[LINK] OzIT: 'Making online shopping safer'
Roger.Clarke at xamax.com.au
Tue Sep 8 09:52:26 AEST 2009
[Comments interspersed and at end]
Making online shopping safer
September 08, 2009
The Australian IT Section
INTERNET shoppers are being urged to look for a green cue that shows
a website is legitimate, thanks to a breakthrough intended to give
greater confidence in online payments.
VeriSign authentication services director Armando Dacal said a new
industry agreement on website security standards and verification of
transactions would make it easier for consumers to avoid fake sites
set up by criminals.
In the past computer users have looked for the padlock icon and the
web address to change from http:// to https:// on a transaction page
(the s means the site is encrypted, so information entered is secure)
but next-generation browsers will turn the whole address bar green.
The Extended Validation (EV) Secure Sockets Layer (SSL) standard has
been developed by leading digital certification authorities,
including VeriSign, and browser vendors such as Google, Mozilla,
Apple and Microsoft, as a technical response to the rise in internet
"Five years ago, criminals used pretty basic techniques like the
Nigerian email scam, where they asked for your bank account details
and promised to send you millions in return," Mr Dacal said.
"But criminals are now creating phishing websites that ... are
identical to the real site and it's virtually impossible for the
average consumer to tell the difference."
A study based on VeriSign's Phish or No Phish website -- where people
are challenged to pick the fake -- found that nine out of 10 were
[It would be interesting to know how the 1 out of 10 avoided being
fooled. A properly designed scam presumably has only two differences
from 'the real thing':
- a different domain-name (e.g. sydneyoperahouse.com cf.
- a different bank account to send the funds to
To detect the first requires effort and technical knowledge.
The second is undetectable because it's hidden inside the server]
"In Australia, 86 per cent failed to tell the difference between a
legitimate and a phishing website, in line with results from Britain
and the US, although Europeans did better," Mr Dacal said.
[As far as I can see, these stats are about as relevant to the
discussions as '9 out of 10 people prefer Omo''.]
"Scare tactics by fraudsters remain an effective form of phishing,
and despite education efforts by banks and retailers warning
customers not to share their personal information online, many still
fall into this trap."
Because of the need for a technical solution, the CA/Browser Forum
was formed to strengthen SSL authentication procedures and make it
easier for users to recognise trustworthy websites.
The forum says all new internet browsers will display EV SSL websites
in a way that allows visitors "to instantly ascertain that a given
site is indeed secure".
Certification authorities have agreed to more rigorous standards for
processing certificate requests, while a new vetting format will
"EV SSL will prove particularly useful for companies whose internet
domains are at high risk of being targeted by phishing schemes, such
as banking and auction sites, and popular retailers," the forum says.
"Internet users will be able to trust that particular websites are
what they claim to be, rather than fraudulent mirror sites operated
Mr Dacal said more than 1500 local businesses were using VeriSign's
EV SSL offering, including Commonwealth Bank, National Australia Bank
and Westpac, Virgin Blue, JetStar and online travel retailer Best
Flights, among more than 13,000 customers globally.
"Now there is a consistent, simple visual cue that consumers should
look for when shopping online," he said.
[I should look into the details, e.g. here:
[But my first impression is that this initiative is only a fractional
improvement, and hence PKI as a means of providing assurance of the
legitimacy or otherwise of web-sites will remain inadequate.
[I summarised the reasons why PKI has been a failure here:
[The key issues in this context are:
- inadequate authentication processes applied to the companies
when they apply for certificates (addressed by EV, but how well?)
- inadequate warranties provided by the CA (not addressed?)
- inadequate management of revocation and expiry of keys and certs
(I'm unclear whether it's addressed)
- inability to provide user interfaces that users can understand
(as will emerge below, I suspect this hasn't been solved either)
[The EV initiative appears to do two things:
- improves the (hitherto quite useless) authentication processes
But that needs to be checked, because the improvements may be
just superficial, or 'commitments' rather than 'requirements'
- changes the visual display from a padlock or key to the colour green
But the old padlock/key sign confirms only that channel encryption
is in use, i.e. an eavesdropper can't see the content. It doesn't
assure you that you are talking with the site you think you are
The colour green will presumably declare that (some specific?)
level of authentication has been performed on the site-operator
[But what about the missing aspects?
- does the EV initiative upgrade the warranties?
(There seems to be no mention of it, so probably not)
- does it require real-time checking of the currency of certificates
and rapid processing of revocations?
(I'd need to dig to find out)
- what will be displayed when you go to a scammer's site?
(As far as I can see, the danger signal is just the absence of green)
- what will be displayed when the cert is unsatisfactory in some way?
(Presumably the same old incomprehensible and ignored displays?)
[Here's an article from nearly 3 years ago:
[So implementation has been delayed for 2-1/2 years ...
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
More information about the Link