<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/atom10full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Tim Callan's SSL Blog</title>
    <link rel="alternate" type="text/html" href="https://blogs.verisign.com/ssl-blog/" />
    
   <id>tag:blogs.verisign.com,2008:/ssl-blog//3</id>
    <link rel="service.post" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3" title="Tim Callan's SSL Blog" />
    <updated>2008-06-30T18:16:40Z</updated>
    <subtitle>Demystifying the Web's Secure Backbone</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.2</generator>
 
<link rel="self" href="http://feeds.feedburner.com/VerisignTimCallanSSLBlog" type="application/atom+xml" /><feedburner:emailServiceId>993024</feedburner:emailServiceId><feedburner:feedburnerHostname>http://www.feedburner.com</feedburner:feedburnerHostname><entry>
    <title>Aetna goes live with EV SSL</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/323389672/aetna_goes_live_with_ev_ssl.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=964" title="Aetna goes live with EV SSL" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.964</id>
    
    <published>2008-06-30T17:52:39Z</published>
    <updated>2008-06-30T18:16:40Z</updated>
    
    <summary>Readers of this SSL Blog will recall that there was a time when tracking the early adoption of Extended Validation SSL was one of this blog's main functions. As it has become more mainstream, I've left off mentioning deployment on...</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Extended Validation SSL" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;Readers of this &lt;a href="https://blogs.verisign.com/ssl-blog/"&gt;SSL Blog&lt;/a&gt; will recall that there was a time when tracking the early adoption of &lt;a href="https://www.verisign.com/ssl/ssl-information-center/extended-validation-ssl-certificates/index.html"&gt;Extended Validation SSL&lt;/a&gt; was one of this blog's main functions.  As it has become more mainstream, I've left off mentioning deployment on individual sites unless they're very important.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Today I'm highlighting the fact that EV SSL is live on &lt;a href="https://member.aetna.com/MbrLanding/login.fcc?TYPE=33554433&amp;REALMOID=06-36d8cb4d-4ac1-44c7-b12d-a80fba4b718e&amp;GUID=&amp;SMAUTHREASON=0&amp;METHOD=GET&amp;SMAGENTNAME=-SM-xU5km2Pz5%2f9A%2f2FCwUlXE48HlDkyH9ruz3da8Iqw6pwcy09mgHFN5RmlkMNqguY5&amp;TARGET=-SM-HTTPS%3a%2f%2fmember%2eaetna%2ecom%2fMbrLanding%2fRoutingServlet%3fcreateSession%3dtrue"&gt;Aetna&lt;/a&gt;.  This deployment is important because of Aetna's leadership position in both the insurance and health care industries.  Both these industries deal in a great amount of personal information for which confidentiality is very important and which individuals want to ensure is secure.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Consider the consequences of a privacy breach on three types of sites:  E-commerce, financial, and health care.  In the first case a credit card number is stolen.  The individual has to go through the hassle of disputing charges and getting a new credit card.  Definitely a bummer.  The second case is worse.  The individual most likely is the victim of account takeover, meaning that money is stolen either directly or indirectly.  Now the individual has to deal with a bank or trading firm or the like to see to it that his or her money is returned, usually at the expense of the financial service provider in question.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
All bad.  But let's talk about what happens when confidential health care information escapes into the public sphere.  Now there is no recourse, no matter how hard you work at it.  A bank account can be restored.  Compensation can come to the victim of a pump-and-dump scheme.  But once there's general knowledge of who uses which prescription drugs or who has been diagnosed with cancer or who has tested positive for a congenital disease, then no activity, no action of the court, no trick of law enforcement will ever put that genie back in that bottle.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Which is why it's been good to see health care leaders like &lt;a href="https://blogs.verisign.com/ssl-blog/2007/08/this_aint_just_your_online_ban.html"&gt;Blue Cross/Blue Shield&lt;/a&gt; and now Aetna adopting Extended Validation.  Because &lt;a href="https://blogs.verisign.com/ssl-blog/2007/08/in_case_you_havent_heard_phish.html"&gt;phishing isn't just about banks&lt;/a&gt;.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/06/aetna_goes_live_with_ev_ssl.html</feedburner:origLink></entry>
<entry>
    <title>The list of EV compatible browsers expands considerably</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/313250737/the_list_of_ev_compatible_brow.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=949" title="The list of EV compatible browsers expands considerably" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.949</id>
    
    <published>2008-06-16T20:31:02Z</published>
    <updated>2008-06-16T20:38:01Z</updated>
    
    <summary>If you're reading an SSL Blog like this one, you probably already have heard that Firefox 3 is due for release tomorrow. What you may not have heard is that Opera 9.5 is released and available for download now. Adding...</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Extended Validation SSL" />
            <category term="Firefox" />
            <category term="Opera" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;If you're reading an &lt;a href="http://blogs.verisign.com/ssl-blog/"&gt;SSL Blog&lt;/a&gt; like this one, you probably already have heard that &lt;a href="http://developer.mozilla.org/devnews/index.php/2008/06/11/coming-tuesday-june-17th-firefox-3/"&gt;Firefox 3 is due for release tomorrow&lt;/a&gt;.  What you may not have heard is that &lt;a href="http://www.opera.com/download/get.pl?id=31381&amp;thanks=true&amp;sub=true"&gt;Opera 9.5 is released and available for download now&lt;/a&gt;.  Adding these to Internet Explorer 7, in two days the industry has tripled the number of browsers compatible with &lt;a href="https://www.verisign.com/ssl/ssl-information-center/extended-validation-ssl-certificates/index.html"&gt;EV SSL&lt;/a&gt;.  &lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/06/the_list_of_ev_compatible_brow.html</feedburner:origLink></entry>
<entry>
    <title>Greetings from the AOTA Summit</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/306157517/greetings_from_the_aota_summit.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=945" title="Greetings from the AOTA Summit" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.945</id>
    
    <published>2008-06-06T15:56:25Z</published>
    <updated>2008-06-06T16:00:40Z</updated>
    
    <summary>I'm here at the AOTA (Authentication and Online Trust Alliance) Summit, and we've had a very lively and informative two days. In particular there were two highlights for me. One was my panel discussion on Extended Validation SSL Certificates, which...</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Events" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;I'm here at the &lt;a href="https://www.ustechsregister.com/aota/main.aspx"&gt;AOTA (Authentication and Online Trust Alliance) Summit&lt;/a&gt;, and we've had a very lively and informative two days.  In particular there were two highlights for me.  One was my panel discussion on &lt;a href="https://www.verisign.com/ssl/ssl-information-center/faq/extended-validation-ssl-certificates.html"&gt;Extended Validation SSL Certificates&lt;/a&gt;, which I shared with PayPal CISO Michael Barrett.  Michael is firmly convinced that EV SSL has been an asset to PayPal's combat against online fraud as well as a driver of improvement in business metrics.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
The second high point is that &lt;a href="https://www.verisign.com/ssl/index.html"&gt;VeriSign&lt;/a&gt; received the &lt;a href="http://www.tradingmarkets.com/.site/news/Stock%20News/1663684/"&gt;AOTA 2008 Safety Leadership Award&lt;/a&gt;.  I had the good fortune to collect the award, and as I said to the room at the time, to receive that compliment from such a capable and informed community engaged in such an important and noble goal is an honor indeed.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/06/greetings_from_the_aota_summit.html</feedburner:origLink></entry>
<entry>
    <title>See me speak at Discover YouTube</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/305696875/see_me_speak_at_discover_youtu.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=944" title="See me speak at Discover YouTube" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.944</id>
    
    <published>2008-06-06T01:20:24Z</published>
    <updated>2008-06-06T01:30:06Z</updated>
    
    <summary>I will be speaking at the Discover YouTube event in San Bruno, California on Monday, June 9. I will be discovering VeriSign's award-winning Cart Whisperer campaign. If you're coming to the event, make sure to introduce yourself....</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Cart whisperer" />
            <category term="Events" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;I will be speaking at the &lt;a href="http://services.google.com/events/discover_youtube_2008"&gt;Discover YouTube&lt;/a&gt; event in San Bruno, California on Monday, June 9.  I will be discovering &lt;a href="https://www.verisign.com/ssl/index.html"&gt;VeriSign&lt;/a&gt;'s &lt;a href="https://blogs.verisign.com/ssl-blog/2008/06/the_cart_whisperer_nominated_o.html"&gt;award-winning Cart Whisperer campaign&lt;/a&gt;.  If you're coming to the event, make sure to introduce yourself.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/06/see_me_speak_at_discover_youtu.html</feedburner:origLink></entry>
<entry>
    <title>Massive Japanese EV banking deployment</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/305591175/massive_japanese_ev_banking_de.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=943" title="Massive Japanese EV banking deployment" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.943</id>
    
    <published>2008-06-05T18:31:20Z</published>
    <updated>2008-06-05T22:19:14Z</updated>
    
    <summary>One thing I've been meaning to write about for a while now is NTT Data's deployment of EV SSL across 80 Japanese banks. Because of the relationship this ASP has with its customer banks, NTT Data can affect EV SSL...</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Extended Validation SSL" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;One thing I've been meaning to write about for a while now is &lt;a href="http://www.thewhir.com/marketwatch/050108_NTT_Data_Deploys_EV_SSL_at_80_Banks.cfm"&gt;NTT Data's deployment of EV SSL across 80 Japanese banks&lt;/a&gt;.  Because of the relationship this ASP has with its customer banks, NTT Data can effect &lt;a href="https://www.verisign.com/ssl/ssl-information-center/faq/extended-validation-ssl-certificates.html"&gt;EV SSL&lt;/a&gt; deployment across this huge number of online banks simultaneously.  The Japanese banking industry has been a strong user of EV SSL, including early deployment by leaders like &lt;a href="https://direct.smbc.co.jp/aib/aibgsjsw5001.jsp"&gt;SMBC&lt;/a&gt; and &lt;a href="https://o2o.moneykit.net/NBG100001G01.html"&gt;Sony Bank&lt;/a&gt;.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/06/massive_japanese_ev_banking_de.html</feedburner:origLink></entry>
<entry>
    <title>The Cart Whisperer nominated one of MarketingSherpa's Top 10 Viral Campaigns for 2008</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/304086905/the_cart_whisperer_nominated_o.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=941" title="The Cart Whisperer nominated one of MarketingSherpa's Top 10 Viral Campaigns for 2008" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.941</id>
    
    <published>2008-06-04T00:10:48Z</published>
    <updated>2008-06-04T00:18:57Z</updated>
    
    <summary>I think the headline says it all. MarketingSherpa has selected Liberty Fillmore and his avocation of cart rescuology as one of the ten viral campaigns in its Hall of Fame 2008. In other news, Liberty Fillmore the Cart Whisperer is...</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Cart whisperer" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;I think the headline says it all.  &lt;a href="http://www.marketingsherpa.com/viralawards2008/7.html"&gt;MarketingSherpa has selected Liberty Fillmore and his avocation of cart rescuology&lt;/a&gt; as one of the ten viral campaigns in its &lt;a href="http://www.marketingsherpa.com/article.php?ident=30625"&gt;Hall of Fame 2008&lt;/a&gt;.  &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
In other news, &lt;a href="http://www.youtube.com/watch?v=8-B9zLwm5MY"&gt;Liberty Fillmore the Cart Whisperer is back in his latest film&lt;/a&gt;.  Be sure to check it out.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/06/the_cart_whisperer_nominated_o.html</feedburner:origLink></entry>
<entry>
    <title>So how does EV SSL protect against the classic phish?</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/303165350/so_how_does_ev_ssl_protect_aga.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=813" title="So how does EV SSL protect against the classic phish?" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.813</id>
    
    <published>2008-06-02T16:41:04Z</published>
    <updated>2008-06-02T19:48:08Z</updated>
    
    <summary>I recently wrote an entry in which I stated that EV SSL is a powerful mitigator against the classic phishing attack. I have received an e-mail asking me to explain how I know that to be the case. Happy to...</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Extended Validation SSL" />
            <category term="Phishing" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;I recently wrote an entry in which I stated that EV SSL is a powerful mitigator against the classic phishing attack.  I have received an &lt;a href="mailto:thesslblog@gmail.com"&gt;e-mail&lt;/a&gt; asking me to explain how I know that to be the case.  Happy to oblige.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
If you were a reader of &lt;a href="http://blogs.verisign.com/ssl-blog/"&gt;The SSL Blog&lt;/a&gt; a little over a year ago when &lt;a href="https://www.verisign.com/ssl/index.html"&gt;VeriSign&lt;/a&gt; premiered the &lt;a href="https://www.verisign.com/ssl/ssl-information-center/faq/extended-validation-ssl-certificates.html"&gt;Extended Validation SSL Certificate&lt;/a&gt;, you know about the Tec-Ed research.  For newer readers or in case we all don't exactly remember how it went, here's a recap.&lt;/p&gt;
        &lt;p&gt;Usability research firm Tec-Ed created a pair of usage scenarios for test subjects to go through.  Each subject was asked to walk through simulated purchasing scenarios on a pair of fabricated but convincing consumer electronics online retailers.  One retailer displayed the browser interface conventions of an EV certificate, while the other did not.  Since IE7 was the only browser to support EV at the time, Tec-Ed performed the tests using images of that browser.&lt;/p&gt;

&lt;p&gt;Tec-Ed gathered feedback from the subjects about these two sites and the browser interface conventions.  &lt;a href="https://www.verisign.com/static/040655.pdf"&gt;The full Tec-Ed writeup is here&lt;/a&gt;, and there were lots of interesting data the testing company found, but I'll focus on a couple of them here.&lt;/p&gt;

&lt;p&gt;First, 100% of test subjects noticed whether or not a green bar was present on the site.  That's important because of course the green address bar is only present when an EV certificate is on the site.  And that's important because the EV certificate depends on a high level of authentication that so far has proven immune to trickery by the online fraud community.  Therefore the presence of a green bar is a highly visible indicator of a site's authenticity, certainly a useful tool for any participant in the online world.&lt;/p&gt;

&lt;p&gt;Second and more interestingly, 77% of test subjects stated that they would be reluctant to proceed on a site that had previously displayed a green bar and now no longer did so.  Let me interpret this statistic and what it means.  A popular bank stands up EV on its site.  A certain customer (let's call him Sam) uses Internet Explorer 7 to visit this site in order to check his balance, pay his bills, make stock trades, and the like.  Since 100% of site visitors notice the EV interface conventions in IE7, we can rely on the fact that Sam sees the green address bar and the name of his bank in the chrome of the browser.&lt;/p&gt;

&lt;p&gt;Now, one day Sam receives an e-mail that appears to be from his bank.  It states that there has been suspicious activity on the account and for his own protection the account has been frozen.  It includes a link he can use to unfreeze the account.  In a panic Sam clicks on the link and accesses a Web page that appears to be from his bank, a page containing form fields asking for his login ID and password.&lt;/p&gt;

&lt;p&gt;You and I know it's a phishing page.  Ordinarily Sam may or may not clue in as well, but the fact that he already clicked on a link in the e-mail puts him in grave danger of falling for the rest of the scam.  However, you may recall that Sam's bank has already used EV to demonstrate its identity unambiguously to him.  We know from the Tec-Ed research that there's a 77% chance of Sam stopping and thinking before proceeding at this point.  Before proceeding to give his login to an online criminal.&lt;/p&gt;

&lt;p&gt;Now, had it been a real communication from the bank (and many banks won't even send a message like this one, but let's set that aside), the bank would have included EV on the login page, and therefore Sam would have seen the green address bar he expects to see and the name of his bank at the top of his browser.  And thus Sam would have been able to proceed with this business worry free.&lt;/p&gt;
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/06/so_how_does_ev_ssl_protect_aga.html</feedburner:origLink></entry>
<entry>
    <title>Debian Web seminar</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/297465006/debian_web_seminar.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=932" title="Debian Web seminar" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.932</id>
    
    <published>2008-05-25T00:58:01Z</published>
    <updated>2008-05-25T01:00:02Z</updated>
    
    <summary>VeriSign SSL principal architect Rick Andrews and I recently gave this Web seminar explaining the Debian Open SSL flaw and what to do about it....</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Debian" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;&lt;a href="https://www.verisign.com/ssl/index.html"&gt;VeriSign SSL&lt;/a&gt; principal architect Rick Andrews and I recently gave this &lt;a href="https://verisignevents.webex.com/ec0509l/eventcenter/recording/recordAction.do?theAction=poprecord&amp;confViewID=998002&amp;rnd=3758794062&amp;siteurl=verisignevents&amp;servicename=EC&amp;recordKey=B1D9E0A632BE053EA05327A2EBA161E1D0F2BCA6211C51C5D587E8946E6F7741&amp;RecordingID=998002&amp;AT=VR&amp;needFilter=false"&gt;Web seminar explaining the Debian Open SSL flaw and what to do about it.&lt;/a&gt;&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/05/debian_web_seminar.html</feedburner:origLink></entry>
<entry>
    <title>Some more coverage of the Debian OpenSSL flaw</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/296749517/some_more_coverage_of_the_debi.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=931" title="Some more coverage of the Debian OpenSSL flaw" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.931</id>
    
    <published>2008-05-23T18:29:31Z</published>
    <updated>2008-05-23T19:25:37Z</updated>
    
    <summary>There's been a great deal of press and blogging around the Debian OpenSSL flaw, most of which has simply explained the basic facts as already reported on The SSL Blog. Here are a few articles that take it in a different direction....</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Debian" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;There's been a great deal of press and blogging around &lt;a href="https://blogs.verisign.com/ssl-blog/2008/05/the_debian_keypairs_security_f.html"&gt;the Debian OpenSSL flaw&lt;/a&gt;, most of which has simply explained the basic facts as already reported on &lt;a href="https://blogs.verisign.com/ssl-blog/"&gt;The SSL Blog&lt;/a&gt;.  Here are a few articles that take it in a different direction.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;a href="http://www.networkworld.com/community/node/28025"&gt;Network World has commentary on VeriSign's specific response to the Debian OpenSSL security flaw.&lt;/a&gt;  Blush.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;a href="http://www.eweek.com/c/a/Security/So-Your-Private-Key-Has-Been-Compromised/?kc=EWKNLSTE052208FEA1"&gt;eWeek's Larry Seltzer explains some of the real-world risks of this flaw.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;a href="http://taint.org/2008/05/16/165301a.html"&gt;taint.org shares a caclulation about how quickly one could detect Debian-tainted (get it?) SSH keys.&lt;/a&gt;&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/05/some_more_coverage_of_the_debi.html</feedburner:origLink></entry>
<entry>
    <title>H&amp;R Block goes green in Canada</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/294628607/hr_block_goes_green.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=926" title="H&amp;R Block goes green in Canada" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.926</id>
    
    <published>2008-05-21T00:05:18Z</published>
    <updated>2008-05-21T00:15:16Z</updated>
    
    <summary>Well it finally happened. Not in time for the tax season, but it finally happened that a leading tax site has deployed EV SSL. The site in question is the Canadian branch of H&amp;R Block. I'm very happy to see...</summary>
    <author>
        <name>Tim</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;Well it finally happened.  Not in time for the tax season, but it finally happened that a leading tax site has deployed &lt;a href="https://www.verisign.com/ssl/ssl-information-center/faq/extended-validation-ssl-certificates.html"&gt;EV SSL&lt;/a&gt;.  The site in question is &lt;a href="https://hrblock.onlinetaxes.ca/hrbeng/loginpage.asp"&gt;the Canadian branch of H&amp;R Block&lt;/a&gt;.  I'm very happy to see that because as I've written in the past, &lt;a href="https://blogs.verisign.com/ssl-blog/2007/04/tax_phishing_takes_off.html"&gt;tax returns are chock full of personally identifiable information&lt;/a&gt; that an identity thief would love to possess.  This year we have seen some &lt;a href="https://blogs.verisign.com/ssl-blog/2008/01/its_tax_time_again_and_green_b.html"&gt;EV adoption among online tax filing sites such as FileYourTaxes.com&lt;/a&gt;.  Well, now H&amp;R Block is on board, and we should anticipate that the rest of the online filing world is not far behind.  I expect next year's tax season to be very green.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/05/hr_block_goes_green.html</feedburner:origLink></entry>
<entry>
    <title>Dilbert on random number generation</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/294354883/dilbert_on_random_number_gener.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=928" title="Dilbert on random number generation" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.928</id>
    
    <published>2008-05-20T16:24:53Z</published>
    <updated>2008-05-20T16:29:42Z</updated>
    
    <summary>Let's put a lighter note on the Debian key-pairs security flaw. Check out this Dilbert strip....</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Debian" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;Let's put a lighter note on &lt;a href="https://blogs.verisign.com/ssl-blog/2008/05/the_debian_keypairs_security_f.html"&gt;the Debian key-pairs security flaw&lt;/a&gt;.  Check out &lt;a href="http://dilbert.com/strips/comic/2001-10-25/"&gt;this Dilbert strip&lt;/a&gt;.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/05/dilbert_on_random_number_gener.html</feedburner:origLink></entry>
<entry>
    <title>Actually, I forgot about GE Money Bank</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/293826130/actually_i_forgot_about_ge_mon.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=925" title="Actually, I forgot about GE Money Bank" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.925</id>
    
    <published>2008-05-19T23:47:21Z</published>
    <updated>2008-05-20T00:00:06Z</updated>
    
    <summary>In my posting from earlier today, I stated that three of the world's four largest businesses use EV SSL. Well, I'm wrong. You see, #2 on the Forbes list is GE. GE is the owner of GE Money Bank, a...</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Extended Validation SSL" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;In my posting from earlier today, &lt;a href="https://blogs.verisign.com/ssl-blog/2008/05/bank_of_america_deploys_extend.html"&gt;I stated that three of the world's four largest businesses use EV SSL&lt;/a&gt;.  Well, I'm wrong.  You see, #2 on &lt;a href="http://www.forbes.com/lists/2008/18/biz_2000global08_The-Global-2000_Rank.html"&gt;the Forbes list&lt;/a&gt; is GE.  GE is the owner of GE Money Bank, a significant worldwide bank without a big footprint in the US.  And of course, &lt;a href="https://ibs.internetbanka.cz/ibs31/ControllerServlet"&gt;GE Money Bank has EV&lt;/a&gt;.   So that makes it the world's four largest companies that protect their customers with &lt;a href="https://www.verisign.com/ssl/ssl-information-center/faq/extended-validation-ssl-certificates.html"&gt;EV SSL.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Here the inevitable bias of one's own home geography comes into play.  I apologize to my neighbors in other parts of the world for forgetting about GE Money.  It is a bank that matters to a lot of people, and it certainly is very important.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/05/actually_i_forgot_about_ge_mon.html</feedburner:origLink></entry>
<entry>
    <title>Bank of America deploys Extended Validation SSL</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/293794843/bank_of_america_deploys_extend.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=924" title="Bank of America deploys Extended Validation SSL" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.924</id>
    
    <published>2008-05-19T20:27:19Z</published>
    <updated>2008-05-19T22:53:19Z</updated>
    
    <summary>Bank of America, the world's third largest company, has deployed EV SSL on its personal banking site. And you may have noticed that HSBC has done the same thing. That matters because HSBC is the largest company in the world...</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Extended Validation SSL" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;Bank of America, &lt;a href="http://www.forbes.com/lists/2008/18/biz_2000global08_The-Global-2000_Rank.html"&gt;the world's third largest company&lt;/a&gt;, has deployed EV SSL on &lt;a href="https://sitekey.bankofamerica.com/sas/signonScreen.do?state=CA"&gt;its personal banking site&lt;/a&gt;.  And you may have noticed that &lt;a href="https://www.hsbc.co.uk/1/2/"&gt;HSBC has done the same thing&lt;/a&gt;.  That matters because HSBC is the largest company in the world according to Forbes.  And JP Morgan Chase is the fourth largest, which is noteworthy considering that &lt;a href="https://secure.paymentech.com/login/log_log_page.jsp?CTAuthMode=BASIC&amp;CT_ORIG_URL=https%3A%2F%2Fsecure.paymentech.com%3A443%2Fportal%2F&amp;ct_orig_uri=%2Fportal%2F"&gt;Chase also recently deployed EV&lt;/a&gt;.  So, three of the four largest companies in the world are protecting their customers with &lt;a href="https://www.verisign.com/ssl/ssl-information-center/faq/extended-validation-ssl-certificates.html"&gt;Extended Validation SSL&lt;/a&gt;.  All the way down at number nine we see ING Group, which has &lt;a href="https://secure.ingdirect.co.uk/InitialINGDirect.html?command=displayLogin&amp;device=web&amp;locale=en_GB&amp;uid=1211233748883740135"&gt;EV SSL on its ING Direct sites&lt;/a&gt;.  So that makes it the four largest banks in the world using EV SSL.&lt;/p&gt;

&lt;p&gt;When you look at these facts together, I dare to venture that the Bank of America deployment marks the crossing of a threshold.  We've crossed over from the era where EV SSL represents a potential advantage for businesses and into an era where it is expected and the lack of EV SSL is a &lt;em&gt;dis&lt;/em&gt;advantage.  The market leaders have embraced it in an unambiguous way.  Those customers who haven't already will quickly learn to see it as a minimum requirement.  That means we're out of the early adopter part of the adoption curve and into the mainstream.&lt;/p&gt;

&lt;p&gt;Where is your business on this curve?&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/05/bank_of_america_deploys_extend.html</feedburner:origLink></entry>
<entry>
    <title>Free reissuance for code signing also</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/291923176/free_reissuance_for_code_signi.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=920" title="Free reissuance for code signing also" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.920</id>
    
    <published>2008-05-16T22:52:22Z</published>
    <updated>2008-05-19T23:04:09Z</updated>
    
    <summary>In yesterday's posting on the Debian security hole and VeriSign's response, I neglected to mention that we will be offering free reissuance for code signing certificates just as we will for SSL....</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Code signing" />
            <category term="Debian" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;In yesterday's posting on &lt;a href="https://blogs.verisign.com/ssl-blog/2008/05/the_debian_keypairs_security_f.html"&gt;the Debian security hole and VeriSign's response&lt;/a&gt;, I neglected to mention that we will be offering free reissuance for &lt;a href="https://www.verisign.com/products-services/security-services/code-signing/index.html"&gt;code signing certificates&lt;/a&gt; just as we will for &lt;a href="https://www.verisign.com/ssl/ssl-information-center/index.html"&gt;SSL&lt;/a&gt;.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/05/free_reissuance_for_code_signi.html</feedburner:origLink></entry>
<entry>
    <title>The Debian key-pairs security flaw</title>
    <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/VerisignTimCallanSSLBlog/~3/291471209/the_debian_keypairs_security_f.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=3/entry_id=919" title="The Debian key-pairs security flaw" />
    <id>tag:blogs.verisign.com,2008:/ssl-blog//3.919</id>
    
    <published>2008-05-16T07:08:45Z</published>
    <updated>2008-05-16T23:04:46Z</updated>
    
    <summary>Big news broke earlier this week when a security researcher revealed that all key pairs generated on a rather broad set of Linux platforms are extremely crackable, resulting in the complete loss of a secure profile for any associated certificate....</summary>
    <author>
        <name>Tim</name>
        
    </author>
            <category term="Debian" />
    
    <content type="html" xml:lang="en" xml:base="https://blogs.verisign.com/ssl-blog/">
        &lt;p&gt;Big news broke earlier this week when &lt;a href="http://www.zdnet.com.au/news/security/soa/Debian-and-Ubuntu-OpenSSL-generates-useless-crypto-keys/0,130061744,339289012,00.htm?feed=generic"&gt;a security researcher revealed that all key pairs generated on a rather broad set of Linux platforms are extremely crackable&lt;/a&gt;, resulting in the complete loss of a secure profile for any associated certificate.  VeriSign has confirmed that &lt;strong&gt;all &lt;/strong&gt;trusted roots and intermediates from all brands of digital certificate provided by the company (&lt;a href="http://www.verisign.com/ssl/index.html"&gt;VeriSign&lt;/a&gt;, &lt;a href="http://www.thawte.com/"&gt;thawte&lt;/a&gt;, &lt;a href="http://www.geotrust.com/"&gt;GeoTrust&lt;/a&gt;, and &lt;a href="http://www.rapidssl.com/index_ssl.htm"&gt;RapidSSL&lt;/a&gt;) are &lt;strong&gt;unaffected&lt;/strong&gt;.  Note that this potential problem exists for any application that uses key pairs, which in addition to &lt;a href="https://www.verisign.com/ssl/ssl-information-center/index.html"&gt;SSL&lt;/a&gt; includes the likes of SSH and &lt;a href="https://www.verisign.com/products-services/security-services/code-signing/index.html"&gt;code signing&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;However, with &lt;a href="http://www.verisign.com/press_releases/pr/page_043707.html"&gt;more than a million active SSL Certificates&lt;/a&gt; (first time ever for this milestone, by the way), it is a sure thing that some VeriSign customers will have generated the key pairs for their individual certificates on one of the systems in question.  Those systems are versions of the Debian operating system and its derivatives (such as Ubuntu) released between September 17, 2006 and May 12, 2008, unless an appropriate patch has been installed to rectify this problem.  Even after that patch is installed, key pairs created prior to patching continue to be unsafe.  The only solution is to revoke and replace the tainted certificates.&lt;/p&gt;

&lt;p&gt;To facilitate this security update and help ensure the continued trustworthiness of the e-commerce infrastructure, for a limited time VeriSign will be offering FREE revocation and replacement for all active VeriSign, thawte, GeoTrust, and RapidSSL SSL Certificates.  Ordinarily revocation and replacement is free for a period of time and then can involve a fee for the remainder of the certificate's lifespan.  Since the security error lies not with the end customers but with the operating system vendors in question, and since the continued security of the World Wide Web is of utmost importance, we will be temporarily waiving our fees on this activity.&lt;/p&gt;

&lt;p&gt;VeriSign has robust revocation and replacement functionality available to its customers.&lt;br /&gt;
&lt;a href="http://www.verisign.com/ssl/current-ssl-customers/manage-ssl-certificates/index.html#revoke"&gt;For VeriSign branded SSL Certificates, you can access that functionality here.&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.thawte.com/reissue/?click=buyssl-buttonsleft"&gt;thawte customers can reissue certificates here.&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.geotrust.com/resources/cert_reissuance/index.asp"&gt;GeoTrust customers can reissue certificates here.&lt;/a&gt;&lt;br /&gt;
&lt;a href="https://products.geotrust.com/geocenter/reissuance/reissue.do"&gt;RapidSSL customers can reissue certificates here.&lt;/a&gt;&lt;br /&gt;
We're still implementing the free replacement functionality on some of our certificate brands.  It should be in place shortly.&lt;/p&gt;

&lt;p&gt;We have not yet evaluated whether or not the trusted roots of other CAs are similarly free of compromise.  For the continued security of online business worldwide, we recommend the owners of all such certificates scrutinize them immediately to determine whether or not they are safe for continued use.  Likewise, we recommend the immediate investigation of all self-signed CAs for similar vulnerability.  Site operators should contact their CA to determine whether or not its trusted roots and intermediates were generated on Debian or derivative operating systems.  If the CA's roots prove to be compromised by this security flaw, the recommended practice is for the site operator to immediately discontinue use of those certificates and replace them with certificates from another, uncompromised CA.&lt;/p&gt;
        
    </content>
<feedburner:origLink>https://blogs.verisign.com/ssl-blog/2008/05/the_debian_keypairs_security_f.html</feedburner:origLink></entry>

</feed>
