This is jensentime's Typepad Profile.
jensentime
Recent Activity
Interesting thoughts here. I'm no expert on this, despite writing on occasional IT issues -- one thing that comes to mind is, isn't the technology already out there? Wouldn't it just be a matter of legally mandating companies to encrypt their pages with Extended Validation SSL and individuals to use some kind of personal ID system? It seems like individuals have the hardest time here (it's easy to steal a credit card number; hard to hijack a green URL and padlock) and I can definitely see the need for some universal (and possibly free) form of identity management. But it seems like the tools are out there, they just aren't as prevalent as they should be.
--However, I'm reminded of an old adage: if you install a bank vault door at the front of a canvas tent, you don't get kudos for the strong door.

True, true, and as I said, I think a lot of folks treat SSL like a solution to everything when truly it needs to be treated like one tool in the bag of e-security tricks. The browser ecosystem, as you eloquently put it, is a rather treacherous one, and both the problems and their solutions are more complex than most realize.

--(By the way, I've gathered input from many users critical of EV certs--I used to be in the PKI industry myself. Just last week I had a conversation with a large enterprise IT manager who offered an unsolicited critique.)

Very interesting! Thanks for clarifying that, as I've not heard the same critiques.
I understand the appeal of knocking EV SSL certs, or security technology in general, and I applaud those who are forcing us to acknowledge just how vulnerable we really are. That having been said, however, the point of ANY kind of SSL has always been one thing, and one thing only -- to create a secure connection between two points (and ordinarily those points are exchanging some kind of private data). Can it be bypassed? Yes. Does that mean the secure connection is broken? No. It means that users are being diverted from the secure connection (i.e., Man in the Middle attacks), and that requires a different sort of protection entirely separate from SSL (EV or otherwise).

I think it's funny how every attack on EV SSL from black hat folks so far has involved exploiting some other weakness in a website (for example, the CanSecWest DNS hit). Yes, mixed security level sites do present problems, but blaming SSL for them is like blaming Master Lock when a thief gets in through the back (unbolted) door. I think SSL gets a lot of flak for this because it has a reputation for being THE security solution, even with people who don't know what the acronym stands for. But, again, getting EV SSL protection isn't like placing your website in a gleaming green tank. It simply provides more secure connections between a site and its customers, and the additional vetting process proves to customers that you are who you say you are. Beyond that we're in another area.

Oh, and when you say "More than one person has stated that the green bar really doesn’t matter to users; it’s just a way for CAs to make more money," do you just mean in the UK Register comments? Most of the data I've read has suggested the opposite (re: users noticing the difference and feeling safer), but browsers have been slow to adopt EV...