As part of Mozilla’s on-going commitment to provide you with a safe browsing experience, meet Larry, the passport dude. He is going to be part of the forthcoming Firefox 3 and a new way to verify a site’s identity (and whether it is “safe”). Many people (including the humble Guru here) are misled into thinking that just because a site is identified as ‘secure’ (has the little padlock in the status or address bar) it is also ‘safe’. As Meandering Wildly explains, the padlock only means the site has an SSL certificate, which in and of itself does not make the site ‘safe’:
The padlock has a lot of problems, though. First of all, it is misleading; it doesn’t mean “safe” at all. The padlock appears when a website presents a valid SSL certificate, issued by a company that your browser thinks is trustworthy. But the bar for getting one of these can be as low as $10, and the validation the companies do varies from excellent to non-existent. Even back in 2005, there were over 400 phishing attacks using SSL. So clearly, the padlock is not equivalent to safety.
We also, difficult as it is, need to get out of the “safety” game. We can’t tell users “this site is safe” because we don’t know that. Even ignoring the liabilities that might come with such a claim, there isn’t a good technological way to tell, right now, whether a particular site is safe in the way users care about. Do they handle credit card information properly? Do they ignore angry customers? Are they a front for stolen goods? These kinds of naughty people could get SSL certificates (and accompanying padlocks) and even the extended validation practices being discussed wouldn’t really stop them.
The example above is the Sandbox portion of the Firefox Add-ons site. Larry has verified the site by checking the SSL certificate validity. Since this site is verified as safe, Larry will…
- Show the user a meaningful, verified business name, giving the user something other than only the domain name to work with.
- Identify the party responsible for verifying that identification, since there has been, until now, very little way for a user to make informed decisions about which CAs they trust – the supposed root of the entire public SSL infrastructure.
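As an added example (not code from Mozilla or from the original post), the following Python uses the `cryptography` library to pull the same two facts out of a certificate that Larry surfaces: the verified organisation in the subject (absent on a domain-only certificate) and the party that issued it. The certificates are constructed self-signed samples with made-up names, so the "verified by" field simply points back at the subject.

```python
"""Extract Larry-style identity facts from an X.509 certificate.

A valid certificate gives you the padlock; whether it also carries a verified
business name (O= in the subject) and who vouched for it (the issuer) is what
Larry displays on top of that.  Requires the `cryptography` package.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(common_name, organization=None):
    """Constructed sample: a self-signed cert, optionally with an O= attribute
    (as an organisation-validated cert would carry).  Not a real CA-issued cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if organization:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization))
    name = x509.Name(attrs)
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)  # self-signed: issuer == subject
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=30))
            .sign(key, hashes.SHA256()))


def _first(name, oid):
    """Return the first attribute value for `oid` in a Name, or None if absent."""
    vals = name.get_attributes_for_oid(oid)
    return vals[0].value if vals else None


def identity_summary(cert, now=None):
    """Return what the padlock proves (validity) and what Larry adds (who, verified by whom)."""
    now = now or datetime.now(timezone.utc)
    # not_valid_before/after are naive UTC datetimes; attach tzinfo for comparison.
    nvb = cert.not_valid_before.replace(tzinfo=timezone.utc)
    nva = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return {
        "valid_now": nvb <= now <= nva,
        "domain": _first(cert.subject, NameOID.COMMON_NAME),
        "organization": _first(cert.subject, NameOID.ORGANIZATION_NAME),  # None => domain only
        "verified_by": _first(cert.issuer, NameOID.ORGANIZATION_NAME)
                       or _first(cert.issuer, NameOID.COMMON_NAME),
    }
```

An `organization` of `None` is the case the post warns about: the padlock is present, but the only identity the user gets is the domain name.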
Keep in mind Larry is still evolving; he has already changed somewhat since Meandering Wildly first wrote about him in March. If you like, you can try out Larry even if you are not yet using any of the Fx 3 builds (he will work with Fx 2.0-3.0a6). However, to do so you will need to be a registered user with Firefox Add-ons since the add-on is currently in the Sandbox. Firefox Addons >> Identity Feedback
- Meandering Wildly >> Revisiting Security UI – Part 1 of 2
- Meandering Wildly >> Revisiting Security UI – Part 2