Wednesday, February 14, 2007

Green Means Trust, But Does It Mean Security?

By Coenraad De Beer

Green means "Trust": that is the catchphrase for EV SSL certificates, the new authentication standard for secure web sites. Let's be clear on one thing. SSL encryption is a necessity for any web site collecting sensitive information from its visitors, and it is great to see that certificate authorities are making it harder for swindlers to obtain these certificates. But does it mean that an already trustworthy web site that owns an EV SSL certificate is now even more trustworthy, and that an already trustworthy web site without an EV SSL certificate is no longer trustworthy?

The one thing that makes EV SSL stand out from normal SSL certificates is its colour coding system: green means trust, yellow means suspicion and red means danger. The address bar of Firefox turned yellow for secure web sites using SSL encryption long before Microsoft came up with the idea of making Internet Explorer's address bar green for sites owning an EV SSL certificate. Internet Explorer 7 added tabbed browsing, something that was already part of Firefox; Internet Explorer 7 added an anti-phishing filter, something you could always add to Firefox with the Google Toolbar; so it was no surprise to me when Internet Explorer 7 suddenly started to use colour codes to classify the safety status of web sites.

In a study done by Rachna Dhamija, a Postdoctoral Fellow at the Centre for Research on Computation and Society at Harvard University, it was found that most phishing attacks succeed because of the human factor and not because of lacklustre security standards, bugs in the operating system or a faulty browser. Many people simply ignore the warnings and messages given to them; they are not aware of the security features of a browser and therefore don't care if the address bar turns purple, for that matter. (You can read more about this study at http://www.securityfocus.com/columnists/407.) So the colour coding system will only work if people are properly educated about it. But I still have a problem with this system: it can make people completely paranoid when browsing the web. If they don't see the address bar turning green, they will immediately have a negative attitude towards the web site they are visiting. Isn't the main purpose of EV SSL to build trust and customer confidence among Internet users?

Green means "Trust" is only another way of saying that a little padlock in the bottom-right corner of your screen means secure. It is good to know that applicants for EV SSL certificates undergo a very strict validation and authentication process, but this will only last until the standards are weakened again. EV SSL is like a normal SSL certificate combined with rigorous validation procedures and a colour coding system, so the core of the certificate itself stays the same. Let's say the user starts to depend on this "Trust" built by EV SSL certificates. Will the user learn how to identify dangerous web sites without this technology? No. What happens if someone bypasses the rigorous validation procedures of EV SSL certificates; will the user blindly trust this site because it has an EV SSL certificate? Yes, most definitely. A driver has unconditional trust in the brake pedal and will not be able to identify sudden brake failure until it is too late. The trust is placed on an object that cannot guarantee your safety: it is not the pedal that provides the safety, but the mechanical system behind it. The same holds true for EV SSL. You need to teach people how to identify a dangerous web site without the fancy colour coded signs of EV SSL, just like teaching someone how to identify brake failure without relying on the brake pedal to warn them about it.
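As an added illustration of that last point (editor's example, not part of the original column or of any browser or CA code): the script below, written with Python's third-party `cryptography` library, issues two server certificates from a throwaway test CA, one plain and one carrying an EV policy identifier, and shows that they are identical in everything except a single certificatePolicies extension. The EV OID, the CA name and the hostname are constructed placeholders; a real browser compares the OID against its own list of CA-registered EV policy identifiers.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Constructed placeholder. Browsers hold a list of EV policy OIDs registered
# by each CA; this value is not any CA's real identifier.
EV_POLICY_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")
TRUSTED_EV_OIDS = {EV_POLICY_OID.dotted_string}


def _basic_builder(subject, issuer, public_key, days):
    """Fields every X.509 certificate carries, EV or not."""
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
    )


def make_ca(name="Test CA (constructed)"):
    """Self-signed test CA standing in for the certificate authority."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (
        _basic_builder(subject, subject, key.public_key(), 365)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert, key


def make_leaf(ca_cert, ca_key, hostname, ev=False):
    """Issue a server certificate; the EV variant only gains a policy extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    builder = _basic_builder(subject, ca_cert.subject, key.public_key(), 30).add_extension(
        x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False
    )
    if ev:
        builder = builder.add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(EV_POLICY_OID, None)]),
            critical=False,
        )
    return builder.sign(ca_key, hashes.SHA256())


def policy_oids(cert):
    """Dotted policy OIDs from certificatePolicies, or [] when the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES)
    except x509.ExtensionNotFound:
        return []
    return [p.policy_identifier.dotted_string for p in ext.value]


def is_ev(cert, trusted_ev_oids=TRUSTED_EV_OIDS):
    """What the green bar boils down to: a policy OID present on the browser's EV list."""
    return any(oid in trusted_ev_oids for oid in policy_oids(cert))


def signature_valid(leaf, ca_cert):
    """The cryptographic check is the same for EV and non-EV certificates."""
    try:
        ca_cert.public_key().verify(
            leaf.signature,
            leaf.tbs_certificate_bytes,
            ec.ECDSA(leaf.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def extension_diff(a, b):
    """Extension OIDs present in one certificate but not the other."""
    return {e.oid.dotted_string for e in a.extensions} ^ {e.oid.dotted_string for e in b.extensions}


def compare_ev_and_plain(hostname="shop.example"):
    """Build both flavours and report what the green bar actually keys on."""
    ca_cert, ca_key = make_ca()
    plain = make_leaf(ca_cert, ca_key, hostname, ev=False)
    ev = make_leaf(ca_cert, ca_key, hostname, ev=True)
    return {
        "plain_is_ev": is_ev(plain),
        "ev_is_ev": is_ev(ev),
        "plain_signature_valid": signature_valid(plain, ca_cert),
        "ev_signature_valid": signature_valid(ev, ca_cert),
        # Only the certificatePolicies extension (2.5.29.32) separates the two.
        "differing_extensions": extension_diff(plain, ev),
        # To a client that does not recognise the OID, the EV certificate is just SSL.
        "ev_without_ev_list": is_ev(ev, trusted_ev_oids=set()),
    }


if __name__ == "__main__":
    for name, value in compare_ev_and_plain().items():
        print(f"{name}: {value}")
```

Run it directly to print the comparison. In code it makes the column's point in prose: the signature verifies identically for both certificates, the green indicator is nothing more than an OID match against a list shipped with the browser, and when that list is empty, or the vetting behind the OID is bypassed, the certificate is still just SSL.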

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software.
