Thursday, February 1, 2007

EV SSL - Was it really necessary?

There is a new security magic solution! It's called Extended Validation SSL certificates.

For me, this is extremely dumb. First, do you really know what kind of security an SSL certificate can provide?

SSL certificates can't provide security by themselves. The certificate's role during an SSL session is to provide a way to verify the identity of the peers, normally only the server's. Certificates are digitally signed by a company that both parties in the communication trust.

What? Who is this 3rd party that I trust? I don't remember saying that I trust anybody to do that!

These companies go through a process that allows their root certificates to be pre-installed in the most widely used browsers on the market. When you install IE or Firefox, for example, you are implicitly trusting these companies to verify the identity of the web sites you access through "https". This is that old "lock picture in the corner" thing: if it's there, it means that the identity of the site you are accessing was verified by one of those companies (well, in fact it's not so simple, you can choose to trust whoever you want, but let's keep it simple). If you click on that lock you will see the digital certificate that the site is presenting to you, with some information about the organization that acquired it.

These companies that you trust are the Certificate Authorities. Before issuing a certificate, they need to check the identity of the organization requesting it for its web site. This verification process varies from one company to another.

That lock thing, however, was not enough to stop phishing sites. So some companies decided to create a "certificate on steroids", called EV-SSL. This new certificate can only be issued by CAs after a more thorough identity verification process, to prevent company A from obtaining a certificate for its site in the name of company B.

Besides that, new browsers show more information about the web site being visited and display the address bar in green. That's nice. A company wanting to use it on its site just needs to replace its current SSL certificate with an EV-SSL certificate, paying an additional fee and going through the verification process.

OK, so EV-SSL brings more security in two ways:

- Better identity verification before the certificate is issued
- More information about the site being visited, presented by the browser
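As an added example (not code from the post), the following Go program shows what those two differences amount to inside the certificate itself: an EV certificate is an ordinary X.509 certificate whose subject names the verified organization and which carries an EV policy identifier, nothing more. It assumes the CA/Browser Forum EV policy OID 2.23.140.1.1, which browsers only adopted later; in 2007 each CA used its own EV policy OID, so a real checker needs a per-CA table.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum EV policy OID. Assumption for this example: 2007-era EV
// certificates carried each CA's own OID, so a real checker needs a per-CA table.
var evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1}

// Identity is roughly what the browser's lock dialog shows about the certificate holder.
type Identity struct {
	CommonName, Organization string
	ExtendedValidation       bool
}

// Inspect reads the subject and looks for an EV policy identifier. EV is only a policy
// marker plus richer subject data; the SSL session is no stronger for it.
func Inspect(cert *x509.Certificate) Identity {
	id := Identity{CommonName: cert.Subject.CommonName}
	if len(cert.Subject.Organization) > 0 {
		id.Organization = cert.Subject.Organization[0]
	}
	for _, p := range cert.PolicyIdentifiers {
		id.ExtendedValidation = id.ExtendedValidation || p.Equal(evPolicyOID)
	}
	return id
}

// MakeTestCert builds a self-signed certificate (a constructed sample, issued by no real
// CA) for cn/org and, when ev is true, adds a certificatePolicies extension with the EV OID.
func MakeTestCert(cn, org string, ev bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: cn, Organization: []string{org}}}
	if ev { // certificatePolicies (2.5.29.32), encoded by hand so it works on any Go version
		val, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{evPolicyOID}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Inspect returns the same organization name for both certificates; only the policy flag differs, which is exactly the piece of data a browser keys the green bar on.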

Hey, did anybody notice that there was no need to create a new kind of certificate (and to make companies pay more) to do that??? Why didn't the CAs just start following stricter verification processes for regular SSL certificates? I bet that if Microsoft started threatening those CAs with removing their certificates from IE's Trusted Root CAs unless they improve their processes, it would have the same effect. That green bar and the extra identity information could be shown for any SSL certificate too.

But then the CAs wouldn't be earning a few hundred bucks from every company with an SSL website...
