Before a retailer can order an SSL certificate, it must submit a certificate signing request, or CSR. The CSR must state exactly how the retailer wants its name to appear in the browser interface, including accurate capitalization and the correct use of suffixes such as Inc. or Ltd. For instance, a merchant might officially use the name Buy Lotsa Stuff, Inc., but market itself under the name Buy Lotsa Stuff. In that case, it’s important to make sure that the CSR contains the business name as “Buy Lotsa Stuff” as opposed to “Buy Lotsa Stuff, Inc.” or “Buy lotsa stuff” or even “BUY LOTSA STUFF.” All these versions would be acceptable representations of the merchant’s name by the standards of the high-assurance specification, and the certificate authority would be able to issue the high-assurance SSL certificate. On the other hand, only one of them represents the specific brand this retailer has decided to show to the public. That’s the brand the retailer should make sure appears in the browser.
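As an added example (not from the article or from any CA's tooling): a small Python check, run over constructed CSR subject strings in RFC 4514 form, that flags an O= field a CA would still accept for the legal entity but that is not the exact brand string the retailer wants shown. The list of corporate suffixes it strips and the sample subjects are assumptions for illustration.

```python
"""Flag CSR Organization (O=) values that pass validation but are not the brand
the retailer wants displayed (case or suffix differs from the intended string)."""
import re

# Assumed suffix list for this example; extend for other jurisdictions.
SUFFIX_RE = re.compile(r",?\s*(inc\.?|ltd\.?|llc|corp\.?)$", re.IGNORECASE)


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514-style DN such as 'O=Buy Lotsa Stuff\\, Inc.,CN=host'
    into {attr: value}, honouring backslash-escaped commas inside values."""
    attrs, cur, i = {}, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends the RDN
            _store(attrs, "".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    _store(attrs, "".join(cur))
    return attrs


def _store(attrs: dict, rdn: str) -> None:
    key, _, val = rdn.partition("=")
    if key.strip():
        attrs[key.strip().upper()] = val.strip()


def _normalize(name: str) -> str:
    """Loosen the name the way validation would: drop suffix, ignore case."""
    return SUFFIX_RE.sub("", name).strip().lower()


def classify_org(org: str, brand: str) -> str:
    """'exact' if O= is the brand verbatim, 'acceptable-but-wrong' if it only
    differs by case or entity suffix (a CA could still issue), else 'mismatch'."""
    if org == brand:
        return "exact"
    if _normalize(org) == _normalize(brand):
        return "acceptable-but-wrong"
    return "mismatch"


def check_csrs(subjects: list, brand: str) -> dict:
    """Classify the O= field of every CSR subject against the intended brand."""
    return {s: classify_org(parse_dn(s).get("O", ""), brand) for s in subjects}


BRAND = "Buy Lotsa Stuff"
SAMPLE_SUBJECTS = [  # constructed sample subjects, one per server
    "O=Buy Lotsa Stuff,CN=www.buylotsastuff.com",
    "O=Buy Lotsa Stuff\\, Inc.,CN=checkout.buylotsastuff.com",
    "O=BUY LOTSA STUFF,CN=images.buylotsastuff.com",
    "O=Buy Lotsa Stuf,CN=api.buylotsastuff.com",
]
```

Run `check_csrs(SAMPLE_SUBJECTS, BRAND)` before submitting CSRs; anything other than `exact` means the browser would show a name the retailer did not choose.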
One problem in particular can come about if a retailer has multiple certificate types deployed across a site simultaneously. Often businesses stagger their certificate validity periods across servers to reduce the risk of downtime. In the case of a visible security upgrade like a high-assurance SSL certificate, however, this presents what can be called the Tuesday-Wednesday problem.
Say BuyLotsaStuff.com is a fairly sizable e-commerce site with multiple servers providing different parts of the service. If it pursues a staggered deployment of certificates across those servers, there will be a period during which some servers present high-assurance SSL certificates and others do not.
If a visitor comes to the site on Tuesday and winds up on one of the servers with a high-assurance SSL certificate, she’ll receive a green light in her browser, know she’s on the right site and feel confident enough to make a purchase. But say she then puts something in her shopping cart and decides to wait until the following day to make a purchase. When she returns on Wednesday to finish her transaction, she winds up on a different page that does not yet have a high-assurance SSL certificate. Without the green light in her browser, she may think the site has lost its high-assurance status and abandon her purchase.
As adoption of high-assurance-enabled browsers increases, the magnitude of the Tuesday-Wednesday problem will also increase. In particular, when Windows Vista comes out of beta early in 2007 and becomes the default operating system on all new personal computers, it will contain IE7 as its installed browser, and at that time adoption rates should increase dramatically. Other leading browsers such as Firefox are also likely to take advantage of these certificates, so businesses should transition their public-facing servers over to high-assurance SSL as soon as they can.
High-assurance SSL certificates are the next step in combating the activities of phishers and other cybercriminals and will offer a fundamentally new and better browsing experience for online shoppers. As these certificates become visible on banks, top e-commerce sites, and other sites that lead the way in online security, online shoppers will expect to see them on all sites. Online retailers who do not participate with these new high-assurance SSL certificates will miss out on the opportunity to increase customer confidence and sales.
Tim Callan is director of product marketing for VeriSign Inc.