The SSL protocol is soon due for some of its most meaningful upgrades since adoption in the 1990s, according to a representative from the American Bar Association (ABA) Information Security Committee on Wednesday.
To help with this effort, the ABA is working with the security industry to improve the trustworthiness of SSL certificates, said Ben Wilson, principal consultant of Xcera Consulting and co-chair of the ABA's Information Security Committee. Over the years, SSL certificates have become more widely available as their price has dropped. But as certificates came within reach of even the smallest sites, the reliability of the certificates being issued declined.
"The quality of due diligence prior to approval of certificates has fallen," said Wilson, who spoke on an RSA Conference 2006 panel that focused on the hot topics in information security law in 2006.
The ABA and a key group of SSL certificate issuers and web browser vendors intend to address this problem by establishing a new class of SSL certificate with stricter standards for verifying a site's identity. Wilson said the hope for these extended validation certificates is to make the verified information more meaningful, as well as easier for the average web user to recognize and understand.
By working concurrently with the developers of browsers such as Internet Explorer, Firefox and Opera, the goal is to create interfaces that make a site's trustworthiness more visible based on the status of its SSL certificate. The padlock icon will continue to be shown for all pages retrieved over SSL/TLS connections, regardless of the type of certificate presented, Wilson said. But in the future, browsers will likely change the color of the address bar depending on the level of the certificate, with green likely to signify the most trustworthy sites. Some browser developers are also considering extending this color-coded scheme to warn users about suspicious addresses by turning the bar yellow or red. Implementation of these new standards is many months away: the working groups are still being formed, and further debates already loom.
"We have to find balance between the need to distinguish high impact sites such as banks, while retaining the accessibility of SSL for smaller organizations," Wilson said.