Positive Indicators


Phishing attacks seldom use SSL certificates for their fake sites resembling Paypal, eBay or whatever, because the sites look just as good without one. So far this apparently worked fine because a somewhat careless user simply doesn’t pay attention to the microscopic indicators the browsers used to give us in the past. Well, that’s perhaps an overstatement, but we learned that these attacks seem to work very well, because there were not enough prominent indicators to make a user aware that a site is not secured and that the site isn’t even the one it is thought to be. I’ve complained in a previous article that the address bar in Firefox could look like this:

Firefox 3 Plain Text Mode

Or like this:

Firefox 3 Spoof Mode

Or like this:

Firefox 3 SSL Mode

Would anybody pay attention if a site suddenly lost the SSL status shown above? Many would not - and depending on the circumstances the others wouldn’t either.

Luckily Mozilla decided to make the secured sites indicators more prominent in the upcoming 3.5 version of Firefox. More than that, the base domain is going to be highlighted in order to give even more clues:

New SSL indicator in Firefox version 3.5

Should there be no indicator on a site which is usually secured, something prominent goes missing. This makes it harder to fool an unsuspecting visitor. It also helps to distinguish and understand what the parent domain name is when considering a URL like https://www.paypal.com.cgi-bin.webscr.cmd.fake.com?_login-run. The base domain, prominently displayed in blue, would be fake.com and not paypal.com.
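To show what the highlighting computes for that URL, here is an added example (not code from this post or from Mozilla) that extracts the base domain the way an address bar would: it walks the host labels against a public suffix list and returns the suffix plus one label. The suffix list is a constructed subset of the real Public Suffix List, and the function names are mine.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org), just enough
# for the examples below; a real implementation loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def base_domain(url: str) -> Optional[str]:
    """Registrable domain of URL: the public suffix plus one label.

    This is the part Firefox 3.5 highlights in the address bar. Returns None
    when there is no usable host name (no scheme, IP literal, bare suffix).
    """
    host = urlsplit(url).hostname
    if not host or ":" in host or host.replace(".", "").isdigit():
        return None
    labels = host.rstrip(".").split(".")
    # Check candidate suffixes from longest to shortest so "co.uk" beats "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Unlisted TLD: the list treats it as a public suffix on its own.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def split_host(url: str) -> Optional[Tuple[str, str]]:
    """Split the host into (subdomain part, base domain): the address bar
    dims the former and highlights the latter."""
    base = base_domain(url)
    if base is None:
        return None
    host = urlsplit(url).hostname.rstrip(".")
    prefix = host[: -len(base)].rstrip(".")
    return prefix, base


def brand_outside_base(url: str, brand: str) -> bool:
    """True when BRAND (e.g. "paypal") appears as a subdomain label but not in
    the base domain: exactly the pattern the highlighting is meant to expose."""
    parts = split_host(url)
    if parts is None:
        return False
    prefix, base = parts
    return brand in prefix.split(".") and brand not in base.split(".")


if __name__ == "__main__":
    for u in ("https://www.paypal.com.cgi-bin.webscr.cmd.fake.com?_login-run",
              "https://www.paypal.com/cgi-bin/webscr"):
        print(u, "->", split_host(u), "| brand outside base:", brand_outside_base(u, "paypal"))
```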

Actually Paypal would of course show the green EV UI, which is an even more prominent indicator than the one above. The best thing about EV SSL certificates is that StartCom started to issue EV certificates as well - and for reasonable fees! The goal of StartCom is to make them affordable even for smaller on-line businesses - and with it give their visitors the same protection as with the big calibers.

StartCom EV SSL

Soon StartCom’s own web sites will trigger the EV UI in most browsers. Check out StartCom’s beta program for Extended Validation certificates should you be interested in protecting your site with an EV SSL certificate as well. More power to the positive indicators on the web!
