Gregory L. LaFollette, CPA.CITP

Is it Back to Green-Bar for the Profession?

Column: Final Thoughts

By Gregory L. LaFollette, CPA.CITP


From the April/May 2008 Issue

If you’re old enough to remember the “pre-laser printer days” (and the profession’s demographic says nearly 80 percent of you are), you’ll no doubt recall that old dot-matrix and line printers were often loaded with lined paper that we lovingly dubbed green-bar. We’d print box after box of reports and pass them around, mark them up, and generally try to find information in all those data. Mercifully, Hewlett Packard came along with its LaserJet+, and we all very quickly ended our affair with green-bar. Well, now it’s back.

The Modern Green Bar
The green-bar of 2008, however, is very different from its earlier namesake. This latest version, in fact, has nothing to do with printers or reports but has everything to do with Internet security. The “green bar” to which I refer is techno-slang for an emerging anti-phishing standard called “extended validation.” What?

A Little Background
Let me provide some background. Computers don’t deal well with names, but rather only with numbers. The basic design of the Internet requires that each machine connected to the Internet have a unique “address.” While we humans see these addresses as text URLs [Unique Resource Locator], as in www.Microsoft.com or www.Google.com or www.CPATechAdvisor.com, our computers actually need help. The solution is hidden in a process referred to as the Domain Name System [DNS], which associates these so-called domain names with the more computer-like IP [Internet Protocol] address (e.g., 204.737.188.166) that networking equipment needs to establish a connection.

While that sounds perfectly benign to honest people, it opened the door for a new style of scam — popularly referred to as phishing — in which the bad guys pretend to be someone they are not. As contrasted with fraud in the physical world, mimicking a website in the digital world proved to be all too easy. The early solution to this was SSL, or Secure Sockets Layer. This cryptographic protocol ensured secure communications on the Internet and provided a visual indicator of that security via the familiar “padlock” icon being displayed. The SSL indicator could only be displayed if a site was registered and had received a special kind of “certificate.” Consumers quickly adapted. Problem averted.

But crooks are ingenious and have refined those early attempts to mimic, and by 2005 the Internet was seeing large-scale phishing attacks using low-authentication (read: current version) SSL certificates to fool people into assuming the legitimacy of every SSL site.

The problem is that even the bad guys can register a current version SSL certificate. It ensures security, but with WHOM? Do you really CARE if your transaction is “secure” when you’re sending money to a crook?

The New Security Certificate
Enter green bar! There is now a new kind of SSL certificate called an Extended Validation (EV) SSL certificate. These new “super certificates” can only be issued by a select few very high-level “certificate authorities.” Each of these high-level issuers must undergo independent audits to confirm their compliance with special standards relative to their business verification practices.

These select authorities then extend those special verification processes, including verification of the organization’s identity, the validity of its request and the overall legitimacy of the business, to each EV-SSL they issue. The fee for this “special service” is usually several hundred dollars as opposed to less than $10 for the traditional domain registration. The expected result is that every website showing an EV-SSL certificate will have been thoroughly vetted to make absolutely sure that it is, in fact, exactly who it says it is AND that the transaction you’re about to make is, in fact, secure. In other words, Internet users get every bit of the security they get today, plus the new system ensures that the organization with whom they’re about to transact business is bona fide.
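The difference between a “padlock only” certificate and an extended validation one is visible in the certificate’s subject: the first names only a host, the second also names a vetted organization. The following is an added example, not part of the original column. It works on the dictionary format returned by Python’s `ssl.SSLSocket.getpeercert()` and uses constructed sample data. It assumes that the presence of the subject fields the CA/Browser Forum EV Guidelines require is a good-enough hint; a browser decides EV status from the certificate’s policy identifier and issuing authority, which this sketch does not check.

```python
# Subject attributes that EV certificates carry in addition to the host name.
# Names follow the long attribute names reported by Python's ssl module.
EV_SUBJECT_FIELDS = (
    "organizationName",
    "businessCategory",
    "serialNumber",
    "jurisdictionCountryName",
)


def subject_fields(cert):
    """Flatten the nested subject tuples of a getpeercert() dict into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def describe_identity(cert):
    """Return (level, organization) for a getpeercert()-style dict.

    "extended"     -> every EV subject field is present
    "organization" -> an organization is named, but not the full EV set
    "domain-only"  -> the certificate identifies nothing but the host
    """
    fields = subject_fields(cert)
    org = fields.get("organizationName")
    if all(name in fields for name in EV_SUBJECT_FIELDS):
        return "extended", org
    if org:
        return "organization", org
    return "domain-only", None


# Constructed sample data (not real certificates). Both would encrypt the
# connection equally well; only the second says who is on the other end.
DV_CERT = {"subject": ((("commonName", "www.example.test"),),)}
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "0000000"),),
        (("organizationName", "Example Bank, Inc."),),
        (("commonName", "www.example.test"),),
    )
}

if __name__ == "__main__":
    for label, cert in (("padlock only", DV_CERT), ("green bar", EV_CERT)):
        print(label, "->", describe_identity(cert))
```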


Copyright 2008 Cygnus Business Media

