Do you know who checked that gold padlock in your web browser? Names like GeoTrust, Comodo, Starfield Technologies and Thawte will likely become more familiar to Internet users as browsers begin displaying the names of the issuers of SSL certificates that secure e-commerce web sites. These companies, known as certificate authorities, will gain visibility as the padlock icon indicating a secure connection moves to the address bar in Internet Explorer 7 and other new browser releases.
The move is part of a broader effort to improve Internet security, with Microsoft working with the developers of Firefox, Opera and Konqueror browsers to simplify the display of SSL certificate information. The unusual collaboration is driven by concerns about phishing, and is likely to bring changes in the SSL market, which has become more competitive lately following years of dominance by VeriSign.
While browsers makers hold considerable sway over SSL standards, certificate authorities are critical players in developing unified approach to certificate security. A priority for browser makers is the development of a new tier of high-security SSL certificates to identify "high impact" secure sites such as financial institutions. The major challenge is finding a workable standard. "Certification Authorities offer certificates with broadly different levels of background checking for the website," notes Microsoft's Rob Franco. "Unfortunately, there is no industry standard method for anyone to tell what level of background checking was performed for a given site."
Some CAs check the applicant's ownership of the associated domain name ("domain validated"), while others verify the applicant's business details as well ("organization validated"). Methods vary, with some providers contacting applicants by phone to verify their information, while others automate the process using databases from credit bureaus. Several CAs don't disclose their validation methods, saying the details are proprietary - a stance that doesn't meet the browser makers' vision for enhanced certificates.
"For this to work … there should be some common validation guidelines for rigorous website identification," writes Microsoft's Franco. "There is a lot of preliminary agreement but also a lot of work to do."
As they press for a new level of high-security certificates, the browser developers are offering a tasty carrot to the CAs - the opportunity to build their brands by having the issuing CA's name displayed alongside the golden lock on SSL-enabled sites. Internet Explorer 7 will alternate the name of the business and the name of the certificate authority in the address bar for secure sites.
Enhanced branding opportunities will be welcomed by certificate authorities, whose key role in most Internet transactions hasn't yet translated into wide visibility beyond the web hosting industry. The two companies with the highest name recognition, VeriSign and Go Daddy, are best known to the public for their role in the domain name business. The branding opportunity could nonetheless present a challenge for VeriSign, which in recent months has been shifting certificates issued under several of its less-familiar brands (including Thawte and RSA Digital Security) to ones listing the issuer as "VeriSign Inc." Go Daddy's certificates are issued as Starfield Technologies Inc.
A new tier of high-value certificates would offer CAs an opportunity to develop new, high-margin products at a time when prices for SSL certificates are trending steadily lower. But can leading CAs put aside their competitive issues and reach a consensus on a validation standard that can be used with high-security certificates?
That is one of the issues tracked by Netcraft's monthly Secure Server Survey, which provides detailed information about encrypted transactions and e-commerce, including the growth rate for SSL-enabled sites, and which operating systems, server software and certificates are most widely used on these sites.