EV Certificates and Web 2.0 Security
Computer Weekly posted about Web 2.0 security. Particularly interesting is how EV SSL certificates can help deter phishing: "We have also introduced, and believe it should become an industry standard, extended validation SSL certificates (EVSSL). This will work with the user's browser to allow them to know when they are on a validated site, by showing them a green URL bar," says Greer.

The EVSSL initiative has been driven by Verisign since a 2006 Harvard/UC Berkeley study showed that 90% of consumers could not tell the difference between a website and its fraudulent counterpart. Such knowledge is essential to prevent phishing, which remains a constant threat. But Web 2.0, with its asynchronous scripting, can make phishing much harder to detect. "By just browsing to a website you have got something running. We started shouting warnings about phishing and cross site scripting being used together, and, lo and behold, a bank was phished with an XSS attack," said Munro.

Munro is referring to January's Banca Fideuram attack, which was the first XSS-phishing attack to run on a bank's own website, using a genuine SSL certificate, making it very difficult for the user to know the login screen was fraudulent. "Sadly, I think EVSSL is an irrelevance, and will probably just accelerate the use of XSS in phishing attacks, as conventional phishing attacks become less effective as a result of EVSSL," says Munro.

This is no reason, of course, not to make it difficult for standard, non-XSS phishers. "Research indicates that EV is definitely effective as a deterrent against phishing, and companies have every reason to take advantage of EV to combat phishing," says Tim Callan, vice-president of product marketing at Verisign. "Companies can also take steps to protect their sites against XSS, and they should go ahead and do that as well," says Callan.

Can Web 2.0 cope with second class security? - [ComputerWeekly.com]