Microsoft’s EV SSL Validation to Authenticate Websites

Microsoft and its partners are planning to introduce a new anti-phishing technology in order to improve the level of security of the Web.

The software giant is preparing to announce at the RSA Conference in February at San Francisco. It would declare names of those websites that have undergone a new process of certification meant to make spoofing a tough job for phishers. Accordingly third party certification bodies like Entrust and VeriSign will be required to abide by stricter guidelines while authenticating websites.

The process will render certificates called EVSSL (Extended Validation Secure Sockets Layer). Websites can use them to assure surfers that they're submitting their personal information only to legitimate sites.

An Extended Validation SSL Server Certificate is a new kind of SSL certificate that evolved to combat the increasing threat of 'phishing' and 'man- in- the- middle' attacks. Websites can acquire EVSSL certification after satisfying the new stages of validation.

Armed with this validation process and the EVSSL certificate, organizations can provide a recognizable and visible way to prove that their site involves in legitimate business and that consumers were using an authentic website rather than a phished one.

At the time of surfing a certified website, address bar in IE7 for example will turn green. This would mean that validation specialists have researched and certified the website and its owner's identity. Sites that do not show a green address bar indicates they are not EVSSL certified and users need to be cautious with their online transactions.

However, there is need to address some issues. For instance it is not certain whether smaller web sites that were never attacked by phishers would be ready to spend money for such certificates. As regards technical issues the problems could be how would EVSSL handle site addresses with international characters, and two companies with the same name in different parts of the world?

Another problem relates to ineffectiveness of these new certificates in IE7 as a study claimed. After conducting user testing the study found that EV certificates do not enhance user's ability to spot attacks, as it is possible to spoof the interface.

Related article: Microsoft Patches Live OneCare to Tackle Quarantined E-Mails

» SPAMfighter News - 1/30/2007