Microsoft to push new anti-phishing technology

Microsoft and industry partners are pushing ahead with plans to make the Web a little safer with a new technology to combat phishing.

At next month's RSA Conference in San Francisco, the software giant plans to announce that a number of Web sites have gone through a new certification process designed to make it harder for phishers to spoof them. The process gives third-party certification authorities like VeriSign and Entrust a more stringent set of guidelines to follow when they are authenticating Web sites.

The result of the process is something called an Extended Validation Secure Sockets Layer (EV SSL) certificate, which can be used by Web sites to help reassure Web surfers that they are handing over their private information to a legitimate site.

Microsoft is ahead of other browser-makers in supporting EV SSL certificates, which will work with Internet Explorer 7 by the end of this month. But for the technology to take off it must also be widely adopted by Web sites.

Microsoft plans to show that this is now happening, said Markellos Diorinos, product manager with the Internet Explorer team. "We're getting more and more names that are going to be supporting Extended Validation, and we'll be announcing the first ones at RSA," he said.

Sites that have been EV SSL-certified will look a little different from today's secure sites, which typically display a small "lock" icon in the Web browser.

When IE hits part of a Web site that supports the EV SSL standard, there will still be a lock icon but the address bar will also turn green. Users will also be able to see what country the Web site is based in and who has certified it. "What this really means is that someone went and made sure that this corporation is in good standing," Diorinos said.

Web sites buy these EV SSL certificates from certification authorities, who in turn follow the Web site company's paper trail: making sure it is registered with local authorities, that it has a legitimate address, and that it actually has control over the Web domain in question, for example. In some cases the certificate authority may even send out a representative to confirm that the business is who it claims to be.

"If you're a company without a reliable paper trail, you're not going to get one of these," said Tim Callan, a product manager with VeriSign's business unit. "If you're incorporated, if you're an LLP, or if you're a registered charity, you have nothing to worry about."

VeriSign has been offering EV SSL certificates since Dec. 11, and has over 300 businesses now going through the certification process. About 20 of them have been issued certificates so far, Callan said.

The certificates are certainly of interest to Web sites that have been targeted by phishers. Wells Fargo & Co. has helped develop the EV SSL standard, and Ebay Inc.'s PayPal has recently gone live with EV SSL certificates on its https://history.paypal.com and https://av.paypal.com/ Web sites.

Still, there are some issues to be worked out.

One unanswered question is whether or not smaller sites that haven't been spoofed will be willing to pay for these certificates.

There are also technical questions that have yet to be worked out by the browser makers. For example, how will EV SSL deal with international character types, and how will they deal with two companies in different countries that happen to share the same name.

"There are a lot of open issues," said Window Snyder, head of security strategy at Mozilla, via instant message. The Firefox team will probably wait until version 3.0 of its browser is released later this year so that these questions can first be addressed, she said.