Otherwise Occupied
 



'Supercerts' Aim to Highlight Legit Web Sites

gregh  2006-11-08 16:45           

'Supercerts' Aim to Highlight Legit Web Sites:

Over the past couple of years, dozens of companies have rolled out technologies designed to help computer users and companies better spot 'phishing' scams -- Web sites that try to trick people into giving away financial and personal data. But what about helping users tell for certain that when their browser tells them that they are at, say, BankofAmerica.com, that they're really at the bank's official Web site and not at some scam site?

That's precisely the aim of CA/Browserforum, a security effort by the major Web browser makers and certificate authorities, or companies who sell and issue Web site security certificates.

Today, pretty much any Web site owner can plunk down between $150 to $400 and purchase a secure sockets layer (SSL) certificate, a technology designed not only to protect the integrity of data submitted by customers but also to give visitors a modicum of assurance that the site takes their security seriously. By clicking on the little padlock icon in the browser that accompanies all SSL certified sites, visitors also can gain more assurances that the SSL holder is a legitimate company and that it at least has been vetted by a certification authority to some degree.

It wasn't too long ago, I was having a discussion with someone about this topic. The first time I tried to purchase a server certificate (from VeriSign), it was actually a labor-intensive process. I was working for Instinctive Technology (the makers of eRoom, bought by Documentum, who in turn was bought by EMC) and we had maybe 20 employees at the time. VeriSign rejected the application initially, because they couldn't verify that we existed. I had to come up with a D&B number, and I had to have a letter from an officer on company letterhead stating who we were and that the company was indeed requesting the certificate. Finally, I had to make several phone calls to finally get the thing processed. In the end, I was left pretty convinced that they knew who I was.

Obviously, that process wasn't going to work on a larger scale, and things became something of a joke. Now, certificates do little more than authenticate that someone presumably legitimate signed the data contained in the certificate. So, with this proposal, I guess we're taking some cues from the past. Imagine; people might actually have to get involved in an effort to prove identity.

 