June 20, 2007

CA-Browser Forum Finalises Extended Validation Certificates

The CA-Browser Forum, a group of leading Certificate Authorities and web browser developers, has approved the first version of Extended Validation certificates for use with web browsers and other applications to certify a higher level of identity verification. This is a great step forward for security and trust on the web, and KDE is proud to have been a part of the process from the beginning to the end.

Comments

Thanks for your efforts. I remember when this all started and when the forum was created. Needless to say we're glad to have you around.


By Thiago Macieira at Wed, 2007/06/20 - 5:00am

Although I appreciate that there is an open process for defining security certificates, this won't improve the current situation with SSL in real life (phishing etc.).

Why that?

1. Usability:

Current web browsers inform you with a dialog box if you enter a web site with a valid certificate ("This web site has a valid certificate signed by foobar. [OK] [Don't show this again]"). There is also a dialog box on self signed certificates "This web site doesn't provide a trusted certificate. [Continue] [Cancel]")

What does an average user "see" in both cases? "Oh yawn yet another nasty dialog box with some harmless useless info text. I want to get my work done. I click on every OK/Continue without reading."

So please, under any circumstances, NEVER EVER show "info dialog boxes" in a browser unless the user explicitly requested one (for example, only an explicit right click on the URL bar gives you some information about a certificate).

2. "Valid" SSL certificates aren't widespread enough:

How many users want their private web site secured via SSL but simply don't want to spend a lot of money on Verisign and friends for something they can create on their own?

A lot. Probably everyone knows a web site of a friend or even pages of non-commercial authorities (university web sites, not-for-profit organisations...) that provide self-signed certificates which tell you: "Hey, I am trustworthy; click on "continue" and everything is fine". So in daily life you very often get the "invalid certificate" warning in cases where everything is fine. So when you click 100 times on continue, you automatically will do this (by routine) in the dangerous 101st case. EV certificates will improve NOTHING in that aspect.

There is an easy solution made from private people for the people: CA-Cert.

But not a single browser supports it. Why? Because CA-Cert cannot be made legally responsible for damage by harmful people that tricked them, and because SSL is confused with some imaginary Fort Knox security.

Please stop dreaming of imaginary Fort Knox security, start doing real world security. Supporting CA-Cert is something which will improve real world security on SSL pages dramatically. And even furthermore: importing CA-Cert's root certificate by default into browsers will secure and strengthen the business of Verisign and friends, because SSL in general will "start working" in daily life.


By Arnomane at Wed, 2007/06/20 - 5:00am

they did say "a great step forward" not "the final piece of the puzzle".

both the problems you note are real; in fact, i think the solutions to each are linked:

with better UI (e.g. one that is simultaneously more expressive and less modal) we might be able to start to provide feedback on varying levels of security, allowing for "less trusted but better than no signer" groups like ca-cert to play in the game.

this is, btw, why microsoft has been moving to putting more information in the toolbar (harder to fake, easier to see, less in the way)

still, the new certs are an improvement of one aspect of things and thus should be accepted as such. it's very cool that we were able to have a part in this process and that we were perceived as an equal player at this level.


By Aaron Seigo at Wed, 2007/06/20 - 5:00am

I didn't criticize EV certificate advocates for claiming to have the final piece of the puzzle, I did criticize EV certificates for being wasted money if not a lot of other more important steps are done in advance.

The concepts for UI improvements with regard to security are luckily solved in a similar fashion by all common browsers and I'm thankful to your great UI work (technically and in meetings with different browser vendors).

I interpret your answer '"less trusted but better than no signer" groups like CA-Cert to play in the game' as being connected to EV certificates. I don't have a good feeling with the opinion that CA-Cert necessarily is less trustworthy than a company like Verisign, and now that there is a better EV certificate available one can degrade the common SSL certificates and let the dirty CA-Certs join by default without harm. I bet a large group of Free Software people will disagree with that view.

IMHO this is not about less trustworthy against more trustworthy: It is about two different security models: Central authority versus web of trust (CA-Cert brought web of trust to SSL, which originally was designed for central authority model only). Whom you trust more is highly depending on your personal beliefs and philosophy.

So I'd advocate for something more honest and less biased:
* By default, neutral small UI differences for central auth and web of trust security (for example URL colour), but do not make the one or the other more complicated to deal with by default (like an extra dialog box or whatever).
* User-definable UI schemes for different security models and different Root CAs (I bet quite some people will like to be able to configure the URL bar red in case they come across a Verisign certificate ;-). This will also help companies *a lot* in order to customize browsers to their own internal web security guidelines.
* And furthermore this is not only about browsers. Such a concept should also be considered for example at Email programs. There you also have the two security concepts (S/MIME vs. OpenPGP/MIME). And of course keyring applications like KGPG already show you a possibility of user customizable trust.


By Arnomane at Thu, 2007/06/21 - 5:00am

Watch George Staikos's talk about browser security from Akademy last year. Web browser developers do know about the issues you are raising, but they aren't necessarily easy to solve.


By Paul Eggleton at Wed, 2007/06/20 - 5:00am

It's great to see KDE involved in making decisions that will help shape the future of the Internet! I'm just wondering if there are any plans to incorporate this technology into KDE 3 or if we will have to wait for KDE 4 to be released. I know that 3.5.7 has been announced as the final update for KDE3, but will that mean Konqueror will be the last browser to support the new certificates or will the other browsers take just as long?


By Ian at Thu, 2007/06/21 - 5:00am

Can someone explain in brief what it means to a layman like me. I know how current SSL certificates work. What changes will the Extended Validation certificates make?


By Anonymous at Fri, 2007/06/22 - 5:00am

EV certificates aren't brand new technology, technically they are as secure as normal SSL certificates.

The biggest difference is that you can only get such a certificate after you have met many more requirements than are currently needed for obtaining signed SSL certificates from a central authority.

Some technical differences are a special flag so that new browsers can distinguish EV certificates from other SSL certificates and some additional information embedded into the certificate.

See also: http://en.wikipedia.org/wiki/Extended_Validation_Certificate


By Arnomane at Fri, 2007/06/22 - 5:00am
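The "special flag" mentioned in the comment above is, concretely, a policy OID carried in the certificate's X.509 certificatePolicies extension (OID 2.5.29.32); a browser treats the certificate as EV only when that OID appears on the list of EV policy identifiers it ships. The following is an added example, not code from the original page, from KDE or from Konqueror: a small DER encoder/parser for that extension value, plus the browser-side membership check. The EV table, the hypothetical CA arc 1.3.6.1.4.1.99999.*, and the sample extension bytes are constructed for this illustration (2.23.140.1.1 is the CA/Browser Forum's own EV identifier, assigned after this thread; 2.16.840.1.113733.1.7.23.6 is VeriSign's EV policy OID of the period).

```python
# Added example, not code from the original page, KDE or Konqueror.
# A browser recognises an EV certificate by a policy OID in the X.509
# certificatePolicies extension (OID 2.5.29.32), matched against a list of
# OIDs it has agreed to treat as EV. The sample bytes below are constructed.

EV_POLICY_OIDS = {
    # Assumption: the kind of table a browser ships. 2.23.140.1.1 is the
    # CA/Browser Forum's own EV identifier (assigned after this thread);
    # the second entry is VeriSign's EV policy OID of the period.
    "2.23.140.1.1": "CA/Browser Forum EV",
    "2.16.840.1.113733.1.7.23.6": "VeriSign EV",
}


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _base128(value: int) -> bytes:
    """Big-endian base-128 with continuation bits, as OID arcs require."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER; the first two arcs share one subidentifier."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    return der(0x06, b"".join(_base128(s) for s in subids))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid, given the OID's contents octets."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos -> (tag, contents, next_pos); fails closed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def policy_oids(ext_value: bytes) -> list:
    """policyIdentifier OIDs of a certificatePolicies value
    (SEQUENCE OF PolicyInformation; qualifiers after each OID are skipped)."""
    tag, seq, end = read_tlv(ext_value)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        itag, oid_body, _ = read_tlv(info)
        if itag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


def build_certificate_policies(oids) -> bytes:
    """Construct a certificatePolicies extension value for test data."""
    return der(0x30, b"".join(der(0x30, encode_oid(o)) for o in oids))


def ev_issuer(ext_value: bytes):
    """Name of the matched EV programme, or None. A malformed extension
    is treated as 'not EV' rather than as a reason to show the EV UI."""
    try:
        for oid in policy_oids(ext_value):
            if oid in EV_POLICY_OIDS:
                return EV_POLICY_OIDS[oid]
    except ValueError:
        return None
    return None


# Constructed sample extension values; 1.3.6.1.4.1.99999.* is a hypothetical CA arc.
EV_EXTENSION = build_certificate_policies(["1.3.6.1.4.1.99999.1", "2.23.140.1.1"])
PLAIN_EXTENSION = build_certificate_policies(["1.3.6.1.4.1.99999.2"])

if __name__ == "__main__":
    print("EV:", ev_issuer(EV_EXTENSION))       # CA/Browser Forum EV
    print("plain:", ev_issuer(PLAIN_EXTENSION))  # None
```

Two points worth noting for anyone reproducing the check in a real client: the EV decision is only meaningful after the normal chain validation has succeeded, since the OID is just an assertion by the issuer, and the lookup should be keyed per root (the same OID under an unrecognised root must not light up the EV indicator). The parser deliberately raises on truncated or oversized lengths instead of reading past the buffer, and `ev_issuer` maps every parse error to "not EV".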