Archive for January, 2010

Is Your Browser Safe?

Monday, January 18th, 2010 | Steve Duncan

An interesting article appeared on the BBC today outlining how France and Germany are urging users to abandon Internet Explorer because of a vulnerability that lets a malicious web page run code on the visitor's machine.  Claims like that are bound to get headlines.

When you read further into the article, however, it's clear that the attacks reported were against version 6 of Internet Explorer, not the current version 8.  That is the real story: older versions of every browser carry known vulnerabilities that the vendor has long since patched in the current release.  Rather than urging users to abandon their current browser (which brings on a whole new set of challenges), users should be urged to update it.

Older browser versions may be the single greatest threat to online security.  Looking at the last 50,000 visitors to Entrust.net, I thought it would be useful to see who is running the latest version of which browser.  Of the Internet Explorer users, only 36% were on the current version 8.  Of the Mozilla Firefox users, 39% were on the latest version.  The picture is a little better for Safari, Chrome and Opera, but their combined share is just over 10%.
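As an added example (not from the original post and not Entrust's own tooling), here is how to take the same measurement on your own site from a web server access log: parse the User-Agent out of each line, pick out the browser family and major version, and report the share of visitors on the current major version.  The log lines and the "latest version" table below are constructed for illustration.  Bear in mind that the User-Agent is supplied by the client, so this is a population estimate, not a security check.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format (not real Entrust.net traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [18/Jan/2010:10:00:00 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.2 - - [18/Jan/2010:10:00:01 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.3 - - [18/Jan/2010:10:00:02 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
10.0.0.4 - - [18/Jan/2010:10:00:03 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
10.0.0.5 - - [18/Jan/2010:10:00:04 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
10.0.0.6 - - [18/Jan/2010:10:00:05 -0500] "GET / HTTP/1.1" 200 512 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10"
"""

# Assumed "current major version" per family at the time of the post
# (IE 8, Firefox 3); update this table as browsers move on.
LATEST = {"Internet Explorer": 8, "Firefox": 3}

UA_RE = re.compile(r'"([^"]*)"\s*$')      # last quoted field is the User-Agent
IE_RE = re.compile(r"MSIE (\d+)\.")
FF_RE = re.compile(r"Firefox/(\d+)\.")

def classify(user_agent):
    """Return (family, major_version); major is None for families we don't track."""
    m = IE_RE.search(user_agent)
    if m:
        return "Internet Explorer", int(m.group(1))
    m = FF_RE.search(user_agent)
    if m:
        return "Firefox", int(m.group(1))
    return "Other", None

def version_report(log_text):
    """Per family: total hits, hits on the current major version, and the percentage."""
    counts = defaultdict(lambda: {"total": 0, "latest": 0})
    for line in log_text.splitlines():
        m = UA_RE.search(line)
        if not m:
            continue                      # malformed line; skip rather than guess
        family, major = classify(m.group(1))
        counts[family]["total"] += 1
        if major is not None and major >= LATEST[family]:
            counts[family]["latest"] += 1
    return {
        family: dict(c, pct_latest=round(100.0 * c["latest"] / c["total"], 1))
        for family, c in counts.items()
    }

if __name__ == "__main__":
    for family, c in version_report(SAMPLE_LOG).items():
        print(f"{family}: {c['latest']}/{c['total']} on current major ({c['pct_latest']}%)")
```

On the constructed sample this reports one of three Internet Explorer visitors and one of two Firefox visitors on the current major version.  Run it against a real log and the interesting number is the remainder: every visitor not on the current major is one the BBC article is really about.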

There was a time when CA vendors sold SGC (Server Gated Cryptography) certificates so that very old browsers (at least 9 years old!) could negotiate strong encryption: export-restricted browsers otherwise limited to 40- or 56-bit ciphers would "step up" to 128-bit when they saw an SGC-flagged certificate.  It's possible some CAs still charge a premium for these.  The thinking was that there's bound to be a small handful of users who need to conduct transactions securely on browsers that don't otherwise offer strong encryption.  In fact, websites would be doing those users a favor by refusing the connection, given how risky their old browsers are: a browser old enough to need SGC is old enough to have years of unpatched vulnerabilities.  Entrust wrote a white paper on this very subject.

The best defense, whether you're using Internet Explorer, Firefox or any other browser, is to make sure you're running the latest version and that it has been fully patched.

Site Seals: Reasons to use them. Reasons not to.

Sunday, January 17th, 2010 | Steve Duncan

Every SSL vendor offers a site seal: a small graphic that can be displayed on pages served over SSL.  But are they worth displaying?  Here are some reasons a website should consider using a site seal, and some reasons not to:

Three good reasons to display a site seal:

  1. Just another trust indicator.  Savvy users know to look for the green address bar, the small lock, or the "https" at the beginning of a secure website address.  But does everyone know that?  A site seal may be the one thing your customers look for as a symbol of trust.  In a perfect world users would be trained to look for every visual indicator of website security, but the reality is that you need to offer as many trust indicators as possible to keep customer confidence high.
  2. If there's a look-up function.  Those savvy users know they can click on the green bar and the small lock in the browser.  Likewise, those who look to a site seal for verification should know that clicking it shows a confirmation page served from the SSL vendor's own website.  That click-through is what separates a real seal from a copied image: the confirmation comes from the vendor's domain, not from the site displaying the seal.
  3. Brand reinforcement.  Displaying a site seal from a reputable security vendor reinforces your own brand image.  You are essentially associating your brand with the brand you display.

So what are three reasons you wouldn’t want to use a site seal?

  1. Poor brand association.  The last thing you want to do is associate your company with one that doesn't present the same positive brand identity.  Make sure the brand you display doesn't stand for unprofessionalism, sexism, or values you don't want attributed to your own brand.
  2. Just the graphic.  A properly installed SSL site seal lets users click the graphic to get confirmation of the company and website from the vendor.  If the seal is just a static image, it's often a sign of a phishing site or an improperly installed seal.  Since any image can be copied, the graphic on its own proves nothing; the verification behind the click is the part that matters.
  3. A pseudo seal.  You don't have to search the web very hard to find questionable companies selling "site seals" that are nothing more than a graphic with little or no verification or security behind them.  Since consumers are learning that a true SSL site seal reinforces the other secure visual indicators, it stands to reason you'll lose more customers than you'll gain.

One can conclude that a site seal is a good way to reinforce your brand, enhance consumer confidence and decrease customer drop-outs, but only if it is installed properly, with its look-up function working, and comes from a reputable source.

You can find out more about Entrust’s site seal by visiting our FAQ here.

Is it Paypal? Or is it Paypal?

Monday, January 4th, 2010 | Steve Duncan

Can you rely on the website address to tell whether you're on a phishing site?  Not anymore, according to some websites.

The Internet Corporation for Assigned Names and Numbers (ICANN) has recently begun allowing domain names in non-Latin scripts to be registered, in an effort to encourage internet content from other countries.

Reacting to this news, some creative authors have shown how to display familiar website addresses using a mix of Cyrillic and Latin letters.  For example, the Cyrillic letters er, a, u, er, a (which transliterate as "raura") followed by a Latin "l" produce "раураl", which looks exactly like "paypal".  Check out the Times Online article here and the Paypal example here.  This IDN homograph attack is nothing new; it has just become a lot easier, according to some authors.

Some of the potential issues have been addressed: depending on which browser you use, you'll likely get a warning, and most browser IDN implementations refuse to display a label that mixes scripts as Unicode, showing the punycode ("xn--") form instead, so a nefarious registrant can't mash up a domain name from multiple scripts and have it render as the lookalike.  But one can't help wondering what happens on older browsers, or mobile browsers?  And the mixed-script rule does nothing against a lookalike built entirely from one script.

No matter what the case, it has just become a bit less reliable to depend on the domain name shown in the browser address bar.  That's too bad, because it's usually the best way to train non-technical users to be sure they're on the right website.  Of course, another way to verify a website is through its SSL certificate information.  But try explaining to your great aunt that she needs to click the little lock icon at the bottom right of her browser.  And with the proliferation of certificates that validate only control of the domain name (DV certificates), the certificate behind many SSL sessions says nothing about who actually operates the site.

Browser manufacturers and Certificate Authorities have taken a first step towards making this easier by introducing Extended Validation (EV) certificates.  The standardized EV Guidelines specifically state that:

The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization.

In other words, a CA following the guidelines should not issue an EV certificate for a homograph of a well-known domain.  The EV guidelines also require certificate providers to validate the legal name of the organization that owns the website as well as the website name itself, and that information is displayed in the browser "chrome", such as the address bar.  Most browsers provide visual cues for EV certificates; usually the address bar turns green and shows the organization name.  But is it enough?  The check protects the EV certificate, not the user: a phishing site on a lookalike domain simply won't have one, so the user still has to notice that the green bar and the company name are missing.  Would your great aunt know to look for green visual cues and the name of the company?  Perhaps.  Perhaps not.  Perhaps the next step is for browsers to provide more dramatic visual cues, like "You are about to send information securely to <insert verified company name here>".  Let's hope the browser vendors can stay ahead of the criminals on this one.
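As an added example (not Entrust's code, and not part of the EV Guidelines themselves), here is a simplified version of the high-risk screen the quoted guideline describes, written in Python.  For each label of a requested domain it finds which scripts the label mixes, maps Cyrillic lookalikes onto the Latin letters they resemble and compares the result against a watch list of high-risk names, and shows the punycode form a browser falls back to when it distrusts the Unicode.  The lookalike table and the watch list are constructed subsets for illustration; a production check would use the full Unicode confusables data and the CA's real high-risk list.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters.
# Illustrative only; Unicode's confusables.txt is the authoritative source.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}

# Constructed watch list standing in for a CA's "known high risk domains".
HIGH_RISK = {"paypal", "entrust"}

def scripts(label):
    """Scripts present in a label, approximated from Unicode character names.
    Digits and hyphen are script-neutral and ignored."""
    found = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue
        name = unicodedata.name(ch, "")
        found.add(name.split()[0] if name else "UNKNOWN")
    return found

def skeleton(label):
    """Replace each known lookalike with the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def to_punycode(label):
    """ASCII-compatible form (what a browser shows when it distrusts the Unicode)."""
    return label.encode("idna").decode("ascii")

def assess(domain):
    """Flag what an EV-style high-risk screen would raise for a requested domain."""
    labels = domain.lower().split(".")
    flags = []
    for label in labels:
        found = scripts(label)
        if len(found) > 1:
            flags.append(f"label '{label}' mixes scripts {sorted(found)}")
        # Script mixing alone misses a lookalike built from a single script,
        # so compare the skeleton against the watch list as well.
        sk = skeleton(label)
        if sk != label and sk in HIGH_RISK:
            flags.append(f"label '{label}' is a lookalike of high-risk name '{sk}'")
    return {
        "domain": domain,
        "punycode": ".".join(to_punycode(l) for l in labels),
        "flags": flags,
        "high_risk": bool(flags),
    }

if __name__ == "__main__":
    # Cyrillic er, a, u, er, a followed by a Latin l: renders as "paypal".
    for d in ("paypal.com", "\u0440\u0430\u0443\u0440\u0430l.com"):
        r = assess(d)
        print(r["domain"], "->", r["punycode"], "HIGH RISK" if r["high_risk"] else "ok", r["flags"])
```

The genuine "paypal.com" passes with no flags, while the Cyrillic lookalike is flagged twice (mixed scripts, and a skeleton matching a watch-list name) and its punycode form starts with "xn--", which is the string a cautious browser would put in the address bar.  Note that this screens certificate requests at the CA; it does nothing for a user who lands on the lookalike domain with no EV certificate at all, which is the gap the post's closing paragraph is about.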