CA/Browser Forum releases new guidelines for vetting website legitimacy
The CA/Browser Forum, a consortium of four major internet browsers and more than 20 certification authorities, this week announced the first-ever set of standardized guidelines to validate the legitimacy of website operators.
In the past, sites that issued SSL certificates – represented by the padlock in the corner of the browser – received little to no scrutiny, Tim Moses, chairman of the forum and the senior director of advanced technology at certification vendor Entrust, told SCMagazine.com today
"Never before has there been a standard for vetting the identities of subscribers," he said. "They have been issued to phishing sites. The consumers must have gotten confused as to what the padlock meant to them. All it’s telling you is you have an encrypted connection to whatever site you’ve been at, but that’s as far as it goes. Clearly, there was a need for something stronger."
The new extended validation certificates, which have been issued to more than 2,000 websites since being unveiled earlier this year, are signified by a green address bar that not only contains the padlock but also identifying information about the business, such as its official name and address, Moses said.
And now, under the guidelines, all businesses receiving the high-assurance certificates will be required to prove they are recognized as an official company, he said. The new 80-page set of guidelines - announced Tuesday - also opens the door for sole proprietors, general partnerships and other small businesses to receive the certificate.
This will help to prevent users from stumbling into phishing scams, including difficult-to-identify man-in-the-middle attacks, and increase consumer confidence, Moses said.
The guidelines also include processes for revoking certificates, he said.
"The applicant has to go through many steps (for identity)," he said. "If it turns out they’re engaged in something illegal and fraudulent, it will be possible to track them down and make them accountable."
The new technique may help to ward off phishers but it likely won’t identify those companies conducting general bad business practices, Avivah Litan, a Gartner analyst, told SCMagazine.com today.
"It will tell you they have the right paperwork and that they’re traceable but it won’t tell you if they’re going to end up ripping you off," she said.
Experts agree education is the key component to making extended-validation certificates effective. Moses said the major financial and ecommerce firms must lead the campaign to explain "in consumer-appropriate terms" what it means to have a green bar.
"Consumers need to be trained on what it means," Litan said.
Click here to email reporter Dan Kaplan.