CA/Browser Forum releases new guidelines for vetting website legitimacy

The CA/Browser Forum, a consortium of four major internet browsers and more than 20 certification authorities, this week announced the first-ever set of standardized guidelines to validate the legitimacy of website operators.

In the past, sites that were issued SSL certificates – represented by the padlock in the corner of the browser – received little to no scrutiny, Tim Moses, chairman of the forum and the senior director of advanced technology at certification vendor Entrust, told SCMagazine.com today.

"Never before has there been a standard for vetting the identities of subscribers," he said. "They have been issued to phishing sites. The consumers must have gotten confused as to what the padlock meant to them. All it’s telling you is you have an encrypted connection to whatever site you’ve been at, but that’s as far as it goes. Clearly, there was a need for something stronger."

The new extended validation certificates, which have been issued to more than 2,000 websites since being unveiled earlier this year, are signified by a green address bar that not only contains the padlock but also identifying information about the business, such as its official name and address, Moses said.

And now, under the guidelines, all businesses receiving the high-assurance certificates will be required to prove they are recognized as an official company, he said. The new 80-page set of guidelines – announced Tuesday – also opens the door for sole proprietors, general partnerships and other small businesses to receive the certificate.

This will help to prevent users from stumbling into phishing scams, including difficult-to-identify man-in-the-middle attacks, and increase consumer confidence, Moses said.

The guidelines also include processes for revoking certificates, he said.

"The applicant has to go through many steps (for identity)," he said. "If it turns out they’re engaged in something illegal and fraudulent, it will be possible to track them down and make them accountable."

The new technique may help to ward off phishers, but it likely won’t identify those companies conducting general bad business practices, Avivah Litan, a Gartner analyst, told SCMagazine.com today.

"It will tell you they have the right paperwork and that they’re traceable but it won’t tell you if they’re going to end up ripping you off," she said.

Experts agree that education is the key component to making extended validation certificates effective. Moses said the major financial and ecommerce firms must lead the campaign to explain "in consumer-appropriate terms" what it means to have a green bar.

"Consumers need to be trained on what it means," Litan said.

Participating browsers include Internet Explorer, Mozilla Firefox, Opera and the Unix-based Konqueror.

Reported by Dan Kaplan.
