Website Security Solutions

Showing posts tagged with Extended Validation SSL
Tim Callan | 18 Dec 2012 | 0 comments

In conjunction with Earth Day we announced a limited-time program whereby VeriSign would plant a tree for each Extended Validation SSL Certificate we sold. I just saw the data for April 22, Earth Day, and our EV registrations were almost double what you would expect for that day. So good work, folks. We'll be planting a lot of trees because of you.

Tim Callan | 18 Dec 2012 | 0 comments

The Online Trust Alliance (OTA) just announced its Online Safety 2010 Honor Roll; only 8% of the 1200 analyzed companies made the list. The OTA evaluated these 1200 sites based on their usage of e-mail authentication standards, Extended Validation SSL Certificates, and the presence or absence of malware on their public-facing sites. OTA also reported that more than 26% of the Internet Retailer 500 and top 100 financial services companies have adopted EV SSL Certificates. Here's what the Wall Street Journal had to...

Tim Callan | 18 Dec 2012 | 0 comments

Tomorrow is Earth Day, and in celebration VeriSign is kicking off our "Plant a Tree" promotion for EV SSL. Purchase a VeriSign Extended Validation SSL Certificate between Earth Day and May 22nd and you could grow your conversion rates at the same time you help grow new forests.

In honor of Earth Day 2010, VeriSign will plant a tree for every VeriSign EV SSL Certificate purchased between April 22nd and May 22nd. VeriSign has partnered with American Forests, a non-profit that works to protect, restore, and enhance the natural capital of plants and trees.

It's cool because online commerce is fundamentally a green technology. The more we can do our business online, the more we reduce printing and shipping paper...

Tim Callan | 18 Dec 2012 | 4 comments

It was at the RSA Expo in 2007 that VeriSign officially held a coming out party for Extended Validation SSL. Now I'm at the RSA Expo again, and it's a good time for a milestone check.

Today, more than 20,000 EV SSL Certificates have been deployed worldwide, putting EV SSL into an elite category of ultra-rapidly deployed technologies. Likewise, browser ubiquity is pretty darn high. More than 75% of client systems on the Web use browsers that can display the green address bar. Compatible browsers include IE7 and above, Firefox 3.0 and above (2.5 with downloadable plug-in), Safari 3.2 and above, all versions of Chrome, Opera 9.5 and up, Flock, and the iPhone.

Dozens of online businesses have measured the effect of green address bars on their visitors' behavior and have seen significant increases in key...

Tim Callan | 18 Dec 2012 | 1 comment

Mobile devices continue to grow in importance as a platform for doing real business online. You may recall that the iPhone broke the EV glass as the first popular mobile device to specifically call out EV SSL Certificates in the interface. This recent article explains how German bank Postbank is using EV on its iPhone-specific site. A Postbank official says,

With the launch of the VeriSign EV SSL Certificates for iBanking on the iPhone, we're taking a huge step forward in our efforts to build trust and reassurance for this fast-growing segment of our customer base.

Tim Callan | 18 Dec 2012 | 2 comments

A researcher has published an exploit that uses the SSL renegotiation attack to compromise Twitter logins. That appears to run counter to earlier assessments that this exploit wasn't aimed at the accounts of individuals accessing sites. So what's going on here, you ask?

This attack does indeed follow the parameters of the attack as previously described. It attaches exploit code to the encrypted stream and indeed cannot decrypt the data going to and from the site. What the inserted exploit code does is take advantage of a vulnerability in Twitter's API that allows it to command Twitter to publish the credentials of the currently active account. And of course the currently active account by definition is the same as the one operated by the site visitor who owns this...

Tim Callan | 18 Dec 2012 | 0 comments

There's a lot going on this week. We've seen the widespread publicity of the theft of free e-mail accounts across a broad range of webmail providers. And at the same time we've seen the first detected instance of a null character attack in the wild. This story is still ongoing, the latest development being that PayPal has shut off the account of the researcher who created the null character certificate being used in this attack.

The connection between these two events is the ongoing need for knowledge of authentic identity and the role of EV SSL in providing that knowledge. In...

Tim Callan | 18 Dec 2012 | 6 comments

Greetings from Las Vegas. Today we saw two presentations regarding attacks that affect the world of SSL. I'll give you a capsule summary of each and tell you how VeriSign certificates fit in. Lest this post become a tome, the summaries will have to be oversimplified. I'll strive to represent the subjects as accurately as I can.

First up was Moxie Marlinspike, detailing the latest additions to his sslstrip tool. The focus of this presentation was various ways to use null characters to fool browsers and other pieces of relying software into believing a certificate has been issued to a different domain than the one to which it was actually issued. The idea is that the attack would give the online criminal the ability to put up a certificate on what appears to be the exact same domain name as the targeted site. sslstrip accomplishes this feat through a Man-in-the-Middle attack and uses the null-character certificate to create its false certificates on the fly.

I'm...

Tim Callan | 18 Dec 2012 | 9 comments

We're seeing active discussion online about the possibility of hijacking a single frame in a production site to steal logins or PII. The scenario is that a criminal gang would redirect this frame (through DNS poisoning, let's say) and populate it with its own content from servers under its control. Presumably this content would involve form fields asking for information the criminals want to receive and which you would be willing to share in this context (such as your bank account login or social security number).

Now, the recent dialog is around the scenario where this proposed attack happens on a site with an Extended Validation SSL Certificate. The certificate identifies the controller of the top-level frame and does not report on the sources of any internal frames in that page. That is in keeping with near-ubiquitous practices in consumer Web applications...