Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extended validation SSL March 2007 Tim Moses (chair, CA / Browser Forum)

Published byJavier Skiffington Modified over 9 years ago

Similar presentations

Presentation on theme: "Extended validation SSL March 2007 Tim Moses (chair, CA / Browser Forum)"— Presentation transcript:

1 Extended validation SSL March 2007 Tim Moses (chair, CA / Browser Forum)

2 © Copyright Entrust, Inc. 2005 Overview Browser security Site authentication The history of SSL Extended validation in the browser Extended validation certificates Not a silver bullet

3 © Copyright Entrust, Inc. 2005 There’s a problem with the Web Gartner reports … From mid-2005 until mid-2006, about 15 million Americans were victims of fraud that stemmed from identity theft –an increase of more than 50 percent from the estimated 9.9 million in 2003 The average loss of funds in a case of identity theft was $3,257 in 2006 –up from $1,408 in 2005 An average of 61 percent of funds were recovered, in 2006 –Down from 87 percent in 2005

4 © Copyright Entrust, Inc. 2005 New Phishing Sites Morgan Keegan/UBS Jul 2006

5 © Copyright Entrust, Inc. 2005 Web vulnerabilities Malicious code HTTP proxy caching Cross-site scripting Man-in-the-middle Site impersonation ISP eavesdropping DNS caching Local area eavesdropping

6 © Copyright Entrust, Inc. 2005 First-party accreditation Self-signed SSL certificate –Trust dialog –Help-desk calls Security toolbar

7 © Copyright Entrust, Inc. 2005 Browser toolbars

8 © Copyright Entrust, Inc. 2005 Third-party accreditation SSL certificates

9 © Copyright Entrust, Inc. 2005 The early years (mid 90s) Threats to the Web –Site defacement –ISP eavesdropping Netscape developed SSL Simple trust indicators –Look for the golden key or padlock to check that you are safe Computer-literate users URL that reflects the name of the organization Common issuing practices –VeriSign Class 3 Although … –There were no strict criteria for the use and management of roots in browsers

10 © Copyright Entrust, Inc. 2005 Mid-life (2000 – 2001) ABA 1 developed PKI Assessment Guidelines Audit profession recognized a need for criteria AICPA 2 & CICA 3 Audit criteria “WebTrust for CAs” Similar standard in Europe : ETSI 4 TS 101 456 Adopted by Microsoft as a requirement for including roots in Windows –Other browser suppliers followed Microsoft’s lead But … –There were serious omissions –Do not specify what identifying information has to be included in a certificate –Or how to validate that that information is correct –Users supposed review CPS 1 American Bar Association 2 American Institute of Certified Public Accountants 3Canadian Institute of Chartered Accountants 4 European Telecommunication Standards Institute

11 © Copyright Entrust, Inc. 2005 The SSL certificate marketplace Rigour (= cost, delay, inconvenience) Price GoDaddy GeoTrust VeriSign Entrust Other CAs: Comodo, CyberTrust, DigiCert, Ipsca, Notaris, QuoVadis, Trustis, XRamp All certificates cause the lock to display Domain-validate certificates Organizationally-validated certificates

12 © Copyright Entrust, Inc. 2005 Trust indicators Yellow address bar Golden padlock

13 © Copyright Entrust, Inc. 2005 Evidence of a problem Domain-validated SSL certificates have been issued to phishing sites User confusion –Does the golden padlock mean I’m secure? –Does SSL provide authentication or just confidentiality?

14 © Copyright Entrust, Inc. 2005 CA / Browser Forum (2005) Major CAs and browser suppliers got together Formed the CA / Browser Forum Objective – Improve trustworthiness of the Web Project to develop certificate issuance guidelines for new browser trust indicators Microsoft has adopted an interim draft of the CABForum guidelines as the criteria for inclusion in their root embedding program

15 © Copyright Entrust, Inc. 2005 IE7 Phishing filter and EV SSL Phishing, Suspected phishing, HTTP, HTTPS, EV

16 © Copyright Entrust, Inc. 2005 IE7 UI details Green address bar Golden padlock Assumed name, registered name and country alternating with the issuer’s name

17 © Copyright Entrust, Inc. 2005 Opera 9

18 © Copyright Entrust, Inc. 2005 The SSL Marketplace - after EV (two points of view) Very high thresholdModerate threshold Conventional SSL EV SSL

19 © Copyright Entrust, Inc. 2005 EV certificate Identified by … –Particular certificate policy identifier Verified contents … –Registered name e.g. ACE Aviation Holdings Inc –Assumed name e.g. Air Canada –Domain name e.g. www.aircanada.com –Place of business address –Jurisdiction of incorporation –Registration number Note: The CA must also retain verified name and contact details for the applicant

20 © Copyright Entrust, Inc. 2005 Verification requirements Legal existence –Government registry Operational existence –Trade accounts –Bank letter –Legal opinion –Accountant’s letter Physical existence –Trade accounts –Site visits Domain name –WHOIS –Practical demonstration

21 © Copyright Entrust, Inc. 2005 Other requirements Revocation –Browsers will check for revocation by default, using OCSP, once “stapling” becomes widely available Identification and authentication of requestor/approver Verification of authority of requestor/approver Warranty by CA to subscribers, users and browser suppliers Errors and omissions insurance

22 © Copyright Entrust, Inc. 2005 It’s no good if users don’t check! EV sites place this graphic on their publicity material, including the Web site The message isn’t ‘if you see green you are safe’ It just reminds the user to check the site identity in the location bar

23 © Copyright Entrust, Inc. 2005 It’s not foolproof – picture-in-picture

24 © Copyright Entrust, Inc. 2005 Conclusion Browser security has significant shortcomings EV SSL represents a dramatic improvement It isn’t foolproof User awareness remains a critical issue Initial marketplace reaction appears positive For more information:- http://www.cabforum.org/

Download ppt "Extended validation SSL March 2007 Tim Moses (chair, CA / Browser Forum)"

Similar presentations

+1 (801) 877-2100 Everything in PKI but the Kitchen Sink (in 30 minutes or less) Jeremy Rowley.

+1 (801) Everything in PKI but the Kitchen Sink (in 30 minutes or less) Jeremy Rowley.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.

HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
Steps to Recover Private Encryption Keys

Steps to Recover Private Encryption Keys
DNS and HTTPs ACN Presentation. Domain Names We refer to computers on the Internet (Internet hosts), by names like: sharda.ac.in These are called domain.

DNS and HTTPs ACN Presentation. Domain Names We refer to computers on the Internet (Internet hosts), by names like: sharda.ac.in These are called domain.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Phillip Hallam-Baker Extended Validation Presentation to ISTTF September 23, 2008 VeriSign/Extended Validation ISTTF Presentation 9/23/2008.

Phillip Hallam-Baker Extended Validation Presentation to ISTTF September 23, 2008 VeriSign/Extended Validation ISTTF Presentation 9/23/2008.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.

The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.
In the CA I trust. A look at Certification Authorities James E. Shearer CSEP 590 March 8 th 2006.

In the CA I trust. A look at Certification Authorities James E. Shearer CSEP 590 March 8 th 2006.
Chapter 10: Electronic Commerce Security. Electronic Commerce, Seventh Annual Edition2 Impact of Security on E-Commerce In 2006 an estimated $913 million.

Chapter 10: Electronic Commerce Security. Electronic Commerce, Seventh Annual Edition2 Impact of Security on E-Commerce In 2006 an estimated $913 million.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition

Similar presentations

Ads by Google