http://lwn.net/Articles/207070/?format=printable

Extended validation certificates

November 1, 2006

This article was contributed by Jake Edge.

A new 'security' feature being touted by Microsoft and Verisign has raised a number of red flags for the open source community, but it appears that the new "Extended Validation" (EV) SSL certificates are not some kind of attempt to squeeze out the competition. Neither of those two companies is known for its ability to play well with competitors, so any collaboration between the two requires some close scrutiny to try to ensure a level playing field. In this case, the field seems level, but the security provided by the new feature is somewhat dubious.

SSL certificates are used by the HTTPS protocol for encrypted traffic between a web browser and the web server; they are issued by various certificate authorities (CAs) such as Verisign. An SSL certificate is generated for the domain it will serve and then signed by a CA after the CA does some verification of the entity requesting the signature. Because CAs have traditionally done very little in the way of validation, a signed SSL certificate does not tell you very much about the identity of the domain; it essentially just verifies that the domain owner was willing to spend $50-100 to get the signature.

When presented with a certificate, a web browser attempts to verify any signature using a set of public keys for the CAs that the browser developers have decided to trust. Verisign has generated a new set of keys to sign the EV certificates and Microsoft has already incorporated that public key into IE7. In addition, when presented with a properly signed EV certificate, IE will turn the address bar green to indicate some purported higher level of security. For browsers that do not support EV, Verisign will presumably still sign EV certificates with their current key and those browsers will still display the padlock icon.

So, what does it take for a site to get this EV certificate? One would guess that more money would be involved and that is certainly the case. One would hope that more investigation of the entity requesting the signature would be part of it as well and that seems to be the case, but the actual requirements are, as yet, unspecified. The Verisign FAQ indicates that the requirements are soon to be released by the CA/Browser Forum. This organization (which appears to have no website) is a group of CAs and browser developers that is said to include both Microsoft and Mozilla (as well as Opera and KDE) and has been working on EV certificates for 18 months or so.

The two big concerns about all of this are that either Verisign will monopolize the EV certificate generation or that Microsoft will monopolize the verification of them. Neither appears to be the case as Verisign clearly states that other CAs will be able to generate EV certificates and other browsers will be able to validate them and, presumably, turn their address bars green too. Mozilla has EV on its radar and it is listed as a feature to be added, but Verisign and Microsoft are the first to market.

An article in The Register was the first to alert most people to the new feature; it quoted Tim Callan, a marketing director at Verisign, bemoaning the slow pace of adoption by Mozilla. Callan has since clarified his statements and says that he did not indicate any displeasure with the pace of adoption by the Mozilla Foundation. Commercial browser developers can move more quickly on adopting new CA keys because there is a financial motive, whereas open source browsers need to ensure that they have consistent policies about adopting new CAs and keys.

It is interesting to note that the perceived inadequacies of current SSL certificates are a problem that the CAs created for themselves. Because they were willing to sign any certificate with extremely minimal verification of anything other than the credit card charge to pay for it, they made SSL certificates and the padlock icon relatively meaningless for anything other than an indication that the traffic is encrypted. Unless the verification of the entity is extremely thorough (which would be very costly), it is unclear that EV certificates will really do anything to change that. Even then, few people actually look at the name attached to an SSL certificate, and many might be surprised at the names that show up if they did.

The end result is that anyone wanting to abuse HTTPS will figure out a way to get a signed EV certificate and, one day, the green address bar will be no more trusted for identity verification than the padlock icon is today. Identity verification is a hard problem and EV certificates are just a quick fix; the problem will need to be addressed again, and perhaps we will see 'Super Extended Validation' certificates somewhere down the road.
