RSA : Microsoft Champions New Antiphishing Technology

Microsoft and industry partners are pushing ahead with plans to make the Web a little safer with a new technology to combat phishing.

At next month’s RSA Conference in San Francisco, the software giant plans to announce that a number of websites have gone through a new certification process designed to make it harder for phishers to spoof them. The process gives third-party certification authorities like VeriSign and Entrust a more stringent set of guidelines to follow when they are authenticating websites.

The result of the process is something called an Extended Validation Secure Sockets Layer (EV SSL) certificate, which can be used by websites to help reassure Web surfers that they are handing over their private information to a legitimate site.

Microsoft is ahead of other browser makers in supporting EV SSL certificates, which will work with Internet Explorer 7 by the end of this month. But for the technology to take off, it must also be widely adopted by websites.

Microsoft plans to show that this is now happening, said Markellos Diorinos, product manager with the Internet Explorer team. “We’re getting more and more names that are going to be supporting Extended Validation, and we’ll be announcing the first ones at RSA,” he said.

Sites that have been EV SSL-certified will look a little different from today’s secure sites, which typically display a small “lock” icon in the Web browser.

When IE hits part of a website that supports the EV SSL standard, there will still be a lock icon, but the address bar will also turn green. Users will also be able to see what country the website is based in and who has certified it. “What this really means is that someone went and made sure that this corporation is in good standing,” Diorinos said.

Websites buy these EV SSL certificates from certification authorities, which in turn follow the website company’s paper trail: making sure it is registered with local authorities, that it has a legitimate address, and that it actually has control over the Web domain in question, for example. In some cases, the certificate authority may even send out a representative to confirm that the business is what it claims to be.

“If you’re a company without a reliable paper trail, you’re not going to get one of these,” said Tim Callan, a product manager with VeriSign’s business unit. “If you’re incorporated, if you’re an LLP, or if you’re a registered charity, you have nothing to worry about.”

VeriSign has been offering EV SSL certificates since Dec. 11, and has more than 300 businesses now going through the certification process. About 20 of them have been issued certificates so far, Callan said.

The certificates are certainly of interest to websites that have been targeted by phishers. Wells Fargo & Co. has helped develop the EV SSL standard, and eBay’s PayPal has recently gone live with EV SSL certificates on its https://history.paypal.com and https://av.paypal.com/ websites.

Still, there are some issues to be worked out.

One unanswered question is whether smaller sites that haven’t been spoofed will be willing to pay for these certificates.

There are also technical questions that have yet to be worked out by the browser makers. For example, how will EV SSL deal with international character types, and how will they deal with two companies in different countries that happen to share the same name?

“There are a lot of open issues,” said Window Snyder, head of security strategy at Mozilla, via instant message. The Firefox team will probably wait until version 3.0 of its browser is released later this year so that these questions can first be addressed, she said.

-Robert McMillan, IDG News Service (San Francisco Bureau)

Related Links:

• After Phishing? Pharming!

• Phishing Scams Increase Dramatically

• The ABCs of Phishing and Pharming

• RSA Conference 2007