Tuesday, 29 November 2005

It's a question many of us in the security field have been asking for some time. How is a user supposed to know they are on the correct web site when they enter their credentials or make an online purchase? And how are they supposed to know when the site they're on is not the trusted one?

I was having a side conversation about more ways to solve this problem with some coworkers today (common topic in our line of work), and this evening I ran across some details on the IEBlog discussing how Microsoft is dealing with it in IE7 (found via Mark Harrison). And other browser vendors are playing nicely, too. Ahh, solving problems is such a good thing to see... Nice!

IEBlog: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Here are some visuals that show what the user experience looks and feels like in the dev versions. Visit the link above to get the complete details.

Fig 1, IE7 address bar for a known phishing website detected by the Phishing Filter
(image: Known Phishing Website)

Fig 2, IE7 address bar for a suspected phishing website detected by the Phishing Filter
(image: Suspected Phishing Website)

Fig 3.1, IE7 address bar for a site with a high-assurance SSL certificate
(showing the identity of the site from the SSL certificate)
(image: Identity of Site from SSL Certificate)

Fig 3.2, IE7 address bar for a site with a high-assurance SSL certificate
(alternating with the name of the Certification Authority who identified the site)
(image: Showing Name from Certification Authority)

Tuesday, 29 November 2005 21:35:05 (Pacific Standard Time, UTC-08:00)
