Will the New SSL Safety Features in IE7 Hurt Small Merchants?

Last Updated on December 26, 2006

Small merchants who rely on channels such as affiliate marketing could feel some unwanted side effects from the adoption of IE7 and other web browsers such as Opera in January, when Microsoft will begin to use a new verification feature to stop phishing scams.

The problem could be in a new digital certificate that can better verify a site’s legitimacy than the older “SSL padlock” which was readily available for large and small merchants and included a rather simple approval process.

The new system is far more thorough, but because of the way that it works, many small businesses will be excluded. They can still get an SSL certificate, but their sites won’t get the green “safe” bar in IE7 and Opera.

The new platform will be called “EV”, which is short for Extended Validation SSL Certificate, and includes a lengthy and purposely more difficult approval process in an attempt to stop the rise of scams and phishing sites that can currently obtain SSL certificates.

Here are the draft guidelines (pdf file), which go into exhaustive detail about what certificate authorities must and must not do when issuing EV certificates.

To give only a single example, certificate authorities must ensure that the address they are given by the company is its actual place of business. If the CA is unable to verify this using public records, it must send “a reliable individual” on a site visit to the address. The visitor must look for a permanent sign, must note whether the building is a condo, office building, strip mall, etc., look for evidence that ongoing business is taking place at the location, and must take photos of the exterior and the reception area.

Small merchants (especially pertinent to our niche) need to develop a way to deal with such rapid changes so that visitors and potential customers know they are on a “safe site” for purchasing items and providing private or credit card information. Otherwise, www.jennifersbakedgoods.com (I’m not sure if that’s a real site or not) won’t be able to compete.

One possibility could be a dual or split program in which smaller merchants have a different number of hoops to jump through to gain EV status, rather than going through the same exhaustive process as Forbes 100 companies. However, such dual programs might give the phishing sites that the CA/Forum is attempting to head off a route to certification.

Ars Technica has more here.

Yahoo News has more here.
