Not true.... 1) The GeoTrust quickSSL offering does lesser identity verification. In fact, from there own Certificate Practice Statement it reads that the Organizational Unit is not Validated. Given that the verification process on the traditional certificate makes up the bulk of the cost (faxes back and forth -- making sure that the Incorporation Documents and the whois record match -- very labour intensive) this gives these certifcates an inherent cost advantage. The price to be paid for that efficiency is less certainty around identity (If I have phony whois info with an anonymous e-mail address I can get a certificate for that domain, if there is then any trouble with the information collected using that certificate at that domain, there is not necessarily any easy way to track down my identity -- Conversely, if full authentication is done I would have to send in my incorporation documents or a copy of my passport, thereby resulting in greater certainty about my identity if something untoward should be done with the data collected at my site).
This lessened-certainty is sacrilege among the big security players in the industry. Hard to say how much of this is righteous indignation and how much of this is blatant self-interest. In any event it has become clear to me that some of our resellers are not fussed by this lessened certainty/security certificate. It is up to you to decide for your applications whether you and your customers are willing to accept this lowered level of authentication. 2) The quickSSL certificate has a claimed 90% browser recognition, i think it is lower but, in any event, is not 99% browser recognition. The comparable certificate offering from Geo-Trust (full authentication and 98% browser recognition) is their e-business id which they retail for $175 (packaged with another one of their services). That's why i said "for those applications that require full identification we now have the cheapest solution on the market"...and i stand behind it... Regards Darryl Green [EMAIL PROTECTED] Tucows Inc. Phone:(416)538-5461 Fax: (416)-531-5584 96 Mowat Avenue Toronto Ontario M6K 3M1 > -----Original Message----- > From: ezgoing8 [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, December 19, 2001 5:13 PM > To: Darryl Green; [EMAIL PROTECTED] > Subject: Re: Digital Certificates > > > While I would not challenge most of what you say, the simple truth is that > you do not have the cheapest solution on the market for your > resellers. End > users, maybe. Resellers, no. > > Just sign on as a Geotrust reseller and you are provided lower prices that > what Tucows offers, with less hassle in securing the cert. That includes > the full cert, not just the quick cert. > > Sorry but $99 as the wholesale price of a cert is not a good deal. Which > is probably why you hide the price till the very bottom of the reseller > agreement. > > > > > ----- Original Message ----- > From: "Darryl Green" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, December 19, 2001 10:47 AM > Subject: FW: Digital Certificates > > > > Point taken.... > > > > I am working on a "Real" answer.. This is one of the reasons I > have been a > > little quieter on the list these days. > > > > It became clear from our discussions a couple of weeks ago that, at > best -- > > the 'identity' component of the certificate is not as critical to you as > the > > incumbent market leading Certificate Authorities would have us > believe and > > at worst, the whole idea of web certificates is an inadequate > solution to > > the problem they are intended to solve (namely non-repudiation of > commercial > > transactions). > > > > I was particularly moved by the observation that it is really > the merchant > > that is taking the risk of repudiation -- this is true. For credit card > > transactions the provider of the payment gateway/merchant account is > trusted > > third party enough for the purposes of non-repudiation -- leaving the > value > > of a web-certificate only in the encryption component. Personal identity > > that would benefit the merchant is accomplished through personal > > certificates and e-commerce merchants have thus-far chosen to accept the > > risk of not requiring them and/or verifying identity in off-line methods > > (only shipping to the same address as listed on the credit card, phoning > the > > listed phone number on the credit card etc.). > > > > However, without the identity component the end-user is not protected > > against fraudulent collection of information from an imposter (I have > posted > > an article from today's Wall Street Journal below -- it shows a > situation > in > > which a fraud would have been prevented if users demanded a properly > > authenticated certificate -- ultimately that may have been what > tipped the > > users off in the first place -- spelling errors and healthy scepticism > were > > noted in the article). This is of greater concern for some applications > > than others. The message I clearly received from our discussion is that > you > > do not feel you need full identity verification for all > applications. Just > > as long as the browser error message is avoided. > > > > As stated before, I am working on a "Real" answer to your > concerns. In the > > mean-time, for those applications that require full > identification we now > > have the cheapest solution on the market and you should find the > > verification process running smoothly. If you don't you can let me know > > immediately and we will get it sorted out. Given some of the troubles in > the > > last month we are on high alert right now to ensure that > verification runs > > as smoothly and smoother than it did previously. > > > > Regards > > Darryl Green > > [EMAIL PROTECTED] > > Tucows Inc. > > Phone:(416)538-5461 > > Fax: (416)-531-5584 > > 96 Mowat Avenue > > Toronto Ontario > > M6K 3M1 > > > > > > > > 'Spoofer' Tries Unsuccessfully to Snag > > Credit-Card Numbers of PayPal Users > > By STEPHANIE MILES and STACY FORSTER > > THE WALL STREET JOURNAL ONLINE > > > > Ben Cichanowicz received an e-mail Monday evening purporting to be from > > online payment service PayPal Inc. The note promised a $5 credit to his > > account if he visited Paypal-Secure.com and updated his account > information, > > including his credit-card number. "All you have to do to claim your $5 > gift > > from is update your information on our secure Pay Pal site," the e-mail > > claimed. > > While the e-mail had a PayPal return address, the Web site didn't quite > look > > right. Mr. Cichanowicz, a systems administrator in Lexington, > Ky., quickly > > suspected fraud. He and his wife were tipped off by several spelling > errors, > > as well as by the fact that the site was missing security > information, he > > said. "This was the first thing that caught our attention," he said. > > Indeed, PayPal-Secure.com was a "spoof" site -- a fraudulent Web page > > designed to trick PayPal users into giving up their credit-card and > personal > > information. Mr. Cichanowicz, along with other recipients of the e-mail, > > alerted PayPal about the existence of the site. PayPal then asked > > DigitalSpace.net, the company hosting the site, to shut down the site, > which > > it did. DigitalSpace said it is company policy to shut down sites when > > alerted of possible fraud. > > The PayPal-Secure incident is a twist on an old con. For years, giant > > America Online has warned users not to give out passwords or personal > > information, and online investors know to carefully check their news > sources > > after fake articles buffeted stocks in several incidents. > > This isn't the first time PayPal (www.paypal.com), of Palo Alto, Calif., > has > > been targeted by a spoof site. Last year, a site called > PayPai.com was set > > up with the intent of stealing user names and passwords from users who > typed > > the Web address by mistake. > > With spoofers, companies "can't control that they're under attack," said > > Avivah Litan, vice president of financial services for technology > consulting > > and research firm Gartner Inc. "There's nothing you can do > about it except > > educate consumers." > > "There's all types of scams and fraud that people try to pull in the > online > > world -- just as they do in the offline world," said Vince Solitto, > > spokesman for PayPal. PayPal was alerted by a "few" customers about the > > site, Mr. Solitto said, declining to specify how many people > contacted the > > company or received the e-mail message. He speculated that the > PayPal-Secure > > entity probably sent out e-mail messages haphazardly to millions of > people, > > hoping to hit some PayPal users. He added that there had been no > indication > > that the PayPal network had been hacked or broken into. > > > > Image of "spoof" PayPal site > > According to domain-name registration records at VeriSign Inc., the > > PayPal-Secure.com address is registered to an entity called > PayPalSecure. > > The record lists a phony phone number and address for the > company. PayPal > > said it could subpoena the account information for the site from > > DigitalSpace.net, but that information would most likely be > faked as well. > > "One of the problems with the Net is that it's easy to dummy > something up > to > > look like a legitimate entity, and you might have to click > through further > > to ensure that it is the place that you think you are visiting," said > Susan > > Grant, director of the Internet Fraud Watch for the National Consumers > > League. These types of scams make it harder for legitimate companies to > gain > > users' confidence, she added. > > PayPal does warn its customers about fraud and says it is vigilant about > > protecting its users. The company says its customers are safe > because they > > are reimbursed -- either by PayPal or by their credit-card company, > > depending on the situation -- for any fraudulent charges to > their account. > > Online Service PayPal Sets Range for Its Proposed IPO (Dec. 14) > > The PayPal-Secure scam played on PayPal's earlier viral marketing > campaign, > > which helped to fuel its exponential growth. The company, which launched > in > > October 1999, had 10.6 million accounts as of Sept. 30, 2001, and > processes > > an average of 171,000 payments per day totaling $8.5 million in daily > > volume, according to the company. During its early days, PayPal > would give > > $10 to any user who signed up a friend, and gave the friend $10, too. > > PayPal still provides some bonuses, but the requirements for > receiving one > > have become much stricter. Now, according to the PayPal Web site, > customers > > must verify their account with a credit card, deposit $250 and > sign up for > a > > money-market account to receive the new account bonus. > > The attack comes at an inopportune time for PayPal, which last week set > the > > range for its proposed initial public offering. The company is already > under > > scrutiny from investors nervous about its exposure to liability from > > credit-card fraud, in part because PayPal promises to reimburse any > customer > > whose credit card or account is fraudulently used. PayPal is used > primarily > > by users of eBay Inc. and other auctions to process payments for online > > transactions. > > In the past, customers have complained to the Better Business Bureau and > > Federal Trade Commission about PayPal's fraud protections. Over the last > > year, however, the company has aggressively worked to combat credit-card > > fraud at the site. "They have very good fraud protection," said > Gartner's > > Ms. Litan. PayPal's fraud rates are better than average, with > about 0.87 % > > of its sales lost to fraud, according to its SEC filing. > > Neither PayPal nor Digital Space said they notified law enforcement > > authorities after PayPal-Secure.com was taken offline. "We certainly > > wouldn't bother the FBI about it," said Mr. Solitto, who called the > "spoof" > > category of fraud "not particularly novel or sophisticated." > > PayPal said it hasn't received any reports from customers who were > actually > > tricked into entering their personal information. Mr. > Cichanowicz, for his > > part, said he didn't give up any account information, but is still > disturbed > > that he was targeted for fraud. "This is a terrible time for > unsuspecting > > people to be had by this, especially so close to the holidays," he said. > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Allen > > Sent: Wednesday, December 19, 2001 11:14 AM > > To: Matthew Feinberg > > Cc: [EMAIL PROTECTED] > > Subject: Re: Digital Certificates > > > > > > That's why I am REALLY considering, and more than likely > signing up today. > > It has been a week with no "Real" answers from OpenSRS. Just a statement > > saying they are working with EnTrust with a new procedure.. > > > > Mike Allen, 4CheapDomains.Net > > [EMAIL PROTECTED] > > http://www.4CheapDomains.Net > > (812) 275-8425 - Office > > (815) 364-1278 - Fax > > ----- Original Message ----- > > From: Matthew Feinberg > > To: 'Mike Allen' ; [EMAIL PROTECTED] > > Sent: Wednesday, December 19, 2001 10:55 AM > > Subject: RE: Digital Certificates > > > > > > I have already switched over to Entrust and it it going well. > > I could no longer spend 5 to 8 hours of time on SSL Cert issue > per Cert to > > only make $25. > > > > Entrust, never once delivered a certificate without us chasing them > around. > > 1 customer took 4 weeks to get the Cert... Terrible! > > > > Matthew > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Allen > > Sent: Tuesday, December 18, 2001 4:06 PM > > To: [EMAIL PROTECTED] > > Subject: Digital Certificates > > > > > > Hi Guys... About this digital certificate thing and our current > problems... > > If open SRS is going to fix things, it better be fast. GeoTrust just > > contacted me and they are making us a very sweet offer for re-selling. > > Chuck, you may even want to re-consider the prices for these > certificates > > and maybe offer also the QuickSSL with a GOOD price... > > > > Mike Allen, 4CheapDomains.Net > > [EMAIL PROTECTED] > > http://www.4CheapDomains.Net > > (812) 275-8425 - Office > > (815) 364-1278 - Fax > > > > > >
