Green Address Bar
Some of you may already have seen the “green address bar” in your browser while buying something on the Internet. The version 7 release of Internet Explorer adds support for Extended Validation certificates (EV certs), and pages that are served using these certificates show up with a green address bar as a visual indicator of “additional security”.
The idea behind EV certs is to prevent phishing attacks. Presumably, sites with EV certs will have been vetted by the Certificate Authority (Verisign, Thawte, etc.) to ensure that they are legitimate, incorporated entities with a real-world presence. Newer and future browsers will be able to distinguish between a regular SSL cert and an EV cert by showing a green address bar, among other things. In theory, this gives the consumer an additional visual cue for deciding whether the site they are transacting with is legitimate.
In reality, this only addresses one type of phishing attack: the one in which the rogue site pretends to be a legitimate site by using a similar-looking or similar-sounding domain. For example, someone could register the ebey.com domain, get an SSL cert, and put up a web front that looks like ebay.com. Most of the time, rogue-site operators don’t even get a regular SSL cert from a legitimate Certificate Authority. They use what is called a self-signed certificate (anyone can sign a certificate for any name, since no CA is involved). This causes the browser to first ask the user whether the site should be trusted. Most users click “OK”, and then they see the golden lock in their address bar, which they have been trained to read as “everything is fine”, even though the address bar says “ebey.com”.
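To make the distinctions in the two paragraphs above concrete, here is an added example (shell with openssl, not code from the original post). It builds three constructed certificates: a self-signed cert for ebey.com with no CA behind it, and two certs issued by a throwaway private CA, one of which carries the CA/Browser Forum EV policy OID 2.23.140.1.1. It then applies the checks an EV-aware browser makes before deciding whether to show a warning dialog, a plain lock, or a green bar. The hostnames, the private CA and the files under $WORK are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed certificates only:
# the CA, the hostnames and every file under $WORK are demo assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
# Extensions for the "EV" leaf: the policy OID EV-aware browsers look for.
printf 'certificatePolicies=2.23.140.1.1\n' > "$WORK/ev.cnf"
# Extensions for an ordinary CA-issued leaf with no EV policy.
printf 'basicConstraints=CA:FALSE\n' > "$WORK/dv.cnf"

q() { "$@" >/dev/null 2>&1; }   # run openssl quietly

# A throwaway private CA standing in for Verisign, Thawte, etc.
q openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -days 2 -subj "/CN=Demo Root CA"
# The phisher's self-signed certificate for ebey.com: no CA involved at all.
q openssl req -x509 -config "$WORK/openssl.cnf" -extensions leaf_ext \
    -newkey rsa:2048 -nodes -keyout "$WORK/ebey.key" -out "$WORK/ebey.pem" \
    -days 1 -subj "/CN=ebey.com"
# One CSR, signed twice by the CA: once with the EV policy OID, once without.
q openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=shop.example"
q openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ev.cnf" -out "$WORK/ev.pem"
q openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/dv.cnf" -out "$WORK/dv.pem"

# Self-signed: the certificate names itself as its own issuer. Anyone can make
# one, so by itself it proves nothing about who runs the site.
is_self_signed() {
    [ "$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//')" = \
      "$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')" ]
}

# Chains to a trust anchor: the check that decides between the "do you want to
# trust this site?" dialog and the golden lock.
chains_to_ca() {   # $1 = cert, $2 = CA bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# EV: the cert carries the EV policy OID, which is what an EV-aware browser
# needs before it will turn the lock into a green bar.
has_ev_policy() {
    openssl x509 -noout -text -in "$1" | grep -q '2\.23\.140\.1\.1'
}

# Mirror the browser's decision. Prints: self-signed, untrusted, ev or dv.
classify() {   # $1 = cert, $2 = CA bundle
    if is_self_signed "$1"; then echo self-signed
    elif ! chains_to_ca "$1" "$2"; then echo untrusted
    elif has_ev_policy "$1"; then echo ev
    else echo dv
    fi
}

for c in ebey ev dv; do
    echo "$c.pem: $(classify "$WORK/$c.pem" "$WORK/ca.pem")"
done
```

Two things the script makes visible. First, ebey.pem is rejected at the very first check, and would also fail the chain check against ca.pem; the only reason the attack works is that the browser lets the user override that result with one click. Second, ev.pem and dv.pem are signed by the same CA for the same name and are equally "secure" on the wire; the only difference is one policy OID, which is exactly why a green bar says something about the vetting process and nothing about the site's actual security. Note that a root CA is itself self-signed, so "self-signed" is a red flag for a site certificate only; the real question is always whether the chain ends at something the client already trusts.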
Another attack is to show a .jpg image of a browser window inside a popup window. To the untrained eye, this is indistinguishable from an actual browser window. At that point, the attacker can Photoshop in the golden lock, and even the green address bar, to fake the presence of an EV certificate.
Security is an arms race, and hackers will always find a way around the system. More often than not, successful attacks work on a psychological and social level rather than by breaking state-of-the-art technology.
As to whether an e-commerce website should start using EV certificates, I think the market will decide. It’s ridiculous to insinuate that a site using an EV certificate is more secure, for the reasons mentioned previously. However, browsing habits do change over time, so if people get used to looking for that green address bar before clicking the “buy” button, then all arguments regarding security are moot.
My personal opinion, having spent years in the digital certificate industry, is that EV certs are a great way for Verisign et al. to extract more revenue from online merchants. After all, EV certs cost around $2500 per year. If you’re making a profit of $25 per bottle, you’d have to sell 100 more bottles just to recoup the cost of the EV certificate. Clearly, this is not an option for a lot of boutique wineries.