by Paul Kerstein

Browser Makers to Give Trusted Sites a Green Look

Nov 23, 2005 · 4 mins

Developers of four of the most widely used Internet browsers have agreed to make a number of changes to their products to make Web browsing a more secure and trustworthy experience.

Among the changes, which were informally agreed to during a recent meeting, are plans to create a new way of informing Web surfers that they are visiting a trusted Web site and major changes to the look of pop-up windows.

Developers representing the Internet Explorer, Firefox, Opera and the Konqueror browsers had been discussing ways to combat phishing and improve security in their products for about eight months, but they agreed to the new ideas during a meeting held in Toronto on November 17, according to George Staikos, president of Staikos Computing Services Inc., and a Konqueror developer.

The most noticeable change will be in the way that certain high-profile Web sites are displayed. Developers would like to make the browser’s address bar turn green when browsers are visiting popular Web sites like or, much in the same way that the Firefox address bar goes yellow and displays a padlock when visiting a secure Web site.

The green address bar will contrast with the red address bar that Internet Explorer (IE) 7’s Phishing Filter will display on known and suspected phishing sites.

To make this happen, developers would introduce a new, and as yet undetermined, more rigorous way of creating digital certificates. Digital certificates are a kind of electronic identification card used by Web sites to prove that they are, in fact, who they claim to be. They are issued by “certification authority” companies, including Verisign Inc. and EnTrust Inc.

Developers at the Toronto meeting agreed to create a way of making a new type of “high assurance” certificate, said Staikos. “We want to create a stronger identity mechanism for sites that require a stronger identity,” he said. “We need to be able to tell the users, ‘Yes, you’re actually at your bank,’ as opposed to, ‘You’re at a site that looks like it might be your bank and you’re using encryption.’”

Current digital certificates are supposed to reassure users, but that trust is undermined by the fact that these certificates can be fraudulently obtained, Staikos said. “There have been organizations in the past that have abused the system,” he said. “It’s not widespread yet, but we know it’s not hard to abuse.”

Developers from the Mozilla Foundation, which develops Firefox, and Microsoft Corp. endorsed the concept. “This is pretty much a theoretical idea at this point, but something that would be interesting from a browser point of view,” wrote Mozilla developer Frank Hecker, in an e-mail interview.

“We want to take the experience in the address bar a step further and help create a positive experience for rigorously identified HTTPS (HyperText Transport Protocol Secure) sites,” wrote Microsoft developer Rob Franco in a post to Microsoft’s Internet Explorer blog.

Franco has posted examples of how these Web sites might appear in the upcoming IE7 browser on the blog.

In addition to the green background, IE would show the name of the company being visited along with the name of the certificate authority that vouched for the Web site, Franco wrote.

Developers in Toronto also agreed to no longer allow pop-up windows to be displayed without an address bar or a status bar, making it harder for them to be mistaken for other types of Windows messages, Staikos said. “You’ll always know that a window belongs to a Web browser,” he said.

Internet Explorer will adopt this practice in IE7 and, like Firefox, it will show a lock icon in the address bar when it is viewing secure Web sites, Franco wrote.

There is much work to be done before the new types of certificates will be broadly adopted, but with the idea approved, at least in concept, by the browser makers, Staikos was confident that it would also be picked up as a profitable new product for certificate authorities. “If we provide a facility for this, I think it would be downright silly for companies not to jump in and start issuing these things,” he said.

But it’s still going to be a while before IE or Firefox users are seeing green, he said. “I would not be surprised if it takes at least a year and a half.”

Additional information concerning the Toronto meeting can be found at:

By Robert McMillan – IDG News Service (San Francisco Bureau)