Here's an excerpt from a "mid-level" educational/nutshell whitepaper I'm doing on the new shiny SSL certificates that are coming soon. If you want information from someone who REALLY knows what they are talking about, subscribe to Tim Callan's SSL Blog. Also, watch the IEBlog. If you're running IE7, you can download and install a sample testing certificate then visit the fictional https://www.woodgrovebank.com and see the new certificates it in action.
ASIDE: On a totally different (but, eh, slightly related) note (and I'll blog or Hanselminutes.com about this later), if you're running IE7 and .NET Framework 3.0, check this out.
SSL - Secure Sockets Layer
Every online banking site protects their user’s data while it is in transit on the wire using Secure Sockets Layer or SSL, running one layer below protocols like HTTP and FTP. Many end users are informed enough to look for the “s” in HTTPS in their browser’s address bar and most look for a lock in the browser status bar before sending private data across the Internet.
Early versions of SSL used comparatively weak 40-bit encryption but most sites now use at the very least 128-bit and in some cases, 256-bit AES encryption. Many impose this important restriction by default by allowing only SSL3.0/TLS1.0 over HTTPS.
This screenshot from the Mozilla Firefox browsers shows that the encryption strength of two different banking sites. This dialog is reached by the user clicking on the lock icon within their browser.
In these examples, both sites are using high-grade encryption.
Recently more and more phishers have been successful in fooling the public into giving up personal information with the use of so-called “domain-authenticated SSL Certificates.” These SSL Certificates go through virtually no background check to prove the site is who they say they are. They prove only the domain name, but as the general public rarely clicks on the lock icon to view more information about the company or organization behind a SSL connection, they assume that a secure connection equals a trusted connection. This, of course, is not the case. Unfortunately these SSL Certificates look essentially the same to the browser as one issued by a highly trusted certification authority, thereby causing a phisher’s site to look “as secure” as your bank’s site.
High Assurance or Extended Validation SSL Certificates are a new kind of SSL certificate that will be treated very differently by newer browsers. Internet Explorer 7 will be the first browser to take advantage of this new technology with others like Firefox and Opera very close behind. This standard is being actively developed by the CA/Browser Forum as of this writing and will be referred to commonly as EV SSL Certificates.
To quote from Tim Callan’s SSL Blog at http://blogs.verisign.com/ssl-blog/2006/03/a_new_kind_of_ssl_certificate_1.html:
If every Internet user in the world had a browser that recognized the difference between High Assurance SSL Certificates and traditional ones and if every legitimate site used a High Assurance certificate, then phishing as we know it today would essentially be eliminated.
A lofty goal indeed, but one worth striving for.
When visiting a test Banking Site that has an EV SSL Certificate using IE7, the address bar turns green and a new active lock icon appears showing the name of the organization this site claims to be.
The lock icon toggles back and forth also showing the Certificate Authority that issued the certificate.
If the user clicks anywhere in the secured area of the address bar, the identifying EV SSL Certificate popup is green and shows the user information they can use to make the decision to trust this site or not.
As of this writing EV SSL Certificates are not yet available for purchase, but they are expected within very soon as the standard is finalized. Within a year expect all major browsers to support the standard and within another year most e-commerce users will know to watch for the new browser behaviors when making their decisions. I predict some browsers will have settings that will only allow users to visit sites over SSL that use EV SSL certificates.
Educate your organization about the importance of having an EV SSL certificate when they are ready to be issued, and be prepared to meet the much more rigorous standards that will be expected by the Certificate Authority before they issue one. There will likely be a revised Certificate Authority WebTrust auditing standard (usually called CA Web Trust) that CAs will have to pass before they can issue an EV SSL certificate, and CAs will impose much stricter vetting procedures to verify the company or organization requesting the certificate is who they say they are.
Given the concerns on today's Internet around privacy and control over content, every e-commerce or banking site should be prepared to upgrade their SSL Certificates to EV SSL. There's no downside.