the "ok" and the address bar left white. Only outfits which fork out for an extended validation SSL will get the psychological filip of "green for go". Firms will have to stump up about 150 per cent of what they currently do for an SSL certificate.

I'm colorblind. Would I ever notice the difference?

Re:Color coded? (1, Informative)

Anonymous Coward | more than 7 years ago | (#16585348)

Yes. Look at the screenshots and you'll see the organization name appears at the right of the address bar.

Yes. (3, Informative)

khasim (1285) | more than 7 years ago | (#16585430)

IE 7 will have different icons on the location bar to indicate that a site has the "higher" level of "security" (translation: "bought the new certificate").

Re:Color coded? (0, Redundant)

Zeinfeld (263942) | more than 7 years ago | (#16585580)

I'm colorblind. Would I ever notice the difference?

yes, Microsoft has thought of that one, there are other, non colour cues.

Certs are a joke (2, Insightful)

rs79 (71822) | more than 7 years ago | (#16585676)

In a world where even PayPal can't get it right (and nobody cares) what does it matter?

"Oh, it's an https site. It's encrypted. Cool". Next.

Some time when you're really bored look at the low level ssl stuff (with openssl or something) and notice all the errors. The browsers ignore so many of these I think it's all a big joke.

Re:Certs are a joke (1)

Fulcrum of Evil (560260) | more than 7 years ago | (#16586386)

In a world where even PayPal can't get it right (and nobody cares) what does it matter?

Aside from their lack of care with your money, paypal gets a lot right - all their communication refers to paypal.com, not somerandomurl.com like a lot of real banks do. This single thing is probably worth way more than any fancy SSL hokum.

Re:Color coded? (3, Funny)

interiot (50685) | more than 7 years ago | (#16585936)

Don't worry. Once consumers realize that the new "super duper" certs are being given out to phishers as well, Verisign will come out with a 3rd level of verification ("extra super duper certificates") that cost 50% more, and they'll have to go to a numbering or lettering scheme ("1", "2", "3"). This will also facilitate the periodic addition of new levels whenever consumers realize Verisign still isn't doing the job they say they're getting paid to do.

Most colorblind people can tell white from green (2, Interesting)

wsanders (114993) | more than 7 years ago | (#16586198)

However, they feel just as dumb as everyone else after they've been suckered into paying an extra $1000 for a Verisign Super-duper Whiz-Bang Mega-Ultra Cert.

To be honest there is a difference between a cert from a real CA and some $10 cert from some outfit that doesn't care anything more about your true identity than whether your credit card payment goes through. Google for "high assurance" vs "low assurance".

Re:Most colorblind people can tell white from gree (1)

pboulang (16954) | more than 7 years ago | (#16586310)

Yeah, the "real" CA's require that you fax in something on, wait for it, letterhead. oooooh safety......

Re:Most colorblind people can tell white from gree (2, Insightful)

TheRaven64 (641858) | more than 7 years ago | (#16586572)

On the otherhand, CACert, which is free, requires to see two forms of government issued ID, one of which must have a photograph.

Sadly, CACert's root certificate is still not included with Mozilla, although a number of distributions include it.

Re:Color coded? (1)

midnighttoadstool (703941) | more than 7 years ago | (#16586350)

Most color blind people are read/green colour blind, which only requires using distinct shades of red and green to cater for. Which kind of colour blindness have you?

Re:Color coded? (0)

Anonymous Coward | more than 7 years ago | (#16586594)

I'm red-green colorblind. I also have trouble (so I've heard) with various shades of orange and brown. And the shades of red, green, orange, and brown that cater to me may not cater to someone else.

Here's an idea: rather than monkey around with shades of colors that are the most popular for colorblindness, why not use the colors that the greatest number can see. Hint: it isn't red/green.

Secure? (3, Insightful)

Kazrath (822492) | more than 7 years ago | (#16585244)

Has anyone found an effective way of cracking regular SSL? Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

Re:Secure? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16585680)

This isn't about the encryption itself, it's about identity. Certificates are not used for encryption, they are used for identifying a communications partner. The way this is done uses cryptography, but the actual connection is encrypted by a different process and with different keys than the ones from the certificate.

A certificate is a way of proving who you are by proving that someone whom the other person trusts has verified that you are who you say you are. There are two ways of attacking this concept: You can break the cryptography which is used in that process or you can get a certificate which says you are someone else by pretending to the trusted third that you are someone else. Extended Validation is a (misguided) attempt at preventing attacks of the latter kind. The only job of a CA is to verify identities. If a CA can't guarantee identities, the CA's certificate should no longer be trusted. Instead, EV adds "super trusted" certificates and leaves insufficiently checked identities in the trust hierarchy.

Re:Secure? (1)

Jahz (831343) | more than 7 years ago | (#16585690)

Has anyone found an effective way of cracking regular SSL? Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

1. You have clearly not read the article, or even the entire /. summary.
2. Who is talking about cracking SSL? Nobody... the underlying algorithm algorithms can be changed.
3. You should not sue VeriSign because they did not invent AES or 3DES or the SSL spec. Nor did VeriSign encrypt the data you get when using SSL. All they do is "guarantee" that the certificate you recieve is from a website belongs to that website and only that website. They basically sign certificates with their own super-secret private key.

You really should figure out what you're talking about before writing garbage like this.

Re:Secure? (2, Informative)

cortana (588495) | more than 7 years ago | (#16585848)

If you read their terms of service you will see that they "guarantee" sweet fuck all.

On a related note, I was doing some poking around the other day and noticed this:
$ certtool -i < /etc/ssl/certs/Verisign_Class_1_Public_Primary_Cer tification_Authority.pem
 
X.509 certificate info:
 
Version: 1
Serial Number (hex): 00:CD:BA:7F:56:F0:DF:E4:BC:54:FE:22:AC:B3:72:AA:55
Subject: C=US,O=VeriSign\, Inc.,OU=Class 1 Public Primary Certification Authority
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 1 Public Primary Certification Authority
Signature Algorithm: RSA-MD2
Warning: certificate uses a broken signature algorithm that can be forged.
Validity:
        Not Before: Mon Jan 29 00:00:00 1996
        Not After: Wed Aug 2 00:59:59 2028
Subject Public Key Info:
        Public Key Algorithm: RSA (1024 bits)
modulus:
        e5:19:bf:6d:a3:56:61:2d:99:48:71:f6:67:de:b9:
        8d:eb:b7:9e:86:80:0a:91:0e:fa:38:25:af:46:88:
        82:e5:73:a8:a0:9b:24:5d:0d:1f:cc:65:6e:0c:b0:
        d0:56:84:18:87:9a:06:9b:10:a1:73:df:b4:58:39:
        6b:6e:c1:f6:15:d5:a8:a8:3f:aa:12:06:8d:31:ac:
        7f:b0:34:d7:8f:34:67:88:09:cd:14:11:e2:4e:45:
        56:69:1f:78:02:80:da:dc:47:91:29:bb:36:c9:63:
        5c:c5:e0:d7:2d:87:7b:a1:b7:32:b0:7b:30:ba:2a:
        2f:31:aa:ee:a3:67:da:db:
public exponent:
        01:00:01:
 
Other information:
        MD5 Fingerprint: 97:60:E8:57:5F:D3:50:47:E5:43:0C:94:36:8A:B0:62
          SHA1 Fingerprint: 90:AE:A2:69:85:FF:14:80:4C:43:49:52:EC:E9:60:84:77 :AF:55:6F
        Public Key ID: 79:6F:71:F0:F5:FD:FF:F7:50:86:F5:B6:5F:5B:D7:CD:7F :C0:A0:CD
 
-----BEGIN CERTIFICATE-----
MIICPTCCAaYCEQDNun9W8N/kvFT+Iqyz cqpVMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
BgNVBAYTAlVTMRcw FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
    c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dG hvcml0eTAeFw05
NjAxMjkwMDAwMDBaFw0yODA4MDEyMzU5NT laMF8xCzAJBgNVBAYTAlVTMRcwFQYD
VQQKEw5WZXJpU2lnbi wgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJp
bW FyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG 9w0BAQEFAAOB
jQAwgYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3 noaACpEO+jglr0aIguVzqKCbJF0N
H8xlbgyw0FaEGIeaBpsQ oXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzRQR
4k5F VmkfeAKA2txHkSm7NsljXMXg1y2He6G3MrB7MLoqLzGq7qNn2t sCAwEAATAN
BgkqhkiG9w0BAQIFAAOBgQBMP7iLxmjf7kMzDl 3ppssHhE16M/+SG/Q2rdiVIjZo
EWx8QszznC7EBz8UsA9P/5 CSdvnivErpj82ggAr3xSnxgiJduLHdgSOjeyUVRjB5
FvjqBU uUfx3CHMjjt/QQQDwTw18fU+hI5Ia0e6E1sHslurjTjqs/OJ0A NACY89Fx
lA==
-----END CERTIFICATE-----
Three things to be concerned about:

  1. It's only a 1024 bit RSA key. That is weak by today's standards.
  2. The signature algorithm is 'RSA-MD2'.
  3. Attacks against this certificate may only be theoretical today, but Verisign foresaw this, and saw fit to mark the certificate as valid until 2028!

Thank you, Verisign!

Re:Secure? (4, Interesting)

tyler_larson (558763) | more than 7 years ago | (#16586014)

Has anyone found an effective way of cracking regular SSL?

No.

Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?

No.

I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?

No.

SSL (and TLS) aren't encryption algorithms, they're protocol standards. These protocols make use of existing encryption algorithms to secure data. Many of these algorithms have a variable level of complexity, depending on things like key size. Since security (including encyrption) is always a tradeoff of resources versus security, the goal is to tweak the configuration parameters (again, such as key length) to find a level of security such that an attack against the cipher is less profitable an option than the next best choice, such as kidnapping the document's author. Those who require greater security can use turn up the complexity at the expense of using more resources.

As computation capability increases, the complexity of encryption system is increased to compensate, usually by increasing key length. If a flaw is discovered in a given encryption algorithm making it too easy to break, or if the algorithm isn't capable of being expanded to account for better decryption technology (such as DES) then that algorithm is discarded in favor of some stronger replacement. SSL remains the same.

Verisign's "Extended Validation" program has nothing to do with cipher strength, key length, or encryption. Instead, it's indicative of the vetting process that the company had to undergo to get the certificate. To get a certificate for citibank.net, I have to verify that I own that domain. I don't, necessarily, have to verify that I represent Citibank [1]. Under this High Assurance program, Verisign will vouch, not only for the validity of the domain, but also for the validity of the organization owning that domain.

This is a Good Thing, since there currently is only one tier of validation. An SSL certificate is designed to prevent man-in-the-middle attacks, which it does well. What it doesn't protect against (though we act as if it does) is forged identity attacks. Certificates used for financial transactions, for example, should go through a stronger vetting process than certificates used for securing a blog.

[1] In reality, almost all CAs do extended verification when the other party sounds like a high-profile company or financial institution. Nonetheless, Mistakes do happen [washingtonpost.com].

Re:Secure? (0)

Anonymous Coward | more than 7 years ago | (#16586210)

Thanks for that post. When I read the summary I was immediately feeling very cynical that this would be another MS conspiracy and marketing fluff. I agree 100% with your post. This sounds like a good thing for financial institutions. Now why can't Firefox support this? I would rather not be forced to use IE to connect to an online banking site. I suppose if I did find myself in that situation, then I'd install a VMware based XP virtual machine solely for that purpose and nothing else.

Re:Secure? (1)

silas_moeckel (234313) | more than 7 years ago | (#16586648)

Actually all you need to do to get a cert is sign a piece of paper saying you will do all the checks and take the risk and they you can get a trusted cert for anything. Well you also need a valid D&B number with some history on it (couple years). Last I checked I am supposed to be able to get these new certs with the same technical level of protection, just more paperwork to promise to have but never get checked. So this really just sounds like another scam and maybe setting the bar marginally higher.

It's called "open source" (5, Insightful)

truthsearch (249536) | more than 7 years ago | (#16585246)

Hey Verisign, it's called "open source". If you'd like the feature added submit a patch and they'll consider it. Until then the people working on it will finish when they can. Thanks.

Re:It's called "open source" (2)

Zeinfeld (263942) | more than 7 years ago | (#16585356)

Hey Verisign, it's called "open source". If you'd like the feature added submit a patch and they'll consider it. Until then the people working on it will finish when they can. Thanks.

The Register was putting word's into Tim's mouth. They are the ones who used the phrase 'dragging their heels', not Tim.

The Mozilla team have been part of the EV development process from the start.

The real issue is that IE7 is harder to change once released. So the different deployment strategies make sense.

Re:It's called "open source" (2, Interesting)

mikiN (75494) | more than 7 years ago | (#16586108)

IE7 is harder to change once released

Say again?

Since when has there been any difficulty changing IE once released?
It's just a matter of releasing eleventy-one quadruple bazillion 'security updates' until it is deemed 'just barely functional'...

Has any major IE update been anything else but the last major version with the last bazillion security patches rolled into it, then dotted with fresh new bloat, eyecandy and bugs?

Re:It's called "open source" (1)

jacksonj04 (800021) | more than 7 years ago | (#16586202)

IE6 actually got rid of Active Channels, making it a step forwards in browser technology.

I don't get it (4, Interesting)

Lord Grey (463613) | more than 7 years ago | (#16585252)

I had never heard of "Extended Validation SSL" so I went to Google. Among the hits was something from Thawte, so I went there. It turned out to be a FAQ [thawte.com]. This FAQ contained such gems as:

4. Why is High Assurance/Extended Validation SSL being implemented?

Answer:

Improved online identity assurance, and improved browser representation of online identities, will empower users to better protect themselves against malicious and suspicious activity, which has gradually been eroding user confidence in digital security, including online shopping and banking. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

And:

6. What is the difference between High Assurance/Extended Validation/Enhanced Validation SSL certificates and existing SSL certificates?

Answer:

The online identity assurance process is intended to be more comprehensive and standardized across the entire industry. Whereas currently online identity assurance processes vary from CA to CA, the new standards/processes under discussion by the CA Browser Forum, will have to be adhered to by all CAs if they wish to offer High Assurance/Extended Validation SSL certificates. This will encourage greater confidence in CAs as well as the processes that are used to vet and issue digital certificates. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.

Is it my imagination, or is this new Extended Validation SSL thing, in the end, just a bunch of paperwork? I may simply be missing the point. If someone can point to a better description of this thing that makes sense, please do so.

Re:I don't get it (2, Insightful)

hardburn (141468) | more than 7 years ago | (#16585378)

It may solve some problems, like having a few guys claiming to be from Microsoft showing up at VeriSign's offices and walking off with a signed SSL key for MS.

This is only one of the many major problems that SSL has, though. I don't see how this can address the problems of international domain names (where glyphs for certain characters can look the same, but aren't). I also doubt that it gives assurances about the security practices of the company (why would a cracker sniff a few credit cards at a time off the wire if they can break into a database and get hundreds of credit cards at once?).

Overall, this seems like a way to make the customer pay again for the CA's own bad practices.

Re:I don't get it (4, Insightful)

skiflyer (716312) | more than 7 years ago | (#16585506)

Overall, this seems like a way to make the customer pay again for the CA's own bad practices.

That pretty much sums up this garbage. This is what SSL is supposed to already be, but as anyone who has filed for an SSL certificate already knows the whole thing pretty much works as a handshake... you're who, yes, ok, credit card with that name please, great, here you go.

And what about this "standardized across the industry"... I bought an SSL certificate from a 3rd party because they're in the Firefox/Opera/IE default trust lists, and because they cost $40 a year instead of $400, is this really a new industry standard or is this just Verisign's way of artificially creating a new market now that there's too much competition?

I'm going to guess (3, Insightful)

tkrotchko (124118) | more than 7 years ago | (#16585436)

I'm guessing the certificate security itself isn't changed. What they're saying is they're just going to do more research on a company before they hand out certificates. Right now you fill in a form, fax it in, and *presto* you get certs. Now, I guess someone will actually call and check before issuing.

They could do this now with regular SSL, but they couldn't charge more money... too much competition out there.

The thing is, the encryption of SSL is not at issue; it's just a new product to market.

Re:I'm going to guess (1, Interesting)

Anonymous Coward | more than 7 years ago | (#16585564)

They couldn't do this with SSL because the user wouldn't know if a certificate comes from a CA which has really checked the identity of the certified company. With Extended Validation, the certificate will contain the information that the CA actually checked, and standardization makes sure that nobody issues such a certificate without checking.

I don't think anybody believes that. It was the CA's job all along to verify the identity before certifying the identity. If the CAs can't do their job for the kind of money that they are asking, who thinks the CAs can and will do it for 150%?

Re:I don't get it (5, Informative)

Anonymous Coward | more than 7 years ago | (#16585716)

I used to work at a certain SSL place, so here's what I could gather.

Right now to get a cert it's a phone call verification or something else that can be done remotely.

For High Assurance CAs, the issuer has to fly a person out to the physical site, take pictures of the site, go inside, take pictures of at least two(?) employees, get names of workers, get signatures, and so on. At least that was the idea last I heard.

Rather than a remote validation, which I guess is easier to forge and easier to issue a mistake to by accident, this requires in person validation and lots of other crap you can't do without actually going there and checking it out. You decide if it's worth it. If not seeing that "special green color" stops just a few customers from using your site, it probably is.

Re:I don't get it (3, Informative)

not-enough-info (526586) | more than 7 years ago | (#16585928)

I went to verisign to get some facts direct. They have a "live chat" feature that pops up when you go to the faq.
According to their customer rep "Doreen", there's really nothing special about this.
What I got out of the chat session:
  • The encryption is the same, or possibly the same, but probably not better.
  • So far other CAs are not onboard with this (but "expected to follow suit" whoopee.)
  • The only informational resources they give their people are the faq page and the MS blog.
  • Doreen freely admits to knowing less about her own product than me, some interested schmuck.
  • There aren't white papers available for me to peruse. (presumably because there's no actual new technology involved)

Now, I understand that this is pretty low on the totem pole, but still I think it's indicative enough to start throwing around some assumptions.

<assumptions style="raging">
From a technical standpoint, "High Assurance SSL" is functionally the same as vanilla SSL. The only difference is that for supported browsers, the cert holder and issuer will be visible in the URL address bar. (Oh, and you can toggle between them by clicking, whoopee.) The main draw is that it's "more visible!!!".

So functionally, if the FF devs want to counter this ridiculous load of crap, all they have to do is stick the plain old vanilla certs into the URL bar and maybe highlight weird characters to show phishing attempts. Certainly, a whole lot more paperwork isn't going to stop the phishers if they're going to the trouble of getting a cert anyways.
</assumptions>

Smells like a turd, looks like a turd.

Re:I don't get it (1)

ocbwilg (259828) | more than 7 years ago | (#16586536)

Is it my imagination, or is this new Extended Validation SSL thing, in the end, just a bunch of paperwork? I may simply be missing the point. If someone can point to a better description of this thing that makes sense, please do so.

No, you've got it about right. The only difference is the amount of verification being done on the back end.

Realistically, the SSL Certificate has very little to do with the encryption. All it is saying is that "some organization presented us with this public encryption key, said that it was for this server/site/organization, and at the time that we tried to verify it this was true." So if you wanted to set up a phishing site, there's nothing really to prevent you from buying a cheap cert from one of the CAs that is trusted by default in IE, setting up a server with it, and going to town. To the average web user, the site will look "safe" to them because it shows a key/padlock to indicate that communications is encrypted, regardless of the fact that the encrypted communications could be going to a criminal's web server.

I have only bought certs from Thawte in the past (they're as good as Verisign I think, and half the price, though there are undoubtedly cheaper CAs), and Thawte has offered several levels of SSL certificates in the past. I was reading on their FAQ page the other day when trying to decide which cert I wanted for a mail server, and they basically explained the difference between some of their levels of certificates as being the amount of verification done on the back end. Some had a turnaround time of a few hours. Some took a couple of days. Presumably this is no different. I remember when my organization bought our first cert, it did take a couple days for them to verify everything. After that, subsequent certs from the same domain name and admin mailbox/technical contact/admin contact went through much faster. Apparently because they know us now.

For my money, it doesn't really make a difference. If you're going to "Bob's Sneaker Store" online, it probably doesn't matter to you if Verisign did a 3 day audit to verify their identity because you don't know who "Bob" is anyway. If you're going to a Microsoft/Cisco/other major company web site, the degree of validation being done on the back end might make you feel safer, since you may already predisposed to trust that company more than some anonymous web merchant.

STOP THE PRESS! ORACLE LINUX IS HERE! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16585270)

Somebody post this story.. I'm too lazy and I've got enough karma to care. Here's the article. Published 1 hour ago. [yahoo.com]

Re:STOP THE PRESS! ORACLE LINUX IS HERE! (0, Offtopic)

AKAImBatman (238306) | more than 7 years ago | (#16585320)

1. That a commitment to Linux, not their own distro.

2. The story was already posted here [slashdot.org].

Now go troll somewhere else.

Re:STOP THE PRESS! ORACLE LINUX IS HERE! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16585380)

RTFA fucker! Hahhahha! And you were the one who said Linux would never make it back then.. hahhahhah! Eat shit dilbert! I told you in 1999 this would happen!

They SHOULD be doing this for everyone... (3, Insightful)

dolphinling (720774) | more than 7 years ago | (#16585274)

I think I remember reading about this either on firefox dev blogs or mailinglists or IRC. IIRC, the upshot was that verisign should be doing "extended validation" type things on all their clients. The validation they have now is really pretty shoddy, shoddy enough that they'd be risking getting kicked out if they weren't so big and so many websites would break. But that's just my memory, which could be bad, you'd have to look into it yourself.

OT: A heads up on your .sig (1)

Zero__Kelvin (151819) | more than 7 years ago | (#16586008)

From your .sig:
There are 11 types of people in the world: those who can count in binary, and those who can't.
... and the 3rd type would be? ... it would appear that you are a member of the latter set. You see 11 binary is 3. You want to say: there are 10 types of people in the world ...

Peace ...

Re:OT: A heads up on your .sig (1)

geminidomino (614729) | more than 7 years ago | (#16586200)

Wooosh!

Re:OT: A heads up on your .sig (0, Offtopic)

Zero__Kelvin (151819) | more than 7 years ago | (#16586296)

Presumably you are saying that something just flew over my head? Or are you saying it flew over the head of the parent? If you are saying something flew over my head, then I would love to hear what it is supposed to be that I missed.

Re:OT: A heads up on your .sig (0, Offtopic)

ezzzD55J (697465) | more than 7 years ago | (#16586396)

I'm wondering that too. Maybe the joke is that the author can't count in binary either.

Re:OT: A heads up on your .sig (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16586482)

Maybe the joke is that he's one of the people who can't count in binary? See, it plays against the standard "10 types of people" joke.

Re:OT: A heads up on your .sig (1)

Zero__Kelvin (151819) | more than 7 years ago | (#16586502)

I'm wondering that too. Maybe the joke is that the author can't count in binary either.
I think you are right. That was the only thing I could think of as well. Of course, it isn't funny if you have to point out that it is a joke. Claiming that the "joke" (as it were) went over my head is just plain absurd. Of course, I laughed my ass off either way :-)

Re:OT: A heads up on your .sig (0)

Anonymous Coward | more than 7 years ago | (#16586236)

whooosh! :)
welcome to the world of the meta-joke

Re:OT: A heads up on your .sig (0)

Anonymous Coward | more than 7 years ago | (#16586284)

The third type would be those built so low to the ground that the jokes go whizzing over their heads at near-supersonic speeds...

Racket (5, Insightful)

AKAImBatman (238306) | more than 7 years ago | (#16585282)

More Secure or Just a Racket?

Definitely sounds like a racket to me. If you get the green bar by paying Verisign 150%, how does that differ from today's security certificates? Other than having to pay more money, and only being able to be verified by Verisign, that is. (Doesn't sound racket-y at all. Or was that rickety?) While they make it sound like the Green Bar is an excellent method of knowing that Amazon is really Amazon, I think it's actually a reverse attempt. By getting Amazon to use this spiffy new green bar, Verisign is attempting to legitimize their new technology in the eyes of the consumer. Little will actually change for the consumer, as he already knows when he's surfing Amazon.

The only place it would supposedly help is with Phishing. But since Phishing sites can't get certificates anyway, what does this help? If the lock isn't good enough, just change the URL Bar green for every VERIFIED certificate received. That will have the EXACT same effect.

The new certificates are double plus super good. (4, Insightful)

khasim (1285) | more than 7 years ago | (#16585604)

#1. In order to issue the new certificates, the Certificate Authorities (CA's) will be "required" to follow "industry standard" practices in "verifying" whomever applies for a new certificate.

#2. This additional "verification" is what will cost the additional money.

#3. Any business that does not pay the additional fees to be "verified" by "industry standard" practices will be ... the same as they are today.

#4. Phishing depends upon a person making a single error in judgment, one time. This will not stop phishing.

This will not stop anything. This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already. Imagine trying to run a business like that.

Boss - "I paid you last week, but you barely did any work. I'm going to fire you."

Employee - "If you give me a 50% raise, I'll perform the work to industry standards."

Boss - "Okay, that sounds like a good deal to me."

Re:Racket (1)

CerebusUS (21051) | more than 7 years ago | (#16585658)

But since Phishing sites can't get certificates anyway, what does this help?

Actually, I don't think phishing sites have much trouble getting certs. Several SSL providers merely check that you own the domain the cert is registered to. If I'm the registrant of amaz0n.com, I'll approve the ssl purchase and have a cert. It tells you absolutely nothing about whether you can trust the person running the website you've connected to.

I'm guessing this is going to end up a lot like the "Made for Windows" certifications where each SSL vendor will be required to meet certain criteria before being able to offer these new certs.

It might work, but I'm guessing it won't really help.

Current system is already a racket (2, Interesting)

rhaas (804642) | more than 7 years ago | (#16585994)

I mean... since they don't do any verification anyway... and the customer service is terrible... why does it cost hundreds of dollars?

Not firefox supported. (1)

lordShiva (636856) | more than 7 years ago | (#16585288)

It just seems funny with the release of 2.0 and now here verisign is blaming the dev team at mozilla. Kind of odd you know fox or verisign didn't speak more closely.

Riiight. (2)

TubeSteak (669689) | more than 7 years ago | (#16585290)

The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

In response, the verification industry in the form of the CA browser forum has come up with extended validation SSL, where the certificate really is a guarantee of kosher status. Honest.
Thank you The Register for saying what I was thinking.

Re:Riiight. (1)

Midnight Thunder (17205) | more than 7 years ago | (#16585572)

The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

Silly us, we should haver been using two padlock symbols the whole time.

Charging more to do what they should be doing. (5, Insightful)

datajack (17285) | more than 7 years ago | (#16585340)

The online identity assurance process is intended to be more comprehensive and standardized across the entire industry. Whereas currently online identity assurance processes vary from CA to CA, the new standards/processes under discussion by the CA Browser Forum, will have to be adhered to by all CAs if they wish to offer High Assurance/Extended Validation SSL certificates. This will encourage greater confidence in CAs as well as the processes that are used to vet and issue digital certificates. thawte's commitment to establishing and implementing High Assurance/Extended Validation SSL standards, and to being one of the first to offer compliant product lines, underscores our commitment to enabling a secure digital environment for all.


Err, excuse me.. isn't the verification of the identity of the applicant of the certificate exactly what the CAs are meant to be doing anyway?

I thought that that is why we had these 'trusted' third-parties, to vouch for the identity of the certificate owner - that is the fundamental basis of PKI and certificates. If they weren't doing that before (which they clearly weren't doing properly), what the hell were they doing?

So, we're paying them extra to get a 'fixed' version of something that they caused to be broken in the first place because they couldn't do their job properly. WHy should paying an extra 50% on top of their fees all of a sudden make us able to trust them now?

Re:Charging more to do what they should be doing. (1)

Anonymous Crowhead (577505) | more than 7 years ago | (#16585408)

WHy should paying an extra 50% on top of their fees all of a sudden make us able to trust them now?

Because they want more money?

Re:Charging more to do what they should be doing. (1)

skiflyer (716312) | more than 7 years ago | (#16585556)

Couldn't agree more, posted a similar concept a little higher up... but reading it in your words makes me wonder, is there a class action lawsuit in the near future for standard SSL users?

Re:Charging more to do what they should be doing. (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16585956)

``Err, excuse me.. isn't the verification of the identity of the applicant of the certificate exactly what the CAs are meant to be doing anyway?''

Yes. And the fact that there is apparently a need for "more comprehensive" identity checking means Verisign haven't been doing their jobs.

``If they weren't doing that before (which they clearly weren't doing properly), what the hell were they doing?''

Playing monopolist. Charging ridiculous amounts of money for simple records in databases. Claiming to run a trustworthy authentication service. Answering queries for non-existant domain names with addresses of their own services. Generally running the DNS root servers in such a way that various alternatives have sprang up to correct their missteps. Probably filing the odd lawsuit and patent or two.

``WHy should paying an extra 50% on top of their fees all of a sudden make us able to trust them now?''

It shouldn't. They've wasted the trust that was put in them. We should abandon them, turn to alternatives, and try not to make the same mistakes again.

Re:Charging more to do what they should be doing. (1)

mod_critical (699118) | more than 7 years ago | (#16586112)

What were the doing? Verifying identities of course! By means of making you enter a phone number and then enter the code on the screen when it's called, or making you scan and email a utility bill! YES! These are actually two different methods I've used buying certs before.

So you are indeed correct, there has been no reason to trust a cert before, but they haven't actually fixed anything either ;)

So the verification is crap, but who cares, Joe User never checks the certs anyway, and probably dosen't notice the padlock. In fact, Joe User (in my experience) will not check the cert, check the sitename, click the seal, and check the URL to make sure the verification page came from a CA. If Joe knows what a CA is ... or dosen't just jump under the desk and cry when he sees the cert's fingerprint presented to him in hex pairs after clicking the padlock.

Okay, so Joe dosen't know how to verify a site and dosen't give a rip, but who cares, no matter how well you can verify your own identity, someone can still impersonate you well enough to reel in the suckers.

Trusted third party identification only works if that trusted third party can identify EVERYONE, not just those who have opted for identification. The security companies probably all know this, but the current method hasn't exausted it's power to generate income.

The only way for trusted third party identification to actually work is to be able to identify every site within the browser's scope. Since verification is opt-in, then the only remaining way to do this is to limit the scope of the browser. Example: and this is a quick idea, it probably could be improved quite a bit, but for starters: Have a browser button to turn on secure browsing mode, and with it on you cannot visit any unidentified site. Across the top of every page you visit there is about a 100px tall banner displaying the legal name and address of the verified site owner. That is something Joe can understand.

Re:Charging more to do what they should be doing. (1)

eraserewind (446891) | more than 7 years ago | (#16586340)

Well, this is true, but don't most people don't treat the cert as anything other than an indication that the connection is encrypted? I mean, you could just put your self generated cert on your site, and most people would click "accept this cert permanently" just like they do when e.g. hotmail or other sites sometimes have the same problem.

If browsers prominently displayed

"Firefox considers Verisign reliable (ha!), and Verisign certifies that this site belongs to 'Joe Bloggs, 123 main St, sslville'"

or

"you yourself have decided to believe that this site belongs to 'J03 B100g5, 123 main st, fishtown', but firefox doesn't vouch for them in any way."

for every site, then there might be some point to it.

Re:Charging more to do what they should be doing. (1)

Lord Ender (156273) | more than 7 years ago | (#16586124)

It sounds to me like you all have it wrong.

No CA can be 100% sure you are who you say you are. But there are things they can do to increase their confidence in your identity. Doing these things costs more money of them (and so, of you, the SSL site owner).

It sounds like Verisign wants to use color codes to demonstrate SSL site users how confident Verisign is in the identitiy of the certificate holder.

I think this is a fantastic idea.

Are you really surprised? (1)

Rosco P. Coltrane (209368) | more than 7 years ago | (#16585350)

So, a product is proposed by Verisign (the guys who tried to shove their shoddy SiteFinder search engine down your throat by abusing their monopoly) and Microsoft (the guys who have been shoving their shoddy DOS and Windows down your throat for decades by abusing their monopoly).

You know what? I'm quite sure it's a shoddy product they're trying to shove down people's throat for some reason...

Gaah! Please skip the revisionism. (2, Insightful)

ScentCone (795499) | more than 7 years ago | (#16585660)

shoving their shoddy DOS ... down your throat ... abusing their monopoly

Right! Because DOS was definitely the only O/S upon which big business was doing business, say, back in the 1980's.

And then there were those enormous numbers of consumers using DOS instead of Apple II machines or Ataris or Amigas... Shoved down their throats? Come on. If you're going to rant about MS market share, at least skip over the part when it was anything but a sure thing, before all of the other platform makers wheezed and missed the opportunity to take over the business desktop market (when they already owned the back office corporate computing market!) when it was anything but settled in one popular direction.

Re:Are you really surprised? (0)

Anonymous Coward | more than 7 years ago | (#16585872)

Not only that, but the PR guy...talk about pissing in the wind. Badmouthing any team that would lead to implementation of your proposed feature set is just stupid. To badmouth a fairly up there open source project, hell, that just invites the question why doesn't Verisign just put up the code themselves then instead of taking public swipes at the project?

I don't know if this is at all possible, but any competitor to Verisign that may exist with a similar but hopefully superior scheme could now undermind Verisign by working closely with and supporting the Firefox team.

more info (1, Informative)

Anonymous Coward | more than 7 years ago | (#16585352)

Verisign used to call "Extended Validation SSL" "High Assurance SSL". A little more info here:

http://www.verisign.com/ssl/ssl-information-center /faq/high-assurance-ssl.html [verisign.com]

This seems to be composed of two parts:

  1. Some higher-level of SSL certificate for which Verisign will somehow verify the legitimacy of the company rather than just their domain, and for which they will presumably charge more $$$.
  2. Visual indication in browsers that a site has such a certificate, and displaying who validated the certificate (i.e. Verisign.)

Re:more info (2, Insightful)

DragonWriter (970822) | more than 7 years ago | (#16585548)

So, Verisign realizest that their practices are insecure and broken, but instead of fixing their practices and being a good CA, they are instead creating a new kind of "we actually did our job" certificate that requires new code for browsers to recognize?

I mean, wouldn't it make more sense for Verisign to do the same thing (if they wanted to get some money for insecure certs but still have a more secure cert) to create a new Certification Authority name also run by Verisign that actually does their job, and not require any browser code changes? Or are they just afraid that if they did that, browser vendors might delist Verisign's main CA from their default list of trusted CA's, since that would be admitting that, well, basic Verisign certificates can't be trusted.

Seems to me this is an unnecessary technical change to a business practices problem at Verisign.

Re:more info (1)

ebyrob (165903) | more than 7 years ago | (#16585696)

I mean, wouldn't it make more sense for Verisign to do the same thing (if they wanted to get some money for insecure certs but still have a more secure cert) to create a new Certification Authority name also run by Verisign that actually does their job, and not require any browser code changes?

But then how would you tell the old CA apart from the new CA? It isn't like your browser loudly proclaims which CA is validating a particular domain. Or are you suggesting they revoke their own current CA status?

Re:more info (0)

Anonymous Coward | more than 7 years ago | (#16585884)

Or are you suggesting they revoke their own current CA status?

That's the idea, yes. A certificate says that the CA which issued the certificate has checked that the person or webserver which is named in the certificate is or belongs to the person to whom the certificate was issued. If the CA didn't really check that, because the supplicant didn't spring for the "extended validation", then the certificate should not be trusted. All information in a certificate must be verified. If a CA is known to put information in certificates without verifying the validity of the information, the only sane consequence is to delist the CA.

Browsers could react differently to certificates which certify just the server domain or the server domain and responsible person/company. Putting unvalidated information into certificates on the other hand is a big no-no and can not be tolerated by instituting "super trust" certificates.

Scam... (5, Insightful)

tomstdenis (446163) | more than 7 years ago | (#16585368)

This is coming from the people who stole DNS, and sell certificates for hundreds of dollars which take milliseconds to make....

Now we're supposed to get a more "trustworthy" cert and make our address bar green?

Fuck you Verisign.

Tom

Anti-Phishing Technology will make it moot (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16585374)

Nobody uses SSL to verify that a site is who they say it is - when was the last time 99% of users looked at a website's certificate?

SSL is still good for keeping the data encrypted between client and server. You don't need some super-duper certificate for that.

Anti-phishing blacklists will be what works well for end-users. Being told explicitly that they're on a dangerous website is far more effective than 'hmm, well the location bar is in green!'. They won't even look.

A personal view from someone at Mozilla (0)

Anonymous Coward | more than 7 years ago | (#16585458)

See this [hecker.org] blog post from about a year ago on this topic.

Do disreputable sites get them? (1)

iabervon (1971) | more than 7 years ago | (#16585532)

The only way to judge whether this is legitimate is to see whether sites that do fraudulent things (get traffic from mistyped domain names, send out "renewal" requests to non-customers, etc) are able to get these certificates. If Verisign is able to make sure that sites that do these things or have a history of doing them can't get certificates, then maybe they'll mean more than current SSL certificates.

Of course, there are technical issues with a PKI system without trusted root certificates, so it might not work even then.

Re:Do disreputable sites get them? (1)

Kelson (129150) | more than 7 years ago | (#16585868)

The only way to judge whether this is legitimate is to see whether sites that do fraudulent things (get traffic from mistyped domain names, send out "renewal" requests to non-customers, etc) are able to get these certificates.

I think you're being too subtle [slashdot.org] for this site [slashdot.org]...

mod parent up! (1)

element-o.p. (939033) | more than 7 years ago | (#16586582)

Nuts...I'm out of mod points!

The first paragraph of the parent post is, IMHO, both +5 Funny and +5 Insightful.

Uh, what was the middle choice again? (1)

Medievalist (16032) | more than 7 years ago | (#16585536)

"More secure or just a racket?"

C'mon, ScuttleMonkey, are you trying to get a job as a pollster for Karl Rove?

"Would you be more likely or less likely to vote for John McCain for president if you knew he had fathered an illegitimate black child?"

All the brower teams and SSL CAs agreed to this (4, Informative)

miller60 (554835) | more than 7 years ago | (#16585552)

The article is, not surprisingly, VeriSign's version of events. The Extended Validation standard emerged from talks among a consortium of browser makers (the IE team, Mozilla, Opera and Konqueror) and a ghroup of SSL certificate authorities, which includes not only VeriSign but also geoTurst (since bought by VeriSign), Comodo, Entrust and Go Daddy. The group is known as the The CA/Browser Forum, the group of certificate authorities and browser developers that is working with the American Bar Association's Information Security Committee on finalizing an open standard for the validation process, which is to be followed by all participating CAs. So this isn't just a VeriSign issue, but the culmination of an 18-month process.

The plan was for all the browsers to implement the color bar scheme, based on IE's implementation. There were optimistic announcements by all involved, but no final standard has emerged. VeriSign and other SSL certificate authorities are preparing to start selling these in January. It's not clear to me if Firefox/Mozilla has actually opted out or is just moving more slowly than MSFT in incorporating the changes in the browser. Mozilla tends to be deliberate about SSL-related changes in the browser.

Re:All the brower teams and SSL CAs agreed to this (1)

Zeinfeld (263942) | more than 7 years ago | (#16585656)

The article is, not surprisingly, VeriSign's version of events. The Extended Validation standard emerged from talks among a consortium of browser makers (the IE team, Mozilla, Opera and Konqueror) and a ghroup of SSL certificate authorities, which includes not only VeriSign but also geoTurst (since bought by VeriSign), Comodo, Entrust and Go Daddy.

No the article is the Register's version. Its hard to tell but there is actually a panel session on this at RSA Europe and the other vendors are on the panel.

Re:All the brower teams and SSL CAs agreed to this (1)

pvanheus (186787) | more than 7 years ago | (#16585708)

An open standard for the validation process sounds like a really good thing. Who would police compliance with the process though? The reason I wonder about this is that if CAcert.org could adhere to some well known standard for validation, it would make its certificates much more believable.

Peter

Re:All the brower teams and SSL CAs agreed to this (1)

hitchgoat (632779) | more than 7 years ago | (#16586104)

Ok, so what's the technical means by which a browser distinguishes an Extended Validation certificate from any other? Some sort of information associated with the root in your local store? A certificate policy OID present in the certification path? An extension in the CA or end-entity certificate? There has to be something, right? What prevents another SSL certificate vendor from simply including this indicator in their certificates, regardless of the registration procedures that they follow? I suppose if they did so they might get blacklisted by MS, which would be a pretty big blow to their business. SSL, when used for identify verification and not simply for confidentiality, really is the only way to defeat this type of scamming on the web. As everyone else has pointed out, the SSL certificate vendors have effectively nullified the value of SSL for identity verification by following weak registration procedures. It does make sense, given where we are now, to (a) continue allowing SSL for confidentiality without complicated registration, and to (b) offer some sort of enhanced service under which the SSL certificate vendors actually perform their due diligence. What remains to be seen is how effective they'll be.

ORACLE JUST ANNOUNCED ORACLE LINUX (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16585606)

http://biz.yahoo.com/seekingalpha/061025/19242_id. html?.v=1 [yahoo.com]

this just in..

"Oracle starts with Red Hat Linux, removes Red Hat trademarks, and then adds Linux bug fixes," the company said in a new release. "Oracle's new Unbreakable Linux program will provide bug fixes to future, current and back releases of Linux. In other words, Oracle will provide the same level of enterprise support for Linux as is available for other operating systems."

Oracle says it will provide Linux support for "substantially less" than Red Hat now charges. The company said the Unbreakable Linux support program will be available for as low as $99 a year per system.

The company said it will maintain compatibility with Red Hat Linux. The Linux code itself is being distributed free on Oracle.com.

Kudos to Rick Sherlund of Goldman Sachs, who has been predicting this move by Oracle for months.

Red Hat shares are getting clobbered on the news. In after hours trading, Red Hat is down $2 at $17.51. Novell, which sells Suse Linux, is down 8 cents at $6.02. Oracle is up 8 cents at $18.70.

What about this paragraph? (1)

skiflyer (716312) | more than 7 years ago | (#16585614)

One snarl-up for Mozilla may have been working out an alternative to the rest of Microsoft's site-rating system. As well as getting dishing out green address bars, servers at Redmond will blacklist dodgy and suspect sites, which can look forward to red and amber flashing up.

I don't feel all paranoid about this, and I think the technology is a good concept, but dang, do we want any for profit company to be the one in charge of maintaining these lists? And what's the appeal process, if my online store got listed red or amber for even a couple weeks at the wrong time, that's a serious hit to my business. Now, like I said, I'm not really concerned that MS is going to go off and start red flagging sites they have a grudge against, I generally trust them, but do we even want to give any for-profit the temptation? (I wouldn't want to take this responsibility on as part of my company, I'd much rather start a specific organization for it which was completely transparent and accountable)

Where's the specification? (5, Insightful)

Animats (122034) | more than 7 years ago | (#16585714)

Has anyone actually been able to find the specification for "high assurance" certificates? Apparently this is being closely held. The spec comes from something called the "CA Browser Forum", which is invitation-only and doesn't seem to have a web site. A standard was supposed to be issued in August, but apparently agreement wasn't reached until a meeting in September. There are many press releases, but no hard data.

So that's why it's not in Mozilla.

It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying Party Agreement.

The way it's supposed to work is that the certificate issuer bears financial responsibility for misidentification of the certificate owner. Some certificates from Verisign have a Relying Party Agreement [verisign.com] that does provide a financial guarantee to the party relying on the certificate - $100 for a class 1 cert, $5000 for a class 2 cert, and $100,000 for a class 3 cert. Most of the other issuers have relying party agreements which promise nothing and deliver less.

So what's happening is that, soon, you'll be able to tell the difference between the crap certificates and the good ones. Before you buy. The idea is that if you put your credit card into a site that showed a green toolbar in IE, and it wasn't really the company it should have been, you can collect from the certificate issuer. This puts certificate issuers on the hook for phishing losses.

Unfortunately, the rules and the Relying Party Agreements for the new certificates haven't yet appeared, so we can't tell if the rules are tough enough to make this work. Since they're being drafted by the certificate issuers, there will probably be some loophole that lets them off the hook.

Re:Where's the specification? (0)

Anonymous Coward | more than 7 years ago | (#16585910)

Your reply assumes that identity validation is integral to SSL certificates. It isn't. Many websites need CA-signed certificates to protect data in transmission, and nothing more.

Identity validation and reputation verification are useful features, but need to be separated from the certificate itself. Let the certificate vouch for the transaction-layer security, and a separate site seal vouch for the reputation of the business. Combining multiple distinct and separate functions into one product only inconveniences all users of the product not in need of all features.

Re:Where's the specification? (0)

Anonymous Coward | more than 7 years ago | (#16586300)

Encryption without identification is useless. Look up "MITD, man in the middle". Computers don't need a certificate to "vouch for transaction-layer security": Each computer simply generates a keypair on the fly and sends the public key to the other computer. If that looks secure enough to you, you need to shut the hell up and make a trip to the library. The whole point of certificates is to verify identity so that you know you actually got the public key of the computer that you want to talk to and not the public key of some impersonator.

Re:Where's the specification? (1)

LordLucless (582312) | more than 7 years ago | (#16586308)

It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying Party Agreement.

So what you're saying is it's a good idea, because they're talking about extorting more money to do what they should have been doing from the get-go? I don't buy that. There should be a mechanism for encrypting web data that doesn't rely on paying a third party for a service only tangentially related to encryption, which they don't provide properly anyway. The only reason certs are being sold is that they're required to encrypt web data without a big warning box popping up. They aren't sold for their actual purpose - conclusively indentifying the holder - because they actually don't fulfil that purpose. This new cert is a racket, but then, so is the whole cert system.

Monopoly ? (0)

Anonymous Coward | more than 7 years ago | (#16585726)

What do you bet the implementation is designed so that the browser will only accept 'enhanced SSL' certificates that have been signed by Verisign ?

Does anyone believe that a system designed by Microsoft and Verisign will be inclusive ?

Has anybody seen a RFC for this yet ?

SSL and Extended SSL (2, Interesting)

Kazrael (918535) | more than 7 years ago | (#16585794)

Honestly, I believe that there should be a WC3 conference to contribute a single CA that makes its way onto all browsers. Give the WC3 CA site an automated system for generating certs, including an open API and then combine DNS registration protocals with the CA gen protocals. Publicly open the API, and charge small, if anything. This service is an easy one to implement. The real issue is getting browsers to add it to its automatically trusted CA list. I can create SSL at home, but I can't get browsers to add my home web onto the trusted CA list by default.

Re:SSL and Extended SSL (0)

Anonymous Coward | more than 7 years ago | (#16586534)

Check out http://www.cacert.org/ [cacert.org]. You can join for free, create your own certificates, and it tells you how to add cacert.org to your CA cert authority.

Re:SSL and Extended SSL (1, Informative)

Anonymous Coward | more than 7 years ago | (#16586712)

You're missing the point of what a trusted CA is supposed to do. The point is that the browser makes trusts this CA to verify that a domain name has a legitimate owner. More precisely, the browser maker trusts the CR to verify that the person who applied for the certificate represents the owner of the domain name. If you create a CA that does no verification, how would you trust them? It would be a huge security hole for such a CA to be in Mozilla's list of trusted CAs. Somebody could register with this free CA as citibank.com, hijack DNS, and impersonate https://www.citibank.com with the users none the wiser.

The problem with CAs... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#16585992)

... is that they are a commercial venture. They will sign just about anything as long as they are paid. I have seen more than one piece of malware signed by Thawte. The whole model of third party commercial CAs is badly flawed in concept. One only needs to pay a CA like Verisign or Thawte to appear legitimate to the average user and then proceed with whatever nefarious purpose one desires.

I trust a self-signed certificate more than one signed by Thawte or Verisign. (I do trust Entrust though, as they are Canadian)

Extended Validation SSL? Is it 256 bit? I think not (what would be the point?). 128 bit SSL is 128 bit SSL regardless of who signs it and how. You must trust the server you are dealing with in the first place, SSL is merely there to make your cummunications with that server private (all the more so if self-signed).

I expect that this "Extended Validation" is an implicit admission that up till now they have been signing pretty much anything as long as they get paid. Even so, it is not up to a CA to assure users that a particular site or application is not nefarious in purpose.

The signing CA model is flawed and very misleading to the average user. I say it does more harm than good.

Free Certs are Evil (0)

Anonymous Coward | more than 7 years ago | (#16586052)

Conducting business on the Internet in a secure manner requires two things, trust and privacy. Certificates were SUPPOSED to provide both of these, however free certs have really undermined this because companies offering free certs certainly cannot afford to do a good job of verifying the identity of the applicant. Extended Validation SSL means that the CA agrees to abide very stringent identity verification regulations before issuing a certificate to an individual/company. Guess what? Abiding by these regulations is going to cost money, therefore the cert is going to cost more. Duh.

I look forward to my browser (come on Firefox devs!) distinguishing between Extended Validation certs and "traditional" certs.

Re:Free Certs are Evil (0)

Anonymous Coward | more than 7 years ago | (#16586090)

Its VERY rare to find a customer who cares who signs the cert. They just want to see that little lock icon light up. Beyond that, there is no reason why a free cert would be less secure then one from Verisign.

Re:Free Certs are Evil (0)

Anonymous Coward | more than 7 years ago | (#16586174)

Free certs are DEFINITELY less secure than Extended/For-Pay certs. There is really no way you can argue this. Security means privacy (encryption) AND trust (identity).

I agree that users normally just look for the lock, and they feel secure when they see it. However, if the identity of the certificate holder (person/company running the web server) cannot be vouched for, the only thing the user is getting is encryption. So yeah, the data is secure on the wire but they have no idea who's on the other end.

So I say again, you need BOTH (trust and privacy) and I applaud browsers' and CA's attempts to solve that problem. This CANNOT be solved by open source / free CA's.

Re:Free Certs are Evil (1)

geminidomino (614729) | more than 7 years ago | (#16586262)

If you're going to astroturf, you might want to make a snazzy new account instead of posting AC. Something like "geekgrrrl69" would at least catch the dumber denizens of the site.

Re:Free Certs are Evil (0)

Anonymous Coward | more than 7 years ago | (#16586312)

No kidding, I really should come up with an alter ego to entice readers. At least this time I tried to come up with a subject that would piss off the "only free things are good" crowd.

I mean, free things are usually good, but commercial things can be good as well.

Sincerely,

B1gB00bi3s

Fund raising idea for firefox (5, Funny)

NaCh0 (6124) | more than 7 years ago | (#16586204)

Mozilla.org should get into the SSL certificate reselling business and set the location bar to green when one of the mozilla signed certs is present. Verisign could then have the option of paying a royalty to mozilla.org for each extended certificate if they want green URL bars too.

SSL is worthless anyway (1)

cortana (588495) | more than 7 years ago | (#16586214)

Have you audited any of the dozens of CA certificated that ship with your OS?

Do you fetch a new CRL for each of them whenever you access a site using SSL?

StartSSL and FireFox 2.0 (0)

Anonymous Coward | more than 7 years ago | (#16586252)

Perhaps this is also an answer to the efforts of the StartCom CA [startssl.com]. At this article [linuxboxadmin.com] there is a nice explanation about this...Which doesn't mean, that StartCom can't provide the necessary extensions in the future. With 43 % of market share in Germany and other European countries, Firefox is far away from suffering on the hands of Verisign and MS!

It is Verisign's job (2, Insightful)

rhythmx (744978) | more than 7 years ago | (#16586622)

...as a Certificate Authority to ensure that any sites they issue certificates to are trustworthy. All PKI systems are based on this kind of trust model. If there is any lack of trust/confidence in online ssl-encrypted commerce, it is their fault. Merely because they have been ignoring their role as a trust arbitrator and giving out certs to anyone, they decide now to actually do their part, charge more, and have Microsoft put a flashy "green for go" interface on it.

Then, of course, you must slam Firefox for "losing the browser war" by not keeping up by making their URLs turn green. You know, (speculation alert) you can probably bet Microsoft patented the green url indicator anyway, locking Firefox out.

CardSpace anyone? (1)

monkeybrain (305911) | more than 7 years ago | (#16586688)

So far nobody has mentioned InfoCard/CardSpace. I think you will find that one of the major pushes for the new extended certificates is to improve the user experience with respect to security. Presently anyone can get an ordinary SSL certificate - a phishing site can easily obtain an existing SSL certificate that will allow them to fool more average joe users that no certificate at all. With an extended certificate a company's name, location and logo are also included as part of the certificate so it should be much easier for uneducated users to make the connection between the certificate and the organization whose site they are visiting and more difficult for the phishing sites to do so. So the new certificates provide a better way for websites to prove their identity to users and aim to provide a consistent way of presenting this information to users so that they can make a choice as to whether or not they trust a site.

For details see the section titled Improved User Confidence in the Identity of Web Applications in Introducing Windows CardSpace: http://msdn.microsoft.com/library/en-us/dnlong/htm l/introinfocard.asp/ [microsoft.com]

CardSpace is a Good Thing. Check out Kim Cameron's blog http://www.identityblog.com/ [identityblog.com] for ongoing coverage. Microsoft is doing everyone a big favor in the identity space - they fully acknowledge their mistakes of the past (e.g. Passport) and are very open in terms of what they are doing and how they are doing it. Further, the specifications behind all of this are unencumbered (see http://www.identityblog.com/?p=574/ [identityblog.com].

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...