NEW YORK – As an online shopper, Claudia Race knows she must look out for scams.
So as an Internet entrepreneur working out of her home in New Braunfels, Texas, Race wants to use all the tools available to assure customers they can trust the vacation-rentals service she is about to launch.
But because her small business is so new, Race said she might not qualify for the online seals of approval that Overstock.com Inc. and other larger, established companies are getting to instruct Microsoft Corp.’s Internet Explorer browser to display a green address bar for “safe” when people visit her site.
“It would put me at a disadvantage,” Race said. “I do not want anyone to have any questions, hesitate or have any fear factor. They have to know that I didn’t just go grab a logo from somewhere and stick it on my site. I want them to know I’m a legitimate business.”
What she’s seeking is an extended-validation certificate, a response to the plethora of “phishing” attacks in which scam artists try to steal sensitive data by mimicking the Web site of a large bank or merchant.
Once Microsoft activates the feature in version 7 of Internet Explorer in late January, a green bar will appear when the browser detects an EV certificate, usually during a transaction or login. The tool complements a newly launched filter that displays a red warning for known phishing sites and yellow for suspicious ones.
“EV does not authenticate that your plasma TV is going to show up or that it won’t have a crack through it,” said Tim Callan, director of product marketing for VeriSign Inc., which issued its first EV certificate to Overstock this month.
Rather, Callan said, the EV certificate will tell consumers that the business does exist and operates at the location it says it does.
That’s because VeriSign and its competitors will be required to perform extensive checks to verify that the business is legally recognized by a government agency and that the address registered for the certificate is valid, such as by matching it with a government filing or visiting the business in person.
Certificate issuers also must make sure that the company owns the domain name and that the individual requesting the certificate is authorized.
This prevents a scammer from registering a domain name overseas at “paypa1.com” – with a numeral “1” instead of the letter “l” – and buying an EV certificate saying it is the eBay Inc. online payment service.
The certificate issuer would discover the person requesting it doesn’t really work for eBay after obtaining eBay’s contact information through independent means and asking directly, said Paulo Kaiser, vice president of operations for certificate vendor Comodo.
In the early days of e-commerce, merchants simply needed a standard security certificate for browsers to display a closed-padlock icon. The makers of the Netscape browser, now owned by Time Warner Inc.’s AOL, developed the Secure Sockets Layer technology in the mid-’90s, and many online shoppers over time knew to look for it.
Companies known as certification authorities used to always perform a series of checks to make sure sites were really what they said they were.
But newer authorities have tried to cut costs and corners by checking only that the site owns the domain name – not the business said to run on that domain, security experts say. Scam artists, needing only a credit card and a domain name, have exploited the loophole to obtain the certificates necessary to appear legitimate.
Enter the Certification Authority/Browser Forum, a group of certificate issuers and browser manufacturers that want to restore trust in the certificates.
Since its formation nearly two years ago, the forum has been hashing out standards that merchants and banks must meet to obtain EV certificates.
Those that fail could get only the regular certificates, for which the IE browser’s address bar would remain white – just like most other sites, good or bad. Over time, Microsoft and others hope Internet users would know to look for a green bar, just like the padlock.
But the forum has figured out how to validate only larger companies, the ones incorporated by a government agency and thus listed in its databases. General partnerships, unincorporated associations, sole proprietorships and individuals are excluded.
Race, the Texas businesswoman, falls in between. Although her MadLeap.com was registered as a limited liability company in Delaware, it’s so new that it might not appear in enough databases, making her business difficult to verify, according to officials at Comodo.
Smaller and newer companies could lose business if consumers leave for larger, established merchants with green bars.
“It is the small merchants who really need the ability to say, ‘I am trusted. Come and do business with me,’” said Melih Abdulhayoglu, chief executive of Comodo. “The big guys who have the brands already have established trust because of brand awareness.”