
Verisign touts EV SSL features in Firefox 3 and IE 7

Interview confirms Skybox shenanigans, says it'll act on it
Friday, 7 December 2007, 10:29

LAST WEEK we reported about a web site displaying the Verisign seal yet apparently using no SSL encryption to handle customers' entry of credit card data. Here, Verisign confirms the site's wrongdoing and says what it will do about it.

After our story went live, Tim Callan, Director of Product Marketing at Verisign, got in touch with us through its PR firm Weber Shandwick. He explained the inner workings of seal misuse reports, confirmed the irregular situation at the Skybox site, and told us what mechanisms are in place to verify SSL certificates and how IE 7 and Firefox 3 support "Extended Validation" SSL certificates.

Callan first told the INQUIRER that VeriSign "receives thousands of seal misuse reports each month" and that "99 per cent of them are false reports, some obviously so and some only after investigation".

Asked about the Skybox case in particular, he said "You are correct that the Skybox site does not use any SSL at all, collects information that should be protected by encryption, and displays a counterfeit version of the VeriSign Secured Seal. We are not okay with that, and our anti-fraud team has begun a case against this site."

He explained what consumers should do when they spot a Verisign seal on a web page: click on it, and it should take you to a Verisign page showing information about the site and its certificate. "If you click on any legitimate seal, you will see a verification page with the name and location of the company that owns the site. Visitors can confirm that this page is from VeriSign by checking the URL of the verification page, which should start with https://seal.verisign.com," said Tim, who highlighted the firm's Consumer Education site available over here.
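An added example, not part of the original article and not VeriSign code: the "should start with https://seal.verisign.com" check only holds if the URL is parsed and its scheme and host are compared exactly, because a plain prefix match also accepts lookalike hosts. The function names and the sample URLs (on reserved example domains, with made-up paths) are constructed for illustration.

```javascript
// Added example: strict check of a seal verification page URL.
// EXPECTED_HOST is the host named in the article; everything else is assumed.
const EXPECTED_HOST = "seal.verisign.com";

// What "starts with" means if taken literally: a string prefix test.
function naivePrefixCheck(raw) {
  return raw.startsWith("https://" + EXPECTED_HOST);
}

// Parse first, then compare scheme and host exactly.
function checkSealUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // Text before "@" is login info, not the host the browser connects to.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo present before host" };
  }
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: "host is " + url.hostname };
  }
  return { ok: true, reason: "https on expected host" };
}

// Constructed sample URLs; none are taken from the article.
const SAMPLES = [
  "https://seal.verisign.com/constructed-path?site=shop.example",
  "http://seal.verisign.com/constructed-path",
  "https://seal.verisign.com.example.net/constructed-path",
  "https://seal.verisign.com@example.net/constructed-path",
];

// Compare both checks side by side for each sample.
function compareChecks(samples) {
  return samples.map((raw) => ({
    url: raw,
    prefixSaysOk: naivePrefixCheck(raw),
    strict: checkSealUrl(raw),
  }));
}

console.log(JSON.stringify(compareChecks(SAMPLES), null, 2));
```

Only the first sample passes the strict check, while the prefix test also accepts the third and fourth.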

He recognized that the reporting and seal verification process is not for the average Joe: "We do understand, however, that this process might not be one that every site visitor can navigate successfully". He says features built into the Vole's IE 7 web browser make telling real secure sites from fake ones easier, especially if the site uses "Extended Validation" SSL certificates: "Extended Validation SSL Certificates put a highly visible indicator into a compatible browser (a green address bar in IE7) to show that the authentic identity of the site has been confirmed using known, reliable methods. IE7 also displays the name of the organization next to the URL, and because this information is up in the chrome of the browser, it's outside the reach of a phisher or other perpetrator of false sites".

He says that IE 7's green address bar "only appears on pages that have SSL enabled, so you can also confirm that this page has a certificate in place to encrypt your transmissions." We told Tim that this scribbler, for instance, uses Linux, and that as such Volesoft's Internet Explorer is not software I can use, so we asked him what happens with Mozilla-derived browsers, like Firefox or SeaMonkey. He told the INQ that help is on the way in the form of the upcoming Firefox version three.

"VeriSign and Mozilla are both founding members of the CA/Browser Forum, the industry consortium that created the Extended Validation specification," explained Callan, pointing out that "EV SSL will be included in Firefox 3. Mock-ups are available to see." He added that "Firefox will support EV in a later beta. The beta 1 release notes state, 'Identity verification is prominently displayed and easier to understand. In later versions, Extended Validation SSL certificate information will be displayed.'"

According to Verisign's Callan, other browsers will follow: "Opera has announced support in its next version (9.5). We're encouraging other browser manufacturers to support EV SSL as well. It's an open standard, so any of them can". He said that the firm's approach with regards to cheaters and fake seals is two-pronged and involves both user reporting and also actively looking for seal abuse offenders: "people can use forms to report suspicious seals when they see them. We also have a process of proactively discovering fake seals. When we find them, we are able to take legal action against these sites and have done so in the past".

Finally he described the nature of the cheating when it comes to SSL certificates and the Verisign seal: "Misused seals generally fall into two camps. The first is customers who aren't fundamentally dishonest but are either sloppy or maybe just cutting corners a little bit. For instance, maybe the site had a VeriSign certificate when it put up the seal image, but the certificate has expired. Outreach by a sales or support representative almost always solves this problem immediately. The other camp is legitimate cheaters, some of whom are actively trying to defraud site visitors."

Callan told the INQUIRER that the worst offenders can get their sites unplugged from the Net. "Our best course of action in this case, as it happens is site takedown. Hosting providers pretty universally reserve the right to take down any site at any time, and an easily confirmed complaint of brand abuse from a highly credible source like VeriSign is usually sufficient to do the job."

As of today, we couldn't help noticing that the Skybox web site was still on-line, and continued showing what Verisign calls "a counterfeit version of the Verisign Secured Seal". We couldn't help but wonder aloud if perhaps the fact that the firm is physically based in Miami, U.S., but the site's administrative contact is based in Santiago, Chile, complicates its enforcement action against it. µ


Comments
Oh my

If it's still online, after Verisign confirmed it's fake, and said they were acting, I'm guessing that VISA/MASTER have an excellent position to reclaim money from stolen CC info past this date from Verisign.

posted by : W.-, 07 December 2007
Complete Waste of Time

Users can't even be bothered to check the existing padlock and SSL certificate info. Why should this "Extended Validation" stuff be any more successful?

posted by : Lawrence D'Oliveiro, 07 December 2007
EV SSL is a con to charge more money

Verisign *already* a) charge a lot of money for their "standard" SSL certs (259 pounds + VAT for a year!) and b) already do a lot of validation of the organisation/company applying for said "standard" certs. The "Extended Validation" cert is a total con by Verisign - they do very little extra to justify an even higher cost for the cert and then get a bit set in the cert to say "turn the URL bar green" effectively. I've been pestered by Verisign sales reps on the phone desperate to push this EV SSL and I just tell them it's a con-trick and they soon sheepishly end the phone conversation because they have no comeback - they simply cannot justify massively increasing the gouge level they already exert (remember that they are actually a worse monopoly in SSL-land than Microsoft are in OS-land!). I've been switching as many of our company's secure certs to cheap versions (I use Servertastic, but there's many other ones out there) unless our clients insist on Verisign. BTW, the secure seal programme is another Verisign con - think about it, it's free advertising on your site for Verisign! It's why I make a point to tell Verisign that I never put their secure seal on our client sites because we've already paid enough to them and they're not freeloading ads off our sites as well.

posted by : Richard Lloyd, 08 December 2007
EV FireFox Extension

For users of existing versions of FireFox, VeriSign published an extension that adds the green bar indicating an Extended Validation SSL certificate from VeriSign, Thawte, or GeoTrust. It is available from the Mozilla Addons website here: https://addons.mozilla.org/en-US/firefox/addon/4828

posted by : Alereon, 08 December 2007
EV vs Standard SSL

I think EV Certificates will make a significant impact because users will immediately see a difference in their browser (the green address bar) without having to look for a small lock icon. Whether you think EV Certificates are worth it or not, you can find the best deal on EV and standard SSL certificates at http://www.sslshopper.com

posted by : Robert, 09 December 2007