An EV-SSL certificate is a public key certificate granted only after the identity of the requestor has been proven to and verified by the issuing Certificate Authority (CA). The only way it differs from other authentication certificates is the addition of a policy ID specific to the CA. This ID is read by EV-aware software, which then displays EV-SSL indicators within the browser. In most instances, this indicator is a touch of green in the background of the browser's address bar.
This incident shows that even the presence of this green indicator does not always mean safe browsing. Though the CA side of the process works quite well, designed as it is for rigorous verification of the requestor, once a website receives an EV-SSL certificate, there are no requirements for the website owner to safeguard the web pages meant to be protected. If a hacker takes over a page or even the whole site, the EV-SSL banner will continue to fly.
Add to this incident the suspected issuance last year of at least one rogue SSL certificate by the Dutch CA DigiNotar and you get what should be a sense of increased wariness of the entire certificate verification structure. One reason for the creation of an EV-SSL process was to increase website visitors' confidence that the site they are visiting is indeed who it says it is and not a gang of criminals out to steal the passwords to their financial accounts.
But it appears some CAs are their own worst enemy -- some have begun issuing "low-validation" SSL certificates that do little more than validate that the name of the domain matches the name of the website. Because these SSL certificates generate the same indicators of verified identity as the more rigorous processes, the entire SSL process looks less trustworthy.
To regain this trustworthiness, participants on both sides of the process must improve their operations. CAs must follow the rules set down for strict authentication and validation for all requestors of SSL certificates. And those asking for the certificates must be ready to prove that their websites are adequately protected.
Kimberly Dovander
Kimberly is the pro blogger in the WHS family. WordPress, Blogger, Tumblr... It doesn't matter - she knows them all. Send her a question, or drop a line in the comment section below, and she'll get back to you.