Microsoft and its industry partners have a new initiative to combat phishing.
At next month's RSA Conference in San Francisco, Microsoft plans to announce that a number of websites have gone through a new certification process designed to make it harder for phishers to spoof them. The process gives third-party certification authorities like VeriSign and Entrust a more stringent set of guidelines to follow when they are authenticating websites.
The result of the process is something called an Extended Validation Secure Sockets Layer (EV SSL) certificate, which can be used by sites to help reassure surfers that they are handing over their private information to a legitimate site.
Microsoft is ahead of other browser-makers in supporting EV SSL certificates, which will work with Internet Explorer 7 by the end of this month, but the company needs to persuade other website owners of the technology's worth.
Microsoft plans to show that this is now happening, said Markellos Diorinos, product manager with the Internet Explorer team. "We're getting more and more names that are going to be supporting Extended Validation, and we'll be announcing the first ones at RSA," he said.
Sites that have been EV SSL-certified will look a little different from today's secure sites, which typically display a small "lock" icon in the browser.
When IE hits part of a website that supports the EV SSL standard, there will still be a lock icon but the address bar will also turn green. Users will also be able to see what country the website is based in and who has certified it. "What this really means is that someone went and made sure that this corporation is in good standing," Diorinos said.
Websites buy these EV SSL certificates from certification authorities, who in turn follow the website company's paper trail: making sure it is registered with local authorities, that it has a legitimate address, and that it actually has control over the domain in question, for example. In some cases the certificate authority may even send out a representative to confirm that the business is who it claims to be.
"If you're a company without a reliable paper trail, you're not going to get one of these," said Tim Callan, a product manager with VeriSign's business unit. "If you're incorporated, if you're an LLP, or if you're a registered charity, you have nothing to worry about."
VeriSign has been offering EV SSL certificates since 11 December, and has over 300 businesses now going through the certification process. About 20 of them have been issued certificates so far, Callan said.
The certificates are certainly of interest to sites that have been targeted by phishers. Wells Fargo & Co. has helped develop the EV SSL standard, and Ebay's PayPal has recently gone live with EV SSL certificates on its https://history.paypal.com and https://av.paypal.com/ websites.
Still, there are some issues to be worked out.
One unanswered question is whether or not smaller sites that haven't been spoofed will be willing to pay for these certificates.
There are also technical questions that have yet to be worked out by the browser makers. For example, how will EV SSL deal with international character types, and how will they deal with two companies in different countries that happen to share the same name.
"There are a lot of open issues," said Window Snyder, head of security strategy at Mozilla. The Firefox team will probably wait until version 3.0 of its browser is released later this year so that these questions can first be addressed, she said.