Posted by: kurtsh | January 24, 2008

INFO: IE 7.0, Extended Validation SSL certs, & why your company should purchase one

This is a message sent to me from Craig Spiezle, Director of Online Security and Safety for Microsoft Internet Explorer, on the topic of Extended Validation SSL certificates. 

It’s a very interesting read, being that online fraud is becoming increasingly rampant, and this is a great way to mitigate much of this risk to consumers.

Internet Explorer integrates dynamic Phishing protection and support of the emerging Extended Validation SSL Certificate program, as just two of several investments to help protect users, their data, their PC and their privacy.

The Microsoft Phishing Filter provides dynamic protection from known phishing sites and blocks nearly 1 million exploits each and every week. This is an opt-in service that operates in the background and provides an early warning system to notify users of both suspicious websites that could be engaging in identity and data theft, as well as those confirmed to be phishing sites. By design, user privacy has been at the forefront of this service and verified by third party audits that no personal information is collected by Microsoft or any third party.[1] It relies on browser-based heuristics to analyze Web pages in real time and warn users about suspicious characteristics as they browse. This client-side technology is combined with dynamically updated information that helps prevent users from interacting with confirmed phishing sites reported to Microsoft by a network of third-party data-provider partners and a community of users who help provide information on potential and confirmed phishing sites.

However, phishers have also been able to obtain ‘valid’ SSL certificates for their spoofed sites. Looking for that gold padlock icon is important, but without the identity information users can end up sending their personal information to the wrong website. Historically one way users used to help answer that question was the SSL padlock (the gold lock), which was the only indication of any security whatsoever. While helpful, SSL only means that I have an encrypted connection to someone. So someone with malicious intent could set up a site that closely copied the look and URL of a legitimate business, get an SSL cert, and try to fool users into giving them sensitive personal information via a phishing or social engineering attack.

Responding to these threats, the CA/Browser Forum has developed the new Extended Validation SSL Certificates or EV SSL. EV SSL leverages proven SSL technology, and adds a new process for vetting the identity of the business that is requesting the certificate, offering an improved level of authentication for securing transactions on their Web sites. Given the standardization and rigorousness of the process used, users can realize a higher level of online trust and confidence.

Internet Explorer 7 is the first browser to fully support EV SSL, and here’s what that looks like (in this instance when visiting You will notice that the address bar turns green, to notify users about the available identity information, and the name and country of the business are shown right there on the address bar (here “Microsoft Corporation [US]”). If a user wants to see more information about the company behind a website, he can simply click on the name of the company – the identification popup immediately shows the name and address of said company.


This is great news for Internet users: they now have an easy and reliable way to verify that they are on the correct site, and they don’t have to worry as much about phishing attacks or deceptive websites, as long as EV SSL is used. Furthermore, when they are transacting with a new website that uses EV SSL (say one they found through, they can easily identify the company behind the website, which helps them legally pursue their claim if the site doesn’t deliver as promised, helping add an element of accountability to the web. Remember that most sites will use a secure connection (https://, that will show you the green bar if they are using EV SSL), only when you are about to exchange sensitive information, such as when you login, or are about to check out your cart. If you wonder about the different colors of the address bar and how to use them in making trust decisions, you will find this description of the Internet Explorer 7 Security Status Bar helpful.

Today nearly 3,500 sites are now protecting their customers with EV SSLs, including Alaska Airlines, AutoZone, British Airways, eBay, FedEx, PayPal, Microsoft, Royal Doulton, The Body Shop UK, and Travelocity. In addition, leading financial services have been quickly adopting worldwide, including the Banque National du Canada, Charles Schwab, Deutsche Bank, SunLife, Sovereign Bank, UBS, and Vanguard. While the Microsoft Phishing Filter and EV SSLs alone will not solve all of the internet’s ills, combined they are an important step to protect brands and consumers alike.

[1] Third Party audit performed by Jefferson Wells.  More information is available at
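
The distinction the message draws between an encrypted connection and a vetted identity can be checked in code. The following is an added example, not part of the message or of any Microsoft code: it assumes certificates in the shape returned by Python's ssl.SSLSocket.getpeercert(), caller-supplied policy OIDs, and the CA/Browser Forum policy identifiers; the sample certificates and the names subject_fields, validation_level and identity_label are constructed for illustration. A browser additionally requires the chain to end at a root it trusts for EV, which is not checked here.

```python
# Added example. Certificates use the shape returned by Python's
# ssl.SSLSocket.getpeercert(); policy OIDs are passed separately because
# getpeercert() does not expose the certificatePolicies extension.
EV_POLICY = "2.23.140.1.1"    # CA/Browser Forum Extended Validation
OV_POLICY = "2.23.140.1.2.2"  # organization validated
DV_POLICY = "2.23.140.1.2.1"  # domain validated: no vetted identity

def subject_fields(cert):
    """Flatten the subject (a tuple of RDNs of (name, value) pairs)."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert, policy_oids):
    """Return 'EV', 'OV' or 'DV'; anything incomplete is treated as DV."""
    s = subject_fields(cert)
    has_org = bool(s.get("organizationName") and s.get("countryName"))
    # EV subjects also carry a registration number and business category.
    ev_fields = bool(s.get("serialNumber") and s.get("businessCategory"))
    if EV_POLICY in policy_oids and has_org and ev_fields:
        return "EV"
    if OV_POLICY in policy_oids and has_org:
        return "OV"
    return "DV"

def identity_label(cert, policy_oids):
    """Text for an identity indicator, or None when only encryption is known."""
    if validation_level(cert, policy_oids) != "EV":
        return None
    s = subject_fields(cert)
    return f'{s["organizationName"]} [{s["countryName"]}]'

# Constructed samples (not real certificates).
EV_SAMPLE = {"subject": (
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),),
    (("countryName", "US"),),
    (("organizationName", "Example Bank Ltd"),),
    (("commonName", "www.example-bank.test"),),
)}
LOOKALIKE_SAMPLE = {"subject": ((("commonName", "www.examp1e-bank.test"),),)}

if __name__ == "__main__":
    for cert, oids in ((EV_SAMPLE, [EV_POLICY]), (LOOKALIKE_SAMPLE, [DV_POLICY])):
        print(validation_level(cert, oids), identity_label(cert, oids))
```

Both sample sites would show a padlock; only the first yields an identity label, and a certificate that asserts the EV policy without the vetted subject fields is treated as domain-validated.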

