Though the recent news from Microsoft and the CA/Browser Forum leaves me shocked and almost speechless, now is no time to remain silent. This time, Microsoft is wrong.
Microsoft is soon implementing a new feature in IE 7 (Internet Explorer, version 7) that will "attempt" to give its end users a better feeling of personal online security. I think we should all take a look at what they are doing, and why they are doing it.
What is Microsoft doing? Coming soon to an IE browser near you is a little security patch from Microsoft. This patch will update your MS browser to include all kinds of fancy functionality to recognize the new EV SSL (Extended Validation SSL, or Secure Sockets Layer) certificate. Now if that last sentence sounds like it was written in Mandarin Chinese, stay with me - I'll explain.
Internet sites install an SSL (Secure Sockets Layer) certificate on their site to make your data transactions secure. When you are on a site and the address (URL) starts with "HTTPS", that means you are on a site that has proactively applied and paid for the installation of an SSL certificate. This means the people that own the site care about your personal online security and are processing the information that you submit through various web forms over a secure connection. To the end user, it's one letter (S), but if "S" comes after "HTTP", that one letter makes a big difference. It means encryption. It means secure data transfer. It means your form submission (the actual data transaction) is safe. But that isn't enough for Microsoft anymore - hence they are on board to invent a new level of security. They have decided that SSL isn't good enough anymore, and the whole world now needs EV SSL. And when their IE 7 sees an EV SSL certificate, it will turn the address bar green, which to Microsoft means "safe". How thoughtful of them.
These efforts to enhance user safety and security are BADLY misguided.
Why is Microsoft doing this? The rise of online fraud? Identity theft? Phishing scams? You bet. Phishing is the problem most commonly cited. After all, phishing is one of the easiest ways for crooks to obtain sensitive and personal information from someone.
So let's all agree together that this is a problem. It's a big problem, and it needs a solution. Microsoft says EV SSL is the solution. But I say that is no more a solution to phishing and online safety than wearing a second condom is to safe sex. What?!? What was that? Yes. Safe sex. That's essentially what we're hearing from Microsoft and their partners. According to Microsoft, an SSL (read "1 condom") isn't good enough, so we need an EV SSL (read "additional, more expensive 2nd condom") to make the transaction safe.
Question: What has happened over time concerning safe sex? Think back to the '80s with the rising concern about AIDS. Take it to the '90s when hundreds of other STDs were found to exist. How about here in the new millennium, where experts say that most people with an STD don't even know they have one. What have we learned as a culture? Well, we learned that we can invent all the tricks, pills, products, patches, shots, condoms, and caps we want... but in the end, education is key. Isn't that where we are at with the whole safe sex thing? Education? That is the primary concern now.
EV SSL is nothing but a second condom. And as such it is being pitched as the solution to make internet users safer. Sure, it's more expensive and it's harder to apply for. As of now, only incorporated entities can apply for an EV SSL certificate. As a result, small businesses (sole proprietorships, partnerships, etc.) are presented with yet another series of hurdles to jump over, only to be followed by a finish line made of expensive red tape.
The introduction and critical-mass buy-in of EV SSL will aid big businesses in edging out their small business competitors. Why? Because small businesses that choose not to incorporate can't get an EV SSL certificate. The integration of EV SSL is meant to make people better trust the site they're on. But what does the EV SSL certificate actually do? Well, other than turning the address bar green in IE 7, not much. Oh wait, it will attach the name of the incorporated entity to the address in the URL bar. Well, I'm sure we'll all feel much safer now. Big business gets the edge, my address bar turns green, and I feel safer. Whew, thanks for that.
Oh I apologize, but we must dig deeper.
The EV SSL certificate turns the address bar green and displays the name of the incorporated entity associated with the site. So this means when you are on a site like www.paypal.com, it might display something like "PayPal, Inc." in the URL bar. Now that might give some end users a slightly heightened warm and fuzzy feeling, but their transaction is no safer now than it was with the traditional SSL certificate.
Back to Education
I'm going to preach loud and proud here that educating internet users and businesses is a far better agenda than inventing a new certificate. So that leads me to this question: whom do we educate, and what should the curriculum include?
First, educate the users. We all learn the basics of traffic laws and automobile operation before we drive, don't we? So shouldn't we then learn a little about the internet before racing around and submitting our Social Security number and credit card information online? Of course! If you are going to buy something, you should see "HTTPS" in the address bar, and you should recognize the address in the URL bar. Example: If you get an email "from" PayPal asking you to update your information, and by clicking the link provided you are taken to a site where the URL address bar reads...
http://secur.x43.zible.ju/paypal
...should you continue? No! Where's the HTTPS? And even if it were there, what in the world is "secur.x43.zible.ju"? "ju" is the domain extension, and what is that? "zible.ju" is the domain name, and what is that? This is the typical phishing approach: they'll make a site "look" just like what you're expecting, but they can't trick you about where you actually are in cyberspace. Read and recognize the address bar!!!
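The two rules the post just gave (look for HTTPS, and read the host name rather than the decoration around it) can be written down as a small checker. The following is an added example for this post, not code from the original article or from any browser vendor; the expected domain and the sample addresses are constructed, and the "last two labels" rule for finding the registered domain is a simplification (real browsers consult the Public Suffix List, which also knows about names like co.uk).

```python
"""Added example: apply the post's 'read the address bar' rules to a URL.

Rule 1: the scheme must be https, otherwise the connection is not encrypted.
Rule 2: the registered domain of the host must be the site you expect; the
expected brand name appearing in a subdomain or in the path proves nothing.
"""
from urllib.parse import urlsplit

# Constructed for this example: the site the user believes they are on.
EXPECTED_DOMAIN = "paypal.com"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host ('www.paypal.com' -> 'paypal.com').

    Assumption: a simple two-label rule. Real browsers use the Public Suffix
    List so that 'shop.example.co.uk' resolves to 'example.co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_address(url: str, expected: str = EXPECTED_DOMAIN) -> dict:
    """Return a verdict dict: host, registered domain, https flag, ok, reasons."""
    parts = urlsplit(url)
    # .hostname already strips any 'user@' prefix and port, and lowercases,
    # so 'https://www.paypal.com@evil.example/' reports evil.example.
    host = parts.hostname or ""
    domain = registrable_domain(host)
    reasons = []

    if parts.scheme != "https":
        reasons.append("no HTTPS: the connection is not encrypted")

    if domain != expected.lower():
        reasons.append(f"host is '{host}', whose domain is '{domain}', not '{expected}'")
        brand = expected.split(".")[0]
        if brand in (host + parts.path).lower():
            reasons.append(f"'{brand}' appears only as decoration in the subdomain or path")

    return {
        "host": host,
        "domain": domain,
        "https": parts.scheme == "https",
        "ok": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample addresses, including the one from the post.
    for sample in (
        "http://secur.x43.zible.ju/paypal",
        "https://paypal.com.secure-login.example/",
        "https://www.paypal.com@evil.example/",
        "http://www.paypal.com/",
        "https://www.paypal.com/cgi-bin/webscr",
    ):
        verdict = check_address(sample)
        print(("OK   " if verdict["ok"] else "STOP ") + sample)
        for reason in verdict["reasons"]:
            print("      - " + reason)
```

The point the verdicts make is the one the post makes: the word "paypal" in the path of the first sample, in a subdomain of the second, or in the user-info part of the third does not change which site the browser is actually talking to; only the registered domain does, and only HTTPS makes the transaction encrypted.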
Second, educate the businesses. The problems that businesses open themselves up to dwarf the severity of individual phishing scams, or of any scam aimed at the individual internet user. What's that, you need real-world examples? I'm glad you asked.
Boeing Laptop Stolen
Personal data, including Social Security numbers for 382,000 workers, was among the contents of the stolen laptop. Question: Why was that data stored locally on a laptop? Why wasn't that data encrypted? Why did similar events happen again and again to the same company? Only a month earlier, 160,000 workers' personal data was compromised. Proper data collection techniques might have proved useful to Boeing. I would think that a little education for the technology department should be on the next P.O.
Veterans Affairs - Hard Disk Stolen
26 million personal data records exposed. I'm not going to ask the same questions again.
Data Breach at UCLA
800,000 users' personal data exposed.
Starbucks Laptop Lost
60,000 records of personal data at risk.
GE Loses Laptop
50,000 employees' and retirees' records at risk.
I promise you, the list goes on and on. But let me ask you. Where is the problem? Is a new brand of SSL certificates going to fix the security threats of today? Should we burden businesses to make already secure transactions a little more secure, when the data transaction isn't actually the problem? I would think the most immediate need would be user education and the improvement of big business technology practices.
In 2005, 84% of the people polled in a Forrester Research study said they don't think retailers are doing enough to protect their customers online and 24% did not make purchases online due to security concerns.
Is the problem in the transaction, or is the problem in the data collection? Do you think these people in the poll are worried about their data transaction, or about the security of their data after the transaction? SSL technology exclusively protects the data transaction, not the collection and storage. We already have a solution for protecting data transactions: it's called SSL.
EV SSL is a solution from which only Microsoft and their partners will benefit. The introduction of EV SSL is nothing but a scam. Microsoft is trying to gain market share in the browser market, and the Certificate Authorities will be charging all their customers over 300% more ($400 for an SSL certificate versus $1300 for an EV SSL certificate at VeriSign) for the same security. The problem and the solution simply don't match up.
Further Reading
http://www.spreadfirefox.com/node/26081
http://blogs.msdn.com