Reply-To: <[EMAIL PROTECTED]>
From: "Ray Everett-Church" <[EMAIL PROTECTED]>
To: "'Declan McCullagh'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: More VeriSign problems
According to http://www.theregister.co.uk/content/55/33779.html, on November 4:
> VeriSign today unveiled a redesign of its ubiquitous
> Trust Mark seal symbol. Instead of a static GIF image,
> the new Trust Mark features a Flash-based animated
> design to make it more recognizable online.
>
> By clicking on the new VeriSign Trust Mark, consumers
> can verify a business's legal name, determine the
> validity period for the Secure Sockets Layer (SSL)
> certificate, and view their place of incorporation.
>
> Mike Foley, vice president of VeriSign Security
> Services, explained that the underlying technology
> behind the design had changed so that this information
> could be validated in real time - unlike earlier
> versions of the seal where information wasn't served
> dynamically. This also means that VeriSign can strip
> off the revamped Trust Mark seal from a site when a
> digital certificate expires, he added.
>
> The newly designed VeriSign Trust Mark is positioned
> as a way for VeriSign's customers to better communicate
> the authenticity of their site to potential consumers
> online.
Unfortunately (but not surprisingly) they implemented it very poorly. My partner, a Flash designer and developer, analyzed their implementation and found numerous problems, including several ways in which it can be trivially spoofed. His analysis, with a live demonstration, appears at: http://www.infinitumdesign.com/verisign.html (Flash 6 required).
Regards,
-Ray

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
