Web 'safe' mark may elude new merchants

Companies known as certification authorities used to always perform a series of checks to make sure sites were really what they said they were.

But newer authorities have tried to cut costs and corners by checking only that the site owns the domain name — not the business said to run on that domain, security experts say. Scam artists — needing only a credit card and a domain name — have exploited the loophole to obtain the certificates necessary to appear legitimate.

Enter the Certification Authority/Browser Forum, a group of certificate issuers and browser manufacturers desiring to restore trust in the certificates.

Since its formation nearly two years ago, the forum has been hashing out standards that merchants and banks must meet to obtain EV certificates.

Those that fail could get only the regular certificates, for which the IE browser's address bar would remain white — just like most other sites, good or bad. Over time, Microsoft and others hope Internet users would know to look for a green bar, just like the padlock.

But the forum has figured out how to validate only larger companies, the ones incorporated by a government agency and thus listed in its databases. General partnerships, unincorporated associations, sole proprietorships and individuals are currently excluded.

Race, the Texas businesswoman, falls in between. Although her MadLeap.com was registered as a limited liability company in Delaware, it's so new that it might not appear in enough databases, making her business difficult to verify, according to officials at Comodo.

Smaller and newer companies could lose business if consumers leave for larger, established merchants with green bars.

"It is the small merchants who really need the ability to say, 'I am trusted. Come and do business with me,'" said Melih Abdulhayoglu, chief executive of Comodo. "The big guys who have the brands already have established trust because of brand awareness."

Comodo was among the companies that helped reject the draft guidelines in November, preferring to wait until the group could figure out how to validate smaller merchants.

But Microsoft announced it was moving forward anyhow, saying green bars would start to appear in late January. Comodo and other vendors responded by starting to sell the EV certificates to the larger companies — for hundreds of dollars more than regular certificates to cover the validation costs.

Markellos Diorinos, a product manager with Microsoft, said most phishing scams have mimicked the Web sites of larger banks and companies anyway.

MORE FROM SECURITY

Security Section Front

Internet activists push for greater democracy EU assembly adopts Internet, phone user rights 'Mr. Right' grifts widow's $50K in Web scam U.K. cops arrest people ‘just for the DNA’ Virus attacks ‘jail broken’ iPhones China attacks ‘biased’ U.S. cyber-spying report Chinese military Web site target of cyberattacks FBI: Hackers targeting law and PR firms House pushes ban on peer-to-peer software Facebook hit by ‘Control Your Info’ intruder Security Section Front   Add Security headlines to your news reader: