Will EV SSL Certificates Work? - Michael Sutton's Blog
Will EV SSL Certificates Work?

What are EV SSL certificates?

With the explosion of phishing attacks and identity theft, a new form of SSL certificate is ready to hit the Internet. This new certificate is known as an Extended Validation (EV) SSL certificate and is designed "to provide users with a trustworthy confirmation of the identity of the entity that controls the website they are accessing". In addition to the confidentiality provided by traditional SSL certificates, EV SSL certificates also aim to instill trust in web users by validating the identity of the web site proprietor. Is this the silver bullet that we've been looking for, or a wolf in sheep's clothing?

[Image: A Sample EV SSL Certificate Displayed in IE7]

Certificate Authorities (CAs) and web browser vendors have banded together to form the CA/Browser Forum to agree on the specs for the new EV SSL certificate. Traditional SSL certificates only cause the browser to display a lock icon; these new certificates will also cause the address bar to turn green. EV SSL certificates are already supported by Internet Explorer 7.0, and while Mozilla has not yet announced whether it will support the initiative, it has participated in the project.

What 'Extended Validation' is Required to Obtain an EV SSL certificate?

First off, let's take a look at what EV certificates are attempting to provide. According to the Guidelines for Extended Validation Certificates, they have been designed for the following primary and secondary purposes:

Primary

  1. Identify the legal entity that controls a website
  2. Enable encrypted communications with a website

Secondary

  1. Help establish the legitimacy of a business claiming to operate a website by confirming its legal and physical existence
  2. Provide a vehicle that can be used to assist in addressing problems related to phishing and other forms of online identity fraud

SSL certificates have always been designed to handle encrypted communications, so the big change here is that certificates will now only be provided to legal entities. The determination of what constitutes a legal entity will be left up to the issuing CA given that there is no international standard. At present, only incorporated companies and government entities will qualify for EV SSL certificates. Partnerships, sole proprietorships and individuals would not qualify for a certificate, much to the dismay of some small companies.
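The distinction the guidelines draw, between a certificate that merely binds a domain and one that names a vetted legal entity (organization, business category, jurisdiction of incorporation and registration number), can be read straight out of a certificate's subject. The following is an added example, not code from the original post, that classifies a certificate by those subject attributes using the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`; the attribute names (`businessCategory`, `jurisdictionCountryName`, `serialNumber`) are assumed to follow the OpenSSL long names that module surfaces, and all sample certificates are constructed inline.

```python
# Added example: classify a server certificate by the identity claims in its
# subject DN, distinguishing domain-only (DV), organization-vetted (OV) and
# extended validation (EV) certificates. Uses the getpeercert() dict layout.
from typing import Dict

# Subject attributes an EV certificate carries for the vetted legal entity.
# Attribute names are assumed to match the OpenSSL long names Python exposes.
EV_ATTRS = {"organizationName", "businessCategory",
            "jurisdictionCountryName", "serialNumber"}


def flatten_subject(cert: dict) -> Dict[str, str]:
    """Flatten getpeercert()-style RDN tuples into a name -> value dict."""
    out: Dict[str, str] = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            out[name] = value
    return out


def validation_level(cert: dict) -> str:
    """Return 'EV', 'OV' or 'DV' based on which identity fields are present."""
    subject = flatten_subject(cert)
    if EV_ATTRS.issubset(subject):
        return "EV"
    if "organizationName" in subject:
        return "OV"
    return "DV"  # only a domain name was asserted; no vetted business identity


def identity_summary(cert: dict) -> str:
    """Human-readable line a browser or proxy could show for the certificate."""
    subject = flatten_subject(cert)
    level = validation_level(cert)
    if level != "EV":
        return f"{level}: no vetted legal entity (CN={subject.get('commonName', '?')})"
    return (f"EV: {subject['organizationName']} ({subject['businessCategory']}), "
            f"registered {subject['serialNumber']} in {subject['jurisdictionCountryName']}")


# Constructed sample certificates (not real issued certificates).
DV_CERT = {"subject": ((("commonName", "login.example.com"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.com"),))}
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "0000000"),),  # constructed registration no.
                       (("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.com"),))}
```

A client that wires `identity_summary` into its UI or logging would surface the gap the comments below complain about: browsers show the same lock for a domain-only certificate as for one tied to a registered company.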

Will EV SSL certificates work?

Overall, EV SSL certificates are based on the assumption that criminals would not qualify for, or be willing to apply for, the certificates. That second assumption can be written off immediately. Given that millions of dollars are available to phishers, criminals are already willing to go to great lengths to further their crimes. If criminals will hire hackers to write custom exploits, they'll certainly try to obtain the certificates if it will help 'business'.

Could Criminals Obtain EV SSL certificates?

The information required to apply for an EV SSL certificate is spelled out in the Guidelines for Extended Validation Certificates, but it's the following pieces of information that are relied upon to determine if a 'legal entity' exists:

  1. Proof of incorporation
  2. Physical business address

This approach mistakenly assumes that a legal entity is somehow a trustworthy entity. Incorporating a company is not a difficult task. It can be done online for a few hundred dollars, and it's a paperwork exercise, not a lie detector test. Moreover, large corporations are already fueling phishing and identity theft. Adware and spyware companies such as Zango (formerly 180solutions) and Direct Revenue are prime examples. Requiring that only legal entities can obtain EV SSL certificates will only deter small-time criminals, and it will punish legitimate small businesses that would not qualify to receive them.

Who will benefit from EV SSL Certificates?

The two entities that will benefit from EV SSL certificates are CAs and criminals. CAs will make more money, as they now have a more expensive product to sell. At the same time, organized and motivated criminals can now obtain a seal of approval to make their operations appear legitimate. End users, on the other hand, will receive a false sense of security, which will lead to further confusion about the security provided by SSL certificates. Once again, a security initiative designed to protect end users is DOA.

- michael


Posted 12-29-2006 4:03 PM by erik.peterson

Comments

Gerv wrote re: Will EV SSL Certificates Work?
on 01-02-2007 11:01 AM

Your summary of the EV Guidelines as merely requiring proof of incorporation and a business address is a massive oversimplification of the actual requirements. If you think it would be very easy for a criminal to obtain an EV certificate, perhaps you would care to outline the sequence of steps they would go through to get one, and the approximate cost (both financial and in terms of revealed true information) to the phisher of each?

erik.peterson wrote re: Will EV SSL Certificates Work?
on 01-02-2007 5:32 PM

Gerv - The validation process is not designed to verify what a website will be used for. It would be impossible to do so when the site may not yet exist. The extended validation process only strives to "identify the legal entity that controls a website". While ensuring that a legal entity controls a website is a form of validation that qualifies who can purchase a certificate, it does nothing to ensure that the legal entity is not conducting illegal activities. A company can be incorporated for a minimal cost and an EV SSL certificate can be obtained for a few hundred more while millions of dollars in profits are available to phishers.

Daniel Veditz wrote re: Will EV SSL Certificates Work?
on 01-11-2007 11:00 PM

No one doubts that a criminal organization can create a legit front company and obtain an EV cert (one reason I think IE's "Green means Go" symbolism is extremely misguided). It would hopefully be impossible for criminals to create a legit company called "Bank of America" or "eBay".

I thought this was supposed to show the country of the incorporated company to further prevent confusion and jurisdictional name issues, as Opera does already (e.g. https://www.wellsfargo.com/).

SadCA wrote re: Will EV SSL Certificates Work?
on 01-15-2007 6:39 PM

Having a truly trackable legal entity tied to the SSL cert creates an environment for tracking the culpable parties.

With today's SSL certs, all you have is an email address, which gives the federal agencies and lawyers nothing to work with.

By forcing SSL certs to be associated with a legal entity, the lawyers can get involved. They can track down and sue whoever incorporated the phoney business or provided the business documentation (be it Zango, some mycorporation website, or whoever).

There will be a clear path from a phishing site with an EV SSL cert to the CA that issued that cert, to the legal documents vetted by the CA to issue the EV SSL cert. The CA can then be sued (or at least discredited, legally and/or publically), along with whatever entity vouched for the phoney business as part of the CA vetting process. I would expect federal entities like the FBI will be able to get much farther investigating EV SSL cert related fraud than they can get with today's, mostly worthless, SSL certs.

Mr Clicky wrote re: Will EV SSL Certificates Work?
on 01-17-2007 9:01 AM

Another requirement for EV certificates is for the CA to have a problem reporting capability for the public and to promptly revoke certificates should they be misused.  It seems that is a certain improvement over existing practice.

However, your analysis of the Google blacklists shows that few SSL certificates are being used at all, and most of those are low validation certificates for which none of this applies (or the phishing site has been dropped on a server that has a legitimate high assurance certificate).

In other words, EV creates a new assumed-secure "bastion" without fixing the known existing problems with SSL.  Is that the best way to approach this?

Paul wrote re: Will EV SSL Certificates Work?
on 01-18-2007 8:23 PM

"Overall, EV SSL certificates are based on the assumption that criminals would not qualify or be willing to apply for the certificates. That second assumption can be written off immediately."

I have to ask, Michael: Do you have a reference for this statement?  

It appears to me that the new EV certs are based on a solid assumption that raising the bar with more rigorous vetting processes will make it harder for criminals to get SSL certificates for fraudulent domains.  From the cabforum.org website:

"A new vetting format, which all issuing Certification Authorities (CAs) must comply with, ensures a uniform standard for certificate issuance."

You replied to Gerv that "A company can be incorporated for a minimal cost and an EV SSL certificate can be obtained for a few hundred more while millions of dollars in profits are available to phishers."

It's not as easy as just incorporating and ordering an EV cert.  The EV process requires real humans to do the vetting: calling phone numbers, even requiring physical site-visits in cases where the address can't be verified through external business and government registries.  The addresses have to match, the phone numbers have to match, there have to be real people on the other side of the phone, and most importantly, as I stated first--real humans are involved in the vetting process.  People who have been trained to be wary of anything suspicious.  It's too easy to fool computers.  See the example from this Washington Post blog where GeoTrust's automated systems were easily fooled. One big problem: no human involvement.  http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html

Reference: http://www.cabforum.org/EV_Certificate_Guidelines.pdf on pages 24 and 25.

We're in this mess because of what has happened with current SSL vetting practices.  Certain CAs began offering domain-only certificates for ultra-cheap, as in $20/year.  These cheapo certs have no business vetting behind them.  They just make sure you can click on a link they send to the whois contact e-mail addresses.  It's ridiculous, fully automated, and full of vulnerability.  Phishers used these domain-only certs to get quick SSL certs to look trustworthy.  

Unfortunately, none of the modern browsers will tell you or warn you that you are on a site whose underlying business was not vetted.  In my opinion, domain-only certs have no business being on public IP space.  On RFC1918 space they could fill a need, but CAs like GeoTrust and GoDaddy issuing domain-only certs has helped phishers along, and in turn, tarnished the whole industry.

It's ironic how many people only want cheap certs.  The market provided cheap certs, and look what happened.  Phishing fraud exploded, because it was easy to get a cert.  Just register paypa1.com and go get a cert.  EV vetting will make that *much* more difficult.

Nobody will argue that EV will make phishing impossible.  Nothing will make fraud impossible.  But EV makes it much harder.  The phishers have been using domain-only certificates.  I'm unaware of a case of phishing fraud where the phishers were able to get a real business-vetted certificate.  If you know of a case, please educate me.

I disagree with your conclusion that only the CAs and the bad guys will benefit from more rigorous vetting standards.  Trust was lost due to domain-only certs and phishing, and efforts should be made to improve the situation.

Jonathan wrote re: Will EV SSL Certificates Work?
on 03-01-2007 5:36 PM

How long will it be before we start seeing trojans appearing that change the colour of the address bar to green to fool the user into thinking they are accessing a secure site?  It's difficult enough getting folk to check an SSL certificate (it only takes a click these days) if they are suspicious.

I reckon the CA marketing boys will have a difficult time convincing us that it will be worth the extra money to purchase an EV SSL cert.  The pressure will come more from other companies in the same business sector "if they have it, we'll need to have it too otherwise our customers will think we're not legit".

There is nothing wrong with existing 128-bit SSL certs (not LV ones), it's just that CAs are happy to sell them with little verification of the purchaser.  This has diluted their value to the consumer, hence driving the need for EV SSL certs.

CAConspiracy wrote re: Will EV SSL Certificates Work?
on 04-09-2007 2:53 PM

What is funny is that when I originally got my first SSL cert for my business years ago, there WAS a vetting process that Verisign put me through. I needed company letterhead, proof of business legitimacy, Dun and Bradstreet number, etc... Ironically, now they want to sell me on the idea that I should pay 10 times the cost for the same service (which I have to now repeat) just for this green bar (which ironically is saying the same thing that the lock said years ago).

Their EV cert is $2000 compared to the $249 I was originally paying per year. For a small retailer it's just not worth the price. It is an awful lot to ask for something that can be created with a command line tool and a few characters. I don't see any difference in the vetting process and I think GREEN IS GO is a mistake because there is no doubt that competing CAs will begin to offer these certs with more automated vetting processes in order to REDUCE THE PRICE FOR THE CONSUMER. Because in the end, there will be those that want in on the action, and as long as human greed exists, we should see a lowering in price for a product that essentially costs nothing to produce.

And you go ahead and post some examples of people from Verisign doing 'site visits' to vet an EV certificate-- yea right.

IMHO another slimy tactic for a struggling company riddled with failures up to this point. The whole premise of 3rd party verification hinges on the blanket integrity of CAs, and that, as we know is impossible to guarantee, so the purpose is lost. Just encrypt your data and be an educated computer user and you'll have no problems.