IE 7 to gain a better padlock for secure browsing
Microsoft's next browser will highlight the credentials of sites offering SSL links, according to VeriSign
A new standard for Secure Sockets Layer (SSL) certificates is on the way, designed to combat phishing attacks and raise public confidence in ecommerce sites. According to certification specialist VeriSign, the current solution isn't stringent enough and could be undermining the industry.
At the Infosecurity Europe event, VeriSign product manager Tim Callan explained that there has been an erosion of trust in the padlock symbol displayed during an encrypted browsing session, because some certification authorities (CAs) have reduced or eliminated the authentication required to positively vet applicants, allowing phishers to obtain apparently legitimate credentials.
"The existing SSL standard is lacking now – most CAs do authenticate very well, but if a user can't tell which don't, they're out of luck," argued Callan. "Certification authorities and browser manufacturers [are] creating a new standard for a higher assurance certificate and the CAs will be audited against that [standard]."
The upcoming technology will be supported by new features in the next generation of browsers, including Internet Explorer 7, added Callan. These changes will include a colour-coded address bar to show when a site supports the high assurance certificates, with the name of the web site owners' organisation and the issuing authority displayed in a section of the address bar.
"It's about making it easy for users to use and enabling them to make smart decisions about how to treat various web sites, and not simply opting out [of online services] and going back to the [high street]," said Callan.
Web managers and IT directors should plan ahead now to ensure their public-facing web servers benefit from switching over to the high assurance certificates, which will also require 128-bit encryption or higher, Callan added. "They should think about planning for it now, so they are not surprised when their [customers start asking them why] they aren't using [the new certificates]," he advised.
The new standard is expected to be published in around two months, with the relevant upgrades in IE7 likely to be included in the beta version of the browser.