20061224

Web 'safe' mark may elude new merchants

NEW YORK - As an online shopper, Claudia Race knows she must look out for scams. So as an Internet entrepreneur working out of her home in New Braunfels, Texas, Race wants to use all the tools available to assure customers they can trust the vacation-rentals service she is about to launch.

But because her small business is so new, Race said she might not qualify for the online seals of approval that Overstock.com Inc. and other larger, established companies are getting, which instruct Microsoft Corp.'s Internet Explorer browser to display a green address bar signaling "safe" when people visit their sites.

"It would put me at a disadvantage," Race said. "I do not want anyone to have any questions, hesitate or have any fear factor. They have to know that I didn't just go grab a logo from somewhere and stick it on my site. I want them to know I'm a legitimate business."

What she's seeking is an extended-validation certificate, a response to the plethora of "phishing" attacks in which scam artists try to steal sensitive data by mimicking the Web site of a large bank or merchant.

Once Microsoft activates the feature in version 7 of Internet Explorer in late January, a green bar will appear when the browser sees an EV certificate, usually during a transaction or login. The tool complements a newly launched filter that displays a red warning for known phishing sites and yellow for suspicious ones.

"EV does not authenticate that your plasma TV is going to show up or that it won't have a crack through it," said Tim Callan, director of product marketing for VeriSign Inc., which issued its first EV certificate to Overstock this month.

Rather, Callan said, the EV certificate will tell consumers that the business does exist and operates at the location it says it does.

That's because VeriSign and its competitors will be required to perform extensive checks to verify that the business is legally recognized by a government agency and that the address registered for the certificate is valid, such as by matching it with a government filing or visiting the business in person.

Certificate issuers also must make sure that the company owns the domain name and that the individual requesting the certificate is authorized.

So a scammer can't register from overseas a domain name at "paypa1.com" — with a numeral "1" instead of letter "l" — and buy an EV certificate saying it is the eBay Inc. online payment service.

The certificate issuer would discover the person requesting it doesn't really work for eBay after obtaining eBay's contact information through independent means and asking directly, said Paulo Kaiser, vice president of operations for certificate vendor Comodo.
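The "paypa1.com" trick above is exactly the gap that a domain-validated certificate leaves open: the issuer checks only that the applicant controls the name, not whether the name imitates someone else's brand. The following is an added example, not code from the article, from any browser vendor or from any certificate issuer, of the kind of lookalike check a registrar, certificate authority or fraud team can run over new names. It maps visually confusable characters (the digit "1" for "l", "0" for "o", "rn" for "m", and a handful of Cyrillic homoglyphs that reach browsers through punycode "xn--" labels) to the letters they imitate, then compares the result against a list of protected brands, catching one-character typos as well. The brand list and the confusable tables are constructed for illustration, and the example goes slightly beyond the article by handling internationalized domain names.

```python
"""Lookalike-domain check (added example; brand list and tables are constructed)."""

# Constructed list of brands an issuer might protect.
PROTECTED_DOMAINS = ["paypal.com", "ebay.com", "overstock.com"]

# Multi-character sequences that read as one letter; applied before the
# single-character map so "rn" becomes "m" rather than "m" + "n".
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}

# Single characters that read as another letter: the digit/letter swaps
# from the article plus common Cyrillic homoglyphs used in IDN attacks.
CONFUSABLE_CHARS = {
    "1": "l", "0": "o", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def decode_idn(domain):
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs are visible."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)


def skeleton(label):
    """Normalise a label so visually similar spellings collapse together."""
    text = label.lower().replace("-", "")
    for seq, repl in CONFUSABLE_SEQUENCES.items():
        text = text.replace(seq, repl)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)


def levenshtein(a, b):
    """Edit distance, for catching one-character typosquats such as 'paypl'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'paypa1' from 'www.paypa1.com'.

    Assumes a single-label public suffix ('.com'); a real deployment would
    consult the Public Suffix List to handle names like 'example.co.uk'.
    """
    parts = decode_idn(domain.strip().rstrip(".")).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return (brand, reason) if `domain` imitates a protected brand, else None."""
    label = registrable_label(domain)
    for brand in protected:
        brand_label = registrable_label(brand)
        if label == brand_label:
            return None  # the brand's own name; nothing to flag
        if skeleton(label) == brand_label:
            return (brand, "confusable")
        if levenshtein(skeleton(label), brand_label) <= max_distance:
            return (brand, "typo")
    return None


if __name__ == "__main__":
    for name in ["paypa1.com", "www.overst0ck.com", "paypl.com",
                 "p\u0430ypal.com", "ebay.com", "madleap.com"]:
        print(name, "->", lookalike_of(name))
```

A hit from this check is a reason for a human to look at the applicant, not a verdict on its own; legitimate names such as "rnstore.com" will also collapse under the skeleton mapping, which is why EV pairs automated checks with verification of the business behind the name.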

In the early days of e-commerce, merchants simply needed a standard security certificate for browsers to display a closed padlock. The makers of the Netscape browser, now owned by Time Warner Inc.'s AOL, developed the Secure Sockets Layer technology in the mid-90s, and many online shoppers over time knew to look for it.

Companies known as certification authorities once routinely performed a series of checks to make sure sites were really what they said they were.

But newer authorities have tried to cut costs and corners by checking only that the applicant controls the domain name — not the identity of the business said to run on that domain, security experts say. Scam artists — needing only a credit card and a domain name — have exploited the loophole to obtain the certificates necessary to appear legitimate.

Enter the Certification Authority/Browser Forum, a group of certificate issuers and browser manufacturers desiring to restore trust in the certificates.

Since its formation nearly two years ago, the forum has been hashing out standards that merchants and banks must meet to obtain EV certificates.

Those that fail could get only the regular certificates, for which the IE browser's address bar would remain white — just like most other sites, good or bad. Over time, Microsoft and others hope Internet users would know to look for a green bar, just like the padlock.

But the forum has figured out how to validate only larger companies, the ones incorporated by a government agency and thus listed in its databases. General partnerships, unincorporated associations, sole proprietorships and individuals are currently excluded.

Race, the Texas businesswoman, falls in between. Although her MadLeap.com was registered as a limited liability company in Delaware, it's so new that it might not appear in enough databases, making her business difficult to verify, according to officials at Comodo.

Smaller and newer companies could lose business if consumers leave for larger, established merchants with green bars.

"It is the small merchants who really need the ability to say, `I am trusted. Come and do business with me,'" said Melih Abdulhayoglu, chief executive of Comodo. "The big guys who have the brands already have established trust because of brand awareness."

Comodo was among the companies that helped reject the draft guidelines in November, preferring to wait until the group could figure out how to validate smaller merchants.

But Microsoft announced it was moving forward anyhow, saying green bars would start to appear in late January. Comodo and other vendors responded by starting to sell the EV certificates to the larger companies — for hundreds of dollars more than regular certificates to cover the validation costs.

Markellos Diorinos, a product manager with Microsoft, said most phishing scams have mimicked the Web sites of larger banks and companies anyway.

"The current version of the EV guidelines ... probably covers most if not all of the phishing targets today," Diorinos said. "We felt we have a good technology and should get the technology out to consumers as soon as possible."

Diorinos added that smaller merchants not covered still could get EV certificates through a third-party payment processor that is verified.

Microsoft will recognize certificates only from authorities that are independently audited, details for which are spelled out in the 65-page draft guidelines.

Mozilla's Firefox and Opera Software ASA's Opera browsers also will eventually recognize EV certificates, though their makers committed to no timetable. Until then, an EV certificate would trigger a closed padlock like regular certificates, nothing more.

Window Snyder, Mozilla's chief security officer, said developers were trying to figure out the best way to highlight an EV-certified site — whether it's through a green bar or another means.

Unlike on previous occasions when Microsoft moved forward with technologies before standards were ready, few criticized the Redmond, Wash., software company's move this time, noting that the technical portions of the standards have largely been agreed upon. What's left deals mostly with procedures — how to validate smaller merchants.

Comodo believes it could be done within two months; VeriSign worries it could take longer and is reluctant to wait.

"It's unfortunate that it's not extended as far as it is right up front, but given the fact that identity theft is a very real thing, consumers need better tools in order to have confidence," said Greg Hughes, chief security executive with Corillian Corp., a provider of online banking technology. "This is the right thing to do and now is the right time to do it."
