Monday, November 27, 2006

Why EV SSL And The New Breed Of Anti-phishing Filters Won't Work

By Coenraad De Beer

Microsoft is planning to implement a feature in Internet Explorer 7, which will make the address bar turn green when the user visits a legitimate web site. Sounds good doesn't it? But there is a catch, to make the address bar turn green when people visit your site, you will need to have an EV SSL certificate. The new EV SSL certificate technology will have a negative impact on the small Internet business that cannot always afford such a luxury. Once again it is a case of everyone getting hit over the fingers because Internet authorities can't control the waves of computerised crime raging on the Web.

What is EV SSL? EV SSL stands for Extended Validation Secure Socket Layer. EV SSL certificates act exactly the same as your conventional SSL certificates, the only difference is the fact that the identity of each certificate holder will be verified and each one will be subject to a very strict, ongoing screening process. But this is nothing new, was that not the purpose of normal SSL certificates? Yes it was, but SSL issuers have become lazy and are not always adhering to the best security standards when they issue certificates for web sites. The problem does not lie with the initial issuing of the certificate, but with the lack of control and supervision over the web site thereafter. What certificate issuers are trying to achieve by creating a new type of certificate, is not clear to me. It is not going to solve the problem if you cannot improve your own security standards, in fact, why issue a new type of certificate when you only need to improve your standards and supervising methods? It is hard to believe that this is not only about money.

Developers of browsers like Opera and Konqueror are supporting the idea, while Mozilla, the makers of the very popular Firefox, is evaluating various solutions and looking for one that will suit everyone, not just high profile corporations. Supporters of the new technology use the ever-increasing threat of phishing scams as a reason to justify the importance of EV SSL. They are concealing their intentions with the smokescreen of “protecting” users against phishing attacks. But once again corporations are looking for ways to make money out of a corrupt system. They are not seeking a cure, but a way of making money by only treating the symptoms of the problem. The correct approach is to treat the root of the problem, namely ignorance. Swindlers will always find a way to circumvent anti-phishing filters and EV SSL protection, but it is hard to bypass common sense once the user has grasped the essence of phishing scams. Companies do not make money out of the common sense of witty users, they actually loose money because of them. The vigilance of informed users empower them to identify phishing scams easier without using advanced software or EV SSL protection.

The EV SSL approach is insulting the ethics of the honest small business owner running a decent web site. Law abiding web site owners are treated like criminals and criminals have the chance to break through the new technology to create an opportunity for another set of new SSL certificates, which means more money for certificate issuers. But in the end you are nowhere near the real solution. EV SSL is like having the burglar alarm of your retail shop activated during the day while consumers visit your shop. What is the use of EV SSL when people only browse your site for information? What is the use of encryption if there is no sensitive information to be transferred between the browser and the web site? What is the use of a green address bar if your site never engages in confidential transactions? I do not think software companies will like it when anti-virus companies start to demand that they buy a special signature to sign all their files with, only to have these files classified as safe by the anti-virus scanner. So what is the use of heuristic detection methods if everyone needs a certificate to comply with the safety criteria of an anti-phishing filter? How many people really know how to verify the validity of an SSL certificate?

The main reason why people fall victim to phishing scams is because of ignorance, curiosity, greed and lack of common sense. People blindly believe everything the computer tells them to do. You can make users click where you want them to, you can make users respond to e-mails in the way you want them to, you can make them visit web sites without letting them know what type of web site they will be visiting, you can even make them pay for things they do not really need. You see, people are computer slaves, they simply obey and believe without questioning the purpose of their actions. If the address bar does not turn green, users will simply believe that the site is not safe, or even worse, fraudulent, whether it is true or not. On the other hand, they will put their trust in a system that can always be bypassed, maybe not easily but there is always a possibility. Is a site really safe if the address bar turns green? How sure are you that a site with an EV SSL certificate was not maybe hacked? What if a malicious add-on hijacks your browser, making the address bar turn green for dangerous web sites without you even knowing it? You cannot put your trust in software that is constantly a target for hackers and hijackers. You cannot use artificial solutions for today's breed of computer criminals. Internet users need to stand on their own two feet, they need to be able to identify these threats on their own without counting on vulnerable software and security systems. You do not need to be a rocket scientist to identify a fraudulent site, but large corporations want you to believe that only they can tell you which site is safe and which site is not through their “wonderful” software. What happened to your freedom of choice, do you want a computer to make all the decisions for you?

Most of your common phishing scams start with an e-mail as the bait. No one will visit a phishing site at random, you need something or someone to take the user to that site. Taking this into account you soon realise that it is not the anti-phishing filter of the browser or an EV SSL certificate that is going to solve this problem. For instance, 419 scams can be done completely through e-mail without having the victim visiting a single web site, so no EV SSL certificate or anti-phishing filter is going to prevent a Nigerian 419 scam from succeeding. Spam is the vehicle of all types of scams on the Internet, but at the same time the least controlled problem in the online world. Authorities are aiming at the wrong target. The main purpose of EV SSL certificates is to reward ethical, trustworthy web sites with a status symbol of being safe and secure. But is it ethical to base your reasons for using this technology on the ignorance of people without combating the true root of the problem?

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against malicious software.


Anonymous said...

I have a lot to say, but not enough time, so First, I love it that you clearly dislike EV certs, but you advertise them via the right nav Google Advertising (I'm sure this isn't intentional, but it's clear you are profiting from EV Certs as well). Second, you say "What is the use of a green address bar if your site never engages in confidential transactions?" I don't believe anybody on the CABrowser Forum is forcing Web sites to purchase EV SSL Certs. Regular SSL Certs still work for what they're intended to do.

C++ Genius (old account) said...

Troy, sharp comment about the Google Adsense ads on the right :-). I would block these SSL ads, but it is a huge (rather impossible) task blocking all SSL ads from the site because I will need to block every domain individually. Removing the adsense code is another option, but there is no sense in that either, is there?

Visit the following page and you will understand why I say that EV SSL is being forced down our throats in a very subtle and psychological manner.

I will quote one line from this page:
"In the very near future sites without EV SSL will be at a serious disadvantage in the e-commerce marketplace."

Does this make a site without EV SSL insecure? Well this is the impression they are making with a statement like this. They may not be forcing you to buy EV SSL but they are certainly playing with your mind making you believe that your site is useless without EV SSL.