DISQUS

Asa Dotzler · 1 year ago

SSL just tells you that the connection between you and that website will be encrypted. It doesn't tell you much about the actual website you're connected to. EvilSite.com can get an SSL certificate for less than $100 with little or not background check. With EV Certs (extended validation certificates) the site must go through a more substantial audit and that audit should give you more confidence that you're connecting to the real PayPal, for example, and not PayyPall (a fictional bad guy site.)

For EV Certs, the issuers must pass an independent audit and they must all follow the same guidelines when issuing an EV Cert:

* Establish the legal identity as well as the operational and physical presence of website owner;
* Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
* Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

This should make it more difficult for the bad guys and give users more information about those who do get issued an EV Cert (their physical address, for example.)

The other issue that's got PayPal concerned (and many others, including Mozilla) is phishing. Firefox has a built in Phishing Protection feature that warns you when you've ended up on a site known to be a phishing site. This is another way that you can know you're at the real PayPal and not PayyPall. IE 7 has a some protection against phishing too.

Safari has many great attributes, but helping users stay safe on the Web of 2008 isn't at the top of that list and I hope they release an update soon that has both EV Certs and some form of phishing protection. They're the third most popular browser and with a user base in the millions, they've got a real responsibility to stay competitive with the leading browsers.

Firefox and IE have both stepped up on this and so should Safari.

- A

Asa Dotzler · 1 year ago

SSL just tells you that the connection between you and that website will be encrypted. It doesn't tell you much about the actual website you're connected to. EvilSite.com can get an SSL certificate for less than $100 with little or not background check. With EV Certs (extended validation certificates) the site must go through a more substantial audit and that audit should give you more confidence that you're connecting to the real PayPal, for example, and not PayyPall (a fictional bad guy site.)

For EV Certs, the issuers must pass an independent audit and they must all follow the same guidelines when issuing an EV Cert:

* Establish the legal identity as well as the operational and physical presence of website owner;
* Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
* Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

This should make it more difficult for the bad guys and give users more information about those who do get issued an EV Cert (their physical address, for example.)

The other issue that's got PayPal concerned (and many others, including Mozilla) is phishing. Firefox has a built in Phishing Protection feature that warns you when you've ended up on a site known to be a phishing site. This is another way that you can know you're at the real PayPal and not PayyPall. IE 7 has a some protection against phishing too.

Safari has many great attributes, but helping users stay safe on the Web of 2008 isn't at the top of that list and I hope they release an update soon that has both EV Certs and some form of phishing protection. They're the third most popular browser and with a user base in the millions, they've got a real responsibility to stay competitive with the leading browsers.

Firefox and IE have both stepped up on this and so should Safari.

- A

Paul · 1 year ago

Hey Asa, thanks for dropping by and commenting. I didn't realise potentially how little a SSL certificate means when it comes to certifying a site is what it purports to be. I almost expected that there was some sort of verification process in the background and I am a bit surprised that there isn't really. Support for EV certificates seems to be a sensible thing for sites that rely on security and want to inspire confidence in their visitors.

Paul · 1 year ago

Hey Asa, thanks for dropping by and commenting. I didn't realise potentially how little a SSL certificate means when it comes to certifying a site is what it purports to be. I almost expected that there was some sort of verification process in the background and I am a bit surprised that there isn't really. Support for EV certificates seems to be a sensible thing for sites that rely on security and want to inspire confidence in their visitors.

Saulk · 1 year ago

As an aside it seems Paypal has changed their ruling on the matter according to this article:
http://www.tuaw.com/2008/04/21/paypal-says-it-w...

Saulk · 1 year ago

As an aside it seems Paypal has changed their ruling on the matter according to this article:
http://www.tuaw.com/2008/04/21/paypal-says-it-w...

eddiepetosa · 1 month ago

If ssl was created to help, now it only makes things harder. I understand why Paypal would adopt this change. They guarantee their users total security. Imagine what would happen if someone got their hands on the Paypal database...