eWeek Microsoft Watch
February 6, 2007 5:32 PM

IE 7 Gives the Green Light



Today on the IE Blog, Microsoft revealed that EV (Extended Validation) SSL Certificates are now live and supported in Internet Explorer 7.

Microsoft announced EV SSL support today at the RSA show, but the certificates started appearing last month.

EV SSLs have been a long time coming and complete one of the most important visual security cues for Internet Explorer 7 users. Hitherto, the IE 7 address bar flashed yellow for suspect sites and red for those known to pose security risks. For sites using EV SSLs, users would see green, indicating what is supposed to be a safe site.

The motif is compelling, because it removes security complexity from the browsing experience. By my definition, good user interfaces should emphasize simplicity while hiding complexity. The green, yellow and red cues meet this standard, and they are a refreshing relief from UAC prompts and IE 7 security warnings.

"Many Certification Authorities (CAs), including VeriSign, CyberTrust, Entrust and GoDaddy, are already issuing EV SSL Certificates," wrote Jeremy Dallman, IE Program Manager, on the IE Blog.

GoDaddy EV SSL


The screenshot shows the green-highlighted address bar on GoDaddy's page for signing up for an SSL certificate.

One concern about the certificates is that they could generate a false sense of security. I spoke with members of the IE 7 team about this last year, and they responded that the process for receiving a certificate would be fairly stringent. GoDaddy's EV SSL help page does make the certificates seem tough to obtain.

Right now, the certificates are available only to incorporated businesses. According to GoDaddy: "Any incorporated or limited liability company which is legally registered in the jurisdiction of its principal place of business and verified with a registered status of 'Good Standing,' 'Active' or equivalent can apply for an Extended Validation (EV) SSL certificate."

However, if phishers could obtain certificates, the green light could entice Web users to go through what really should be a Stop sign.

But managing and maintaining the integrity of the process isn't Microsoft's responsibility. Certificate Authorities must ensure that only trusted businesses obtain EV SSLs. Trusted isn't the same as verifiable. A verified business in any geography could still be a front for Internet scammers, spammers or phishers. The green they see is money.


Comments (1)

Brad Freeman :

Nice way for certificate companies to make some extra cash. Otherwise it is a completely useless feature.

Ziff Davis Enterprise