Web business faces a crisis in confidence. Trust in site security is declining, and in increasing numbers consumers are scaling back their online transactions—or opting out entirely. Starting early in 2007, online companies will be able to definitively demonstrate their identity to customers—and customers will be able to confirm this identity before trusting sites. This opportunity comes as a result of the greatest development in the Web’s secure backbone in over 10 years. It is the introduction of a new kind of SSL Certificate, the first since the technology’s origin more than a decade ago.
W H I T E PA P E R
Maximising Site Visitor Trust Using
Extended Validation SSLW H I T E PA P E R
C O N T E N T S + The Erosion of SSL's Identity Promise 3
+ Introducing Identity Visitors Can Trust 4Internet Explorer 7: Green for Go 4
+ How Extended Validation Works 7
+ EV Upgrader Extends Protection to Windows XP Clients 8W H I T E PA P E R
Web business faces a crisis in confidence. Trust in site security is declining, and inincreasing numbers consumers are scaling back their online transactions-or optingout entirely. According to Forrester Research on December 8, 2005, an astonishing24 per cent of Internet users reported that they would not be shopping online thatholiday season because they did not feel safe. A full 61 per cent reported that they hadat least reduced online purchases for the same reason. While this phenomenon has beenmasked by the overall increase in online activities like banking, trading securities, andfiling taxes, the fact remains that many online retail businesses are less effective thanthey could be and are leaving money on the table.Starting early in 2007, online companies will be able to definitively demonstrate theiridentity to customers-and customers will be able to confirm this identity before trustingsites. This opportunity comes as a result of the greatest development in the Web'ssecure backbone in over 10 years. It is the introduction of a new kind of SSL Certificate,the first since the technology's origin more than a decade ago.These new certificates are called Extended Validation (EV) SSL Certificates, and theyrepresent more than a year's effort by the CA/Browser Forum, an industry consortiumof leading Web browser manufacturers and SSL certification authorities (CAs) suchas VeriSign. Starting late in 2006, members of the CA/Browser Forum have made thesenew certificates available for the benefit of Web businesses and site visitors alike. Thecertificates can facilitate online commerce in all its forms by increasing visitor confidencein legitimate sites and greatly reducing the effectiveness of phishing attacks.
The Erosion of SSL's
Identity Promise
Ask your typical online shopper what the little lock icon on her Internet browser means,and she will tell you it means that transmissions are encrypted and therefore protectedfrom spying eyes. While that is technically correct, it is not all that the original pioneersin e-commerce intended it to signify.The original purpose of SSL Certificates was to validate the identity of a site when auser connected to it. That is because although it is difficult to mimic physically theidentity of a business, it is quite easy to mimic one online. The industry understood thisprinciple as early as 1995 and therefore invented SSL Certificates. The creators intendedthe certificate to vouch for site identity and therefore protect online shoppers fromscams. In the beginning the identity promise of a standard SSL Certificate was enough.Today, however, it is not. The widespread use of the Web by laypeople with no speciallevel of computer education-combined with the low visibility of the lock icon on popularbrowsers-have made it possible for phishing to become the phenomenon we see today.Despite original intentions, traditional SSL Certificates are not the solution. While someCAs do a very good job of authenticating identity, others do very little or employ easilyfooled practices. A site can even use a self-signed SSL Certificate with no identity authenticationwhatsoever. In the second half of 2005 online users began to see large scale phishingattacks that used low authentication, "soft-target" SSL Certificates to further the illusionof legitimacy.
3W H I T E PA P E R
Introducing Identity Visitors
Can Trust
For SSL Certificates to reclaim their authority as a source of site identity information forvisitors, industry leaders needed to shore up two weaknesses in the existing system. First,the industry needed a new category of SSL Certificate that carries a high level of promiseregarding a site owner's identity. Then it needed a browser interface that makes it easy forusers to see that identity when it is known-and recognise when it is not. These newcertificates are the EV SSL Certificates mentioned previously. Some users also refer to themby their working name, which is High Assurance (HA) SSL Certificates. These differ fromgeneric "high assurance certificat... [download for more]
