The yellow security padlock in Web browsers, weakened by lax standards and loose supervision, will get reinforced next year with tougher requirements and browser updates.
The browser icon was designed to show that traffic with a Web site is encrypted and that a third party, called a certification authority, has identified the site and vouches for its validity. But in recent years, standards of verification have slipped, undermining the sense of security implied by the padlock.
To solve that problem, a group of companies that issue the Secure Socket Layer certificates are working with major Web browser makers to develop a new type of "high assurance" certificate. The informal organization, dubbed the CA Forum, has held three unpublicized meetings this year and plans to meet again next year, representatives from the companies involved told CNET News.com.
"We as an industry must look into trust threats," said Melih Abdulhayoglu, chief executive of Comodo, a certification authority based in Jersey City, N.J., that set up the first CA Forum meeting. "You want the padlock to be meaningful. At the moment the value is confused because some providers issue certificates willy-nilly."
The planned new security certificates, allied to Web browser changes, are meant to help rebuild trust in the Web and fight phishing in particular.
The lock icon was designed to assure consumers that online transactions, such as banking and shopping, are protected. As such, it's key to Web commerce, a big business: Forrester Research predicts online retail sales in the United States will grow from US$172 billion this year to US$329 billion in 2010.
The issue has become more urgent with the advent of phishing scams, which use phony Web sites to trick unsuspecting victims into giving up sensitive information. Some phishers have used valid certificates to give their fraudulent sites a sense of legitimacy with a padlock icon.
"The level of identification that certification authorities do today is subject to somewhat broad standards," said Rob Franco, lead program manager for IE security at Microsoft. "In a world where users get phished and sites try to misrepresent themselves, I think it is important to have a new standard with more identity backing."
Behind the padlock
Today's SSL certificates contain an encryption
key, which the certification authority attests belongs to the organization noted
in the certificate. Its task is to verify an applicant's credentials, so that
Web site users can trust the information in the certificates.
Initially, all certificate providers performed thorough checks of applicants before they issued a security certificate for a Web site. Several years ago, however, some providers relaxed their background checks in order to offer cheaper certificates, and the rest of the market followed, industry members said. Some companies will supply a certificate based on little more than a valid e-mail address, for example.
"The problem with a basic certificate is that the level of screening is too low, and the validation method at the browser is not easy enough for average user," said Jim Maloney, chief security officer at Corillian, which provides online banking technology to more than 100 banks, including Wachovia, JP Morgan Chase and Capitol One. Right now, people have to click on the padlock to get more information about who the certificate belongs to.
Global financial institutions lost at least US$400 million in 2004 due to phishing schemes, according to Financial Insights, part of analyst company IDC. Online threats have also instilled fear in consumers. Nearly half of U.S. voters in a survey said fear of identity theft was keeping them from conducting business online, the Cyber Security Industry Alliance reported in June.
Browsers are part of the certification problem. Certificates are regarded as equal by the applications, irrespective of the credentials and practices of the certification authority. All sites with an SSL certificate get the same padlock display.
"Web browsers have not been able to deal with the different kinds of certificates, which meant that it did not matter how strong the verification was by the certification authority, and
Play video
There are currently no comments for this post.