Is Your Browser Safe?

January 18th, 2010
By: Steve Duncan

An interesting article appeared on BBC today outlining how France and Germany are urging users to abandon Internet Explorer due to a vulnerability that allows malicious code to attack sites.  Those claims are bound to get headlines.

When you read further into the article however, it's clear that the vulnerability affects version 6 of Internet Explorer, not the latest version 8.  In fact, all older versions of browsers are susceptible to malicious software.  Rather than urging users to abandon their current browsers (which brings on a whole new set of challenges), users should be urged to update their browsers.

Older versions of browsers could be the greatest threat to online security.  Taking a look at the last 50,000 visitors to Entrust.net I thought it would be useful to see who’s using the latest version of which browser.  Of the Internet Explorer users, only 36% were using the latest version 8 of the browser.  Of the Mozilla Firefox users, 39% were using the latest version.  It’s a little better when you examine other browsers such as Safari, Chrome and Opera but their total share is just over 10% combined.

There was a time when CA vendors sold SGC certificates that would provide security for very old browsers (at least 9 years old!).   It’s possible some CAs still charge a premium for these.  The thinking was that there’s bound to be a small handful of users that need to conduct transactions securely on browsers that didn’t offer strong encryption.  In fact, websites would be doing these users a favor by not allowing the secure connection, given how risky their old browsers are.  Entrust wrote a white paper on this very subject.

The best defense whether you’re using Internet Explorer, Firefox or any other browser is to make sure you’re using the latest version that has been adequately patched.

Site Seals: Reasons to use them. Reasons not to.

January 17th, 2010
By: Steve Duncan

Every SSL vendor offers a site seal, a small graphic that can be displayed on the pages that offer SSL encryption.  But are they worth displaying?  Here are some reasons a website should consider using a site seal, and some reasons not:

Three good reasons to display a site seal:

  1. Just another trust indicator.  Savvy users know to look for the green colored address bar, the small lock, or the “https” at the beginning of a secure website address.  But does everyone know that?  A site seal may be the one thing that your customers look for as a symbol of trust.  In a perfect world users should be trained to look for all visual indicators of website security, but the reality is that you need to offer as many trust indicators as possible to keep customer confidence high.
  2. If there’s a look-up function.  Those savvy users know they can click on the green bar and the small lock in the browser.  Likewise, those who look to a site seal for verification should know that if they click on it, a confirmation is shown from the SSL vendor’s website.
  3. Brand reinforcement. Displaying a site seal indicating security from a reputable vendor reinforces your own brand image.  You are essentially associating your brand with the brand you display.

So what are three reasons you wouldn’t want to use a site seal?

  1. Poor brand association.  The last thing you want to do is associate your company with one that doesn’t present the same positive brand identity.  You want to make sure you’re displaying a brand that doesn’t represent unprofessionalism, sexism, or values that you don’t want attributed to your brand.
  2. Just the graphic. A properly installed SSL site seal lets users click on the graphic to get confirmation of the company and website.  If the site seal is just a graphic, it’s often a sign of a phishing site or an improperly installed seal.
  3. A Pseudo seal.  You don’t have to search the web too much to find questionable companies selling “site seals” that are nothing more than a graphic with little or no verification or security behind it.  Since consumers are becoming more educated that a true SSL site seal reinforces the other secure visual indicators, it stands to reason you’ll lose more customers than you’ll gain.

One can conclude that a site seal is a good way to reinforce your brand, enhance consumer confidence and decrease customer drop-outs.  But only if installed properly and from a reputable source.

You can find out more about Entrust’s site seal by visiting our FAQ here.

Is it Paypal? Or is it Paypal?

January 4th, 2010
By: Steve Duncan

Can you rely on the website address to tell if you’re on a phishing site? Not anymore, according to some websites.

It seems that the Internet Corporation for Assigned Names and Numbers (ICANN) has recently allowed non-Latin domain names to be registered.  This is in an effort to encourage Internet content build-up from other countries.

Reacting to this news, some creative authors have found a way to display common website addresses using a combination of Cyrillic and English letters.  For example, the Russian Cyrillic characters “raural” look exactly like “paypal”.  Check out the Times Online article here and the Paypal example here.  This IDN homograph phishing attack is nothing new, just a lot easier according to some authors.

Some potential issues have been addressed: depending on what type of browser you use, you’ll likely get a warning; IDN implementations won’t allow mixed-script URLs, so a nefarious registrant can’t mash up a domain name using multiple scripts.  But one can’t help wondering what happens on older browsers, or mobile browsers?
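The mixed-script check that browsers apply per label can be reproduced outside the browser, which is handy for screening hostnames in logs or certificate requests. This is an added example, not code from the original post or from any browser; it assumes a coarse script classification taken from Unicode character names (enough for the Latin/Cyrillic confusables discussed above) and accepts either a Unicode hostname or its punycode (xn--) form.

```python
import unicodedata


def script_of(ch):
    """Coarse script class of one character, derived from its Unicode name.
    Assumption: distinguishing Latin, Cyrillic and Greek is sufficient here."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    if ch.isdigit() or ch == "-":
        return "COMMON"   # digits and hyphens belong to any script
    return "OTHER"


def decode_hostname(host):
    """Return the Unicode form of a hostname given in either Unicode or xn-- form."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def label_scripts(label):
    """Set of scripts used in one DNS label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"COMMON"}


def check_hostname(host):
    """Flag labels that mix scripts, the pattern IDN display policies reject.
    Returns (verdict, decoded hostname, [(label, sorted scripts), ...])."""
    uhost = decode_hostname(host)
    findings = []
    for label in uhost.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append((label, sorted(scripts)))
    return ("mixed-script" if findings else "ok", uhost, findings)


if __name__ == "__main__":
    # Constructed samples: a genuine name and one with a Cyrillic 'а' (U+0430)
    for sample in ("paypal.com", "p\u0430ypal.com"):
        print(sample.encode("idna").decode("ascii"), check_hostname(sample))
```

Running the script prints the punycode form beside each verdict, so the xn-- string a log or certificate request would actually contain can be compared with what the user would see rendered.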

No matter what the case, it’s just become a bit more unreliable to depend on the domain name displayed in the browser address bar.  It’s too bad because that’s usually the best way to train non-technical users to be sure they’re on the right website.   Of course another way to rely on a website is through the SSL information.  But try explaining to your great aunt that she needs to click on the little lock icon at the bottom right of her browser.  And with the proliferation of certificates that only validate domain names (DV certificates), many SSL sessions just don’t offer the reliability.

Browser manufacturers and Certificate Authorities have taken the first step towards making it easier by introducing Extended Validation (EV) certificates.  The standardized EV Guidelines specifically mention that:

The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization.

In other words, this problem wouldn’t happen if sites were protected by EV certificates.  EV guidelines also dictate that  certificate providers validate the company name that owns the website as well as the true website name, and this  information is displayed in the “chrome” of the browser, such as in the menu bar.  Most browsers provide visual cues for EV certificates.  Usually the address or address bar turns green.  But is it enough?  Would your great aunt know to look for green visual cues and the name of the company?  Perhaps.  Perhaps not.  Perhaps the next step is for browsers to provide more dramatic visual cues.  Like “You are about to send information securely to <Insert verified company name here>”.    Let’s hope the browser vendors can stay ahead of the criminals on this one.

Phishing is Here to Stay: 1 in 200 are Victimized

December 14th, 2009
By: Steve Duncan

I guess it’s not that surprising, but a new report indicates that 0.47 percent of banking customers fall victim to a phishing site every year.  This clearly demonstrates that phishers have a large market to address and are obviously seeing a return on their investments.  That means we can expect to see even more phishing attempts going forward.  Financial institutions are already facing an average of 16 attacks a week.  One wonders how many more they can cost-effectively deal with?

Naturally, the targets of these phishing attacks are becoming educated about phishing so that will mean phishing attacks will become more sophisticated.  Case in point: some phishers have taken to social media such as Facebook and Twitter (“friending” the wrong person in Facebook can provide enough information for identity theft).

One defense against phishing is EV SSL certificates.  It’s a step in the right direction that applies stringent verification standards on those that want to use one.  When deployed, EV SSL certificates display the verified company name in the “chrome” of the browser, along with other trust indicators such as turning the address bar green.  It’s up to the browser manufacturers to decide how to display that trust.  Some turn the entire address bar green while others only shade address text green.  I wonder if consumer pressure will bring them to be more aggressive displaying verified company information.  Time will tell.

Security Considerations of Wildcard Certificates

December 11th, 2009
By: Steve Duncan

On the surface, wildcard certificates might make sense: they allow you to secure multiple subdomains belonging to the same organization with the same domain name.  For example, if a company owned the domain anycompany.com, a wildcard certificate could be used to secure the subdomains of *.anycompany.com. Now that company could use that single wildcard to secure vpn.anycompany.com, contracts.anycompany.com and payment.anycompany.com.

The potential cost savings of wildcards have to be weighed against the security weaknesses of them:

  • If one server or sub-domain gets compromised, all sub-domains and servers would be compromised. That’s just not a good security practice.
  • There is no way to revoke the SSL digital certificate for one sub-domain without having to revoke the digital certificate for all of the other sub-domains.
  • Not all applications may be compatible with wildcard certificates. In particular, many mobile applications will not work with wildcards.

If the reason for going for a wildcard certificate is to reduce the complexity of managing multiple certificates, then customers are better off buying certificates through free certificate management services such as Entrust’s CMS.  It’s lower risk than a wildcard certificate and a better way of managing certificates.
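The two points above, which names a wildcard actually covers and how far a single compromised key reaches, can be made concrete. This is an added example, not code from the original post or from Entrust; it assumes the one-label wildcard matching rule that browsers apply (the wildcard must be the entire leftmost label and matches exactly one label), and the host list is constructed from the names used in the post.

```python
def wildcard_covers(pattern, hostname):
    """True if certificate name `pattern` (e.g. '*.anycompany.com') covers
    `hostname` under the one-label wildcard rule browsers enforce."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Wildcard must be the whole leftmost label, with at least two fixed labels after it
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return (len(host_labels) == len(labels)
            and host_labels[0] != ""
            and host_labels[1:] == labels[1:])


def blast_radius(cert_name, deployed_hosts, compromised_host):
    """Hosts an attacker could impersonate with the private key taken from
    `compromised_host`, assuming every listed host serves the same certificate.
    Revoking that certificate takes every returned host down together."""
    covered = [h for h in deployed_hosts if wildcard_covers(cert_name, h)]
    return covered if compromised_host in covered else []


# Constructed deployment using the hostnames from the post
DEPLOYED = ["vpn.anycompany.com", "contracts.anycompany.com",
            "payment.anycompany.com", "anycompany.com", "dev.vpn.anycompany.com"]

if __name__ == "__main__":
    for h in DEPLOYED:
        print(f"{h:28s} covered by *.anycompany.com: {wildcard_covers('*.anycompany.com', h)}")
    print("compromise of vpn affects:", blast_radius("*.anycompany.com", DEPLOYED, "vpn.anycompany.com"))
```

Note that the bare domain and the nested dev.vpn host are not covered, so a single wildcard rarely replaces every certificate it is bought to replace, while the three hosts it does cover share one key and one revocation.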

Getting really technical: The first 220 milliseconds of SSL

December 11th, 2009
By: Steve Duncan

Anybody want a really technical description of what happens when an SSL session starts?  With the help of some network tools and a special version of Firefox, Jeff Moser details exactly what happens to change the address bar color and put a lock in the corner.  It’s not as simple as you might think.  Check out Jeff’s article here.