Microsoft Internet Explorer Extended Validation SSL Update


Craig Spiezle, Director of Online Security and Safety for Microsoft Internet Explorer. While I am new to this role, I’ve been at Microsoft for over 10 years, and very involved in usability and online safety, helping users realize their potential, while being confident that their data and privacy are maintained. In response to mounting online threats, Microsoft recently launched a $250,000 Sweepstakes communication to show users how Internet Explorer and innovative technologies can enhance online trust and confidence. Leveraging the stop light metaphor of red for stop and green for go, the interactive site demonstrates this to users, while providing them chances to win one of 25 $10,000 shopping sprees with PayPal. Visit the site today, download Internet Explorer 7 and enter to win: www.microsoft.com/ie/confidence

Hurry, entries must be received by January 31, 2008.

Internet Explorer integrates dynamic phishing protection and support for the emerging Extended Validation SSL Certificate program, two of several investments to help protect users, their data, their PC and their privacy.

The Microsoft Phishing Filter provides dynamic protection from known phishing sites and blocks nearly 1 million exploits each and every week. This is an opt-in service that operates in the background and provides an early warning system to notify users of both suspicious websites that could be engaging in identity and data theft, as well as those confirmed to be phishing sites. By design, user privacy has been at the forefront of this service, and third-party audits have verified that no personal information is collected by Microsoft or any third party.[1] It relies on browser-based heuristics to analyze Web pages in real time and warn users about suspicious characteristics as they browse. This client-side technology is combined with dynamically updated information that helps prevent users from interacting with confirmed phishing sites reported to Microsoft by a network of third-party data-provider partners and a community of users who help provide information on potential and confirmed phishing sites.

[1] http://www.jeffersonwells.com/client_audit_reports/Microsoft_PF_IE7_IEToolbarFeature_Privacy_Audit_20060728.pdf

However, phishers have also been able to obtain ‘valid’ SSL certificates for their spoofed sites. Looking for that gold padlock icon is important, but without the identity information users can end up sending their personal information to the wrong website. Historically, users relied on the SSL padlock (the gold lock), which was the only indication of any security whatsoever. While helpful, SSL only means that I have an encrypted connection to someone. So someone with malicious intent could set up a site that closely copied the look and URL of a legitimate business, get an SSL cert, and try to fool users into giving them sensitive personal information via a phishing or social engineering attack.

Responding to these threats, the CA/Browser Forum has developed the new Extended Validation SSL Certificates, or EV SSL. EV SSL leverages proven SSL technology and adds a new process for vetting the identity of the business that is requesting the certificate, offering an improved level of authentication for securing transactions on their Web sites. Given the standardization and rigor of the process used, users can realize a higher level of online trust and confidence.

Internet Explorer 7 is the first browser to fully support EV SSL, and here’s what that looks like (in this instance when visiting www.login.live.com). You will notice that the address bar turns green, to notify users about the available identity information, and the name and country of the business are shown right there on the address bar (here “Microsoft Corporation [US]”). If a user wants to see more information about the company behind a website, he can simply click on the name of the company – the identification popup immediately shows the name and address of said company.
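The difference between a padlock-only certificate and one that carries vetted identity can be seen in the certificate fields themselves. The sketch below is an added example, not Microsoft's or Internet Explorer's code: it uses the Python `cryptography` package, constructed sample certificates, and assumes the CA/Browser Forum EV policy identifier 2.23.140.1.1 as the EV marker (the hostnames and organization are hypothetical).

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumption: the CA/Browser Forum's generic EV policy identifier.
EV_POLICY = x509.ObjectIdentifier("2.23.140.1.1")

def make_cert(subject, policy_oids=()):
    """Build a constructed, self-signed sample certificate (test data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in subject])
    start = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=30)))
    if policy_oids:
        infos = [x509.PolicyInformation(x509.ObjectIdentifier(p), None) for p in policy_oids]
        builder = builder.add_extension(x509.CertificatePolicies(infos), critical=False)
    return builder.sign(key, hashes.SHA256())

def identity_label(cert):
    """Return 'Organization [CC]' if the cert asserts EV and names an org, else None.

    This inspects certificate content only. A browser must also validate the
    chain to a root it trusts for EV; a self-asserted policy OID proves nothing.
    """
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return None  # typical domain-validated cert: padlock, no identity
    if not any(p.policy_identifier == EV_POLICY for p in ext.value):
        return None
    org = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    country = cert.subject.get_attributes_for_oid(NameOID.COUNTRY_NAME)
    if not org or not country:
        return None
    return f"{org[0].value} [{country[0].value}]"

# Constructed samples: a lookalike host with a domain-only cert, and an EV-style cert.
DV_CERT = make_cert([(NameOID.COMMON_NAME, "login.example-lookalike.test")])
EV_CERT = make_cert([(NameOID.COMMON_NAME, "login.example.test"),
                     (NameOID.ORGANIZATION_NAME, "Example Corporation"),
                     (NameOID.COUNTRY_NAME, "US")], ["2.23.140.1.1"])
```

Both sample certificates would yield an encrypted connection, but only the second produces a label of the form shown in the address bar; the first returns `None`.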


Internet Explorer, IE6, IE7, SSL, Security, Validation, Microsoft