Verisign buys Geotrust

Well, what did you expect?

Geotrust, as I always said, never had a long term business model to be in the game nor did they care about the stakeholders in the industry they were selling in. Afterall, selling low assurance certificates are a big dis-service to the e-commerce industry, period! So Geotrust’s only play was to give away as many certs as possible to gain market share so that they could sell out! Selling out they did!

Lets look at the landscape, who is innovating? who is bringing new and innovative products to solve the “Trust Threats” we face daily basis? Who cares about the industry and users? (making money and caring for the security and trust of the industry does not have to be mutually exclusive). Well the answer is Comodo! Neither Verisign, nor any other CAs or bigger players in the security field has brought any notable innovation if any to us. Anyway, last year in May Comodo setup the CA Forum and held the very first CA Forum meeting in NY in a hotel paid for by Comodo. We had full industry turn out, from Microsoft, to AOL, from Verisign to RSA and Entrust. Everybody who had to be there was there. This forum was to enable new standards in issuance of SSL certificates. It was an idea I had to setup a “committe”, “standards settings body” (the A team or whatever you want to call it) to start identifying and mitigating “Trust Threats” that we face daily, old ones, new ones and the ones that are yet to hit us. If we wanted ecommerce to flourish we had to do something about it. The industry was doing nothing and worse what little security and trust was being eroded by companies like Geotrust by issuing digital certificates without properly validating applicants. So this forum was a great success at bringing the industry together and unanimously agreeing to the need of a High Assurance(HA) SSL certificates. Soon browser providers will be able to display HA SSL different than Low assurance certs. Of course, this was another catalyst in Geotrust’s destiny as the Low assurance market was not a long term business model and now there were standards for HA SSL. The reason why HA or LA (Low Assurance) SSL did not matter initially was because end users couldn’t differentiate between HA or LA SSL when they only saw a yellow padlock. It is that inability that Geotrust was able to bank on. Issue certs willy nilly and grab a market share. Good for them but not good for ecommerce! This is why we had 461 phishing attacks using SSL and you can guess which SSL certificates these attackers used! Of course there is also a problem with SSL, that the “Purchasers of SSL are not the beneficiaries of SSL”. What I mean by that, all the merchant wants is to show that yellow padlock on their site, they want (at least people who buy low assurance certs) the cheapest, quickest and the least hassle solution. They don’t want to send their papers in, they just want to pay and get the SSL. So that misunderstanding by merchants about the implication of low assurance certs in the future of their online businesses combined with Geotrust’s offering created a “transient niche” and thats what Geotrust was able to exploit. So they came with a ■■■■ and went out with a ■■■■! or did they?

Now that Geotrust have revealed that they don’t necessarily care for that stakeholders, what if this deal does not go thru? What if there is an objection to this deal? Geotrust played and showed their hand (well they had to as time was running out on that business model due to High Assurance standards coming into force soon and Geotrust’s customer base are the type of people who want SSL certs and don’t want to be verified or validated about their legitimacy so it is highly unlikely that they will buy this new High Assurance certs) that they are not in for the long run. What will happen to Geotrust if this deal does not go thru? Well, its going to be an interesting few months :slight_smile:

Melih

The reason why HA or LA (Low Assurance) SSL did not matter initially was because end users couldn't differentiate between HA or LA SSL when they only saw a yellow padlock.
Soon browser providers will be able to display HA SSL different than Low assurance certs
Melih , how do I know which this is HA or LA. thanks , tim

[attachment deleted by admin]

Tim

check out this link Endpoint Detection and Response, Free - What is EDR Security?
you will see 2 things

1)how Verification engine helps you identify these
2)how you can take a look inside the cert to identify what is low or high assurance

basically, low assurance certificates has the domain name and does not mention the company name in the certificate. So you haven’t got a clue as to who the owner is. SSL is to offer encryption! But unless you know who you are encrypting it for, what is the point of encryption? For what you know, you could be encrypting it for the fraudsters. That is why its important to check whether its LA or HA. These are the little tucked away “Trust Threats” that threaten ecommerce.

Melih

When Low Assurance certificates hit the market, thanks to Geotrust in 2002, Verisign made their position very clear

“They’re not doing the same level of authentication that VeriSign does,” Golub said. “If domain ownership is unauthenticated, as it is today, you need to go to the next level of authentication.” A VeriSign statement said the company wants to “notify consumers and online merchants about risky practices of ‘quick’ or reduced authentication that doesn’t adequately identify online merchants.”

Now they control this Low Assurance, lets see if they will “Practice what they Preach” and stop issuing Low Assurance Certificates. Afterall they are a “Trust” company, right :wink:

Melih

Some more stuff I said in an interview:

http://www.computerwire.com/industries/research/?pid=4B8ADDE5-A687-4E16-BFEA-4DA14F449B64

Melih

Thanks Melih, if I read this correctly [url]Endpoint Detection and Response, Free - What is EDR Security?, then the screenshot I posted is HA. BTW I,ve seen some certs that that show 256 AES encryption. So thats better,right?
I do online banking/ shopping and just assumed that the yellow padlock or closed padlock(depending on browser) meant good to go. Thanks for the info,tim

Yes the cert you pointed out was HA.

Well, yes 256 bit is better than 128 from encryption point of view, but I am yet to see practical attacks on 128bit that will cause concern. Its like saying travelling to a galaxy 8 million light years away is easier than travelling to a galaxy that 9 millions year away. Technically that statement is correct, but we are still far far away from travelling to both. So this is why what is important about an SSL cert today is whether the Identity of the applicant has been validated or not. The threat is not someone can break the 128bit encryption and read the content, but you don’t know who you are encrypting that content for!

That is one of the reasons why we have Verification Engine www.vengine.com which is a free tool that helps verify good padlock from a bad one.

Melih

Interesting read, nicely wored.

Hi,

Could somebody please tell me what HA and LA which market does Comodo compete in (At the moment I think it may be High Assurance but not sure)

Thanks,

Justin

Definitely HA!

Ewen :slight_smile:
(WCF3)

Hi,

What is the difference between High Assurance and Low Assurance?

Thanks,

Justin

(WCF32)

Does it make sense to encrypt something without knowing who its encrypted for?
After all you could be encrypting it for a fraudster.

HA certs are only issued to authenticated/validated entities so that when a user sees the Yellow Padlock they know that the people they interact with do actually exist.
with LA certs, you can buy a cert by simply paying money. No validation of the entity is performed. So you see a padlock your details are encrypted but you don’t know who to.
thats the basic difference.

Melih

How would Comodo find this information to issue a HA certificate?

We have a huge “Validation Team” whose job is to collate all this information in order to certify the identity of an applicant! This is a fairly involved process.

Melih

Melih,

Thanks for explaining that, I always ask about thinks I don’t know even if it is a noob question. (warning ahead of time)