The CA/Browser Forum wants to bring increased safety to web banking and e-commerce by developing a new digital certificate that can better verify a site's legitimacy. The technology is already included in Internet Explorer 7 and Opera 8 and certainly looks like a step in the right direction—for the companies that are able to get a certificate.
The Forum has developed guidelines for Extended Validation SSL certificates whose issuance requirements are far stricter than those for traditional SSL certificates. They will suddenly become much more important to consumers in January, when Microsoft begins using them with IE7 to signal that the organization behind a site has been verified. A green address bar will alert consumers to the fact that the site carries an EV certificate, and the CA/Browser Forum has made sure that these are not simple to obtain. That's good news for sites that can get one, but not so good for small businesses, which generally cannot.
The draft guidelines (PDF) go into excruciating detail about what certificate authorities (CAs) like Thawte and RSA must do before issuing an EV certificate to a business. To give only a single example, a CA must confirm that the address a company gives it is the company's actual place of business. If the CA is unable to verify this using public records, it must send "a reliable individual" on a site visit to the address. The visitor must look for a permanent sign, note whether the building is a condo, office building, strip mall, etc., look for evidence that ongoing business is taking place at the location, and take photos of the exterior and the reception area. Holy verification process, Batman!
The goal is to prevent common phishing scams in which a crook signs up for an SSL certificate using nothing more than a P.O. box and thereby gets the "padlock" icon for his site. The new system is far more thorough, but because its checks demand a verifiable physical place of business and documentation that many small businesses cannot supply, many of them will be excluded. They can still get an ordinary SSL certificate, and the browser will still show the padlock, but their sites won't get the green "safe" bar in IE7 and Opera.
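How does the browser tell an EV certificate from an ordinary one? Both are valid SSL certificates; what differs is that an EV certificate carries the issuing CA's EV policy identifier (an OID) in its certificatePolicies extension, and the browser keeps its own list of which roots have been enrolled for EV and which policy OID each one uses. The small program below is an added illustration of that decision, not code from the article, from the CA/Browser Forum, or from any browser. The root name and the EV policy OID `1.3.6.1.4.1.99999.1.1` are made up for the example; real CAs publish their own OIDs. It uses only the Python standard library and encodes the extension itself rather than reading a live certificate.

```python
"""Model of the browser-side EV decision: chain root + certificatePolicies OID.

Added example; the root name and EV OID below are hypothetical placeholders.
"""
from typing import Iterable, List, Optional

TAG_OID, TAG_SEQUENCE = 0x06, 0x30

# Hypothetical EV enrolment table: root name -> EV policy OIDs the browser
# accepts from that root. Real browsers ship such a table with their root store.
EV_POLICY_OIDS = {
    "Example EV Root (hypothetical)": {"1.3.6.1.4.1.99999.1.1"},
}


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into DER OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("invalid OID %r" % dotted)
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = bytearray([arc & 0x7F])       # last base-128 digit, high bit clear
        arc >>= 7
        while arc:                            # earlier digits carry the continuation bit
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes(body)


def decode_oid(body: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content bytes back into dotted form."""
    arcs, value, pending = [], 0, False
    for b in body:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("truncated OID")
    first = arcs[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value with definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:end], end


def encode_certificate_policies(oids: Iterable[str]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }."""
    infos = b"".join(der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, encode_oid(o))) for o in oids)
    return der_tlv(TAG_SEQUENCE, infos)


def parse_certificate_policies(der: bytes) -> List[str]:
    """Extract every policyIdentifier from a DER certificatePolicies value."""
    tag, outer, end = der_read(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = der_read(outer, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation is not a SEQUENCE")
        tag, oid_body, _ = der_read(info, 0)   # policyQualifiers, if any, are ignored
        if tag != TAG_OID:
            raise ValueError("policyIdentifier is not an OID")
        oids.append(decode_oid(oid_body))
    return oids


def shows_green_bar(chain_root: str, policies_ext: Optional[bytes]) -> bool:
    """The chain must end at a root enrolled for EV, and the leaf must assert
    that root's EV policy OID. A valid chain alone (the padlock) is not enough."""
    if chain_root not in EV_POLICY_OIDS or policies_ext is None:
        return False
    asserted = set(parse_certificate_policies(policies_ext))
    return bool(asserted & EV_POLICY_OIDS[chain_root])


if __name__ == "__main__":
    ev_leaf = encode_certificate_policies(["1.3.6.1.4.1.99999.1.1"])
    dv_leaf = encode_certificate_policies(["2.5.29.32.0"])   # anyPolicy only
    print("EV leaf under EV root:", shows_green_bar("Example EV Root (hypothetical)", ev_leaf))
    print("DV leaf under EV root:", shows_green_bar("Example EV Root (hypothetical)", dv_leaf))
    print("EV OID under unknown root:", shows_green_bar("Some Other Root", ev_leaf))
```

The point the model makes is that the green bar is not a property of the padlock or of the encryption: a certificate from the same CA, under the same root, with the same key size, but without the EV policy OID, gets the padlock and nothing more. It also shows why the decision is per root: a CA cannot grant itself EV status by minting an OID, because the browser only honours OIDs it has recorded for that particular root.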
Because of this, there has been some controversy over the specification, which remains in draft form. It does not actively hurt businesses without an EV certificate, though, so Microsoft will start recognizing the certificates in January. Opera already does so, and other browsers may soon follow suit.
Although it's too bad that small businesses cannot currently be validated for EV certificates, the vast majority of phishing attacks impersonate large financial institutions or e-commerce sites. Does anyone really worry that sallyshouseofcookies.com could become a phishing target? Small business owners aren't as concerned about the risk of a real phishing attack as they are about the perception that their sites are "unsafe" because they don't have the green bar. If the program gains widespread public acceptance and casual web users come to treat the green bar as a safety guarantee, this could prove detrimental to the sites that can't get a certificate. The CA/Browser Forum is aware of the issue, though, and will hopefully find a safe way to validate smaller vendors in the future.
The Opera developers have let us know that their support for EV certificates is actually a work in progress; they currently have a yellow security toolbar, but this only shows the "Organization" field from a traditional certificate.