Chad Ghosn joins the online furniture retailer from Expedia.
Tim Callan of VeriSign details how high-assurance SSL certificates will give the green light to online buying.
Phishing and other forms of online fraud continue to be a growing problem, impacting online businesses and creating distrust among customers. According to a recent survey by Forrester Research, 84% of respondents-representing more than 119 million adults-believe businesses are not doing enough to protect them and 24% did not make purchases online at all due to security concerns. Security vendors and online retailers have been working tirelessly to bring trust to the Internet, and, as a direct response to the rise in Internet fraud as well as an effort to regain consumer trust and confidence, a new form of SSL certificate, referred to as a “high-assurance” SSL certificate, is due for release later this year.
This new standard is considered the biggest improvement in online trust infrastructure since 1995, when the original SSL standard and its implementation were created. That standard established a secure backbone that enabled the growth of e-commerce, online banking, and many other confidential online business applications as we know them today. It is only in the past few years that online criminals have made large exploits into some of the weaker parts of this secure backbone. The industry is establishing this new high-assurance standard to counter criminal progress and retain the high level of trust that SSL security has earned throughout the ecosystem.
The new certificates will demonstrate that a given site’s identity has been authenticated according to a specific process that the high-assurance standards committee has determined to be reliable based on the measured results of this process, so that consumers can be confident that the site they are connecting to is authentic and safe for shopping. Leading browsers will display these certificates differently than they do traditional SSL certificates, giving the online shopper increased information about the security decisions of the sites they connect to.
The first browser to take advantage of these new SSL certificates is expected to be Internet Explorer 7, which is available in beta release now and due in final release later this year. Consumers will see a distinct change in the browser when accessing a site that has been issued a high-assurance certificate, which will change the color of the address bar to green, the standard computer GUI color for “okay to proceed.” The browser also will display the name of the organization to which the certificate was issued and the name of the SSL certificate authority who issued the certificate (such as VeriSign or Thawte) immediately to the right of the address bar at the top of the browser.
“Standard authentication” SSL certificates will continue to appear in browsers the same way they do today. The address will begin with the letters “https,” and a lock icon will appear in the browser interface. But the address bar will not turn green and will not display the organization name. Site visitors, therefore, will know that the web site is secured by an SSL certificate and their communication with the site is encrypted, but without the green light they won’t expect the same high level of authentication indicated by a high-assurance SSL certificate.
In the absence of a high-assurance certificate, a retailer runs the risk of unnecessary abandonment. And in a competitive situation where one site has high-assurance SSL certificates but others in the same category do not, there’s a real chance of customers migrating away from the sites without the “green bar” in favor of those with one.
A group of leading SSL certificate authorities, or CAs, and browser vendors, is developing a standard practice of certificate validation and method of display. Once the standard is finalized and approved, a CA must adopt the new high-assurance practices and pass an audit by an approved third-party auditing firm in order to be able to issue high-assurance SSL certificates. Internet Explorer 7 already has support for these certificates built into the beta version that’s available for download today, and other leading browsers such as Mozilla Firefox and Opera are expected to support this new standard as well.
Since the new certificates are built upon the existing SSL protocol, they will be 100% backward compatible with browser versions and operating systems released prior to the high-assurance standard. That means retailers will be able to take advantage of the new high-assurance functionality without losing support for a single customer. Visitors using new browsers will get the “green light” while those using older browsers will have the exact same SSL experience they have today.
The browser and the certificate authority control the display of both the certificate’s high-assurance status and the certificate organization’s name. That makes it especially difficult for phishers and counterfeiters to build web sites that will appear to be high-assurance protected. Likewise, the standardized authentication will help ensure that criminals cannot obtain certificates for the sites they are attempting to imitate.
In order to qualify for high-assurance SSL certificates, online retailers will need to demonstrate the following:
l The retailer owns or has the right to use the domain in question.
l The retailer is a legally formed entity doing business under the appropriate name.
l The certificate requestor is in the employ of the retailer.
l The certificate requestor has the authority to obtain this certificate on behalf of the retailer.
There are some things a retailer can do to assist the CA in a smooth and speedy authentication. For example, as part of the industry specification for high-assurance certificates, an officer of the retailer may have to confirm the authority of the person requesting the certificate on the retailer’s behalf. Making sure the necessary officer is available to provide this confirmation can shorten the time required until your organization can begin using these certificates. This officer will have to be listed as an officer in public documents so that the certificate authority can confirm that this authority is validly given.