[x]Blackmoor Vituperative

Monday, 2006-12-18

High Assurance SSL

Filed under: Security,The Internet — bblackmoor @ 17:49

Apart from the actual security provided by digital certificates in a Web environment, in terms of encryption of data and authentication of participants, they are meant to be a confidence-boosting measure.

That little lock icon in the browser and the “https” in the address tell the user that the communications are secure. Users can also click through some dialog boxes linked from the icon to see specifics of the certificates for the site they are viewing and make a decision about the authenticity of that site. Of course, 99% of users never do any such thing, and probably very few even notice the relatively obscure lock icon.

Even the value of the lock icon has been diminished lately. There have been recent examples of scammers obtaining a certain kind of SSL certificate, called a domain-authenticated SSL certificate, that can be obtained with very little in the way of verification of the bona fides of the applicant. Even if the user takes care to look for the lock symbol, he or she can be fooled by such a certificate.

A new standard hopes to address this situation with a new class of certificate. Some reports indicate that the final official name for these certificates will be “Extended Validation,” but they are more widely known as “High Assurance” SSL certificates.

(from IIS Zone, High Assurance SSL)