Small Online Merchants Seek 'Safe' Tag
Established Companies Could Have Advantage When New Validation Program Is Activated
Claudia Race is attempting to obtain an extended-validation digital certificate that would authenticate the web site of her vacation home listing business. Race is seen last week at her home in New Braunfels, Texas. (AP)
Since its formation nearly two years ago, the forum has been hashing out standards that merchants and banks must meet to obtain EV certificates.
Those that fail could get only the regular certificates, for which the IE browser's address bar would remain white just like most other sites, good or bad. Over time, Microsoft and others hope Internet users would know to look for a green bar, just like the padlock.
But the forum has figured out how to validate only larger companies, the ones incorporated by a government agency and thus listed in its databases. General partnerships, unincorporated associations, sole proprietorships and individuals are currently excluded.
Race, the Texas businesswoman, falls in between. Although her MadLeap.com was registered as a limited liability company in Delaware, it's so new that it might not appear in enough databases, making her business difficult to verify, according to officials at Comodo.
Smaller and newer companies could lose business if consumers leave for larger, established merchants with green bars.
"It is the small merchants who really need the ability to say, 'I am trusted. Come and do business with me,'" said Melih Abdulhayoglu, chief executive of Comodo. "The big guys who have the brands already have established trust because of brand awareness."
Comodo was among the companies that helped reject the draft guidelines in November, preferring to wait until the group could figure out how to validate smaller merchants.
But Microsoft announced it was moving forward anyhow, saying green bars would start to appear in late January. Comodo and other vendors responded by starting to sell the EV certificates to the larger companies for hundreds of dollars more than regular certificates to cover the validation costs.
Markellos Diorinos, a product manager with Microsoft, said most phishing scams have mimicked the Web sites of larger banks and companies anyway.
"The current version of the EV guidelines ... probably covers most if not all of the phishing targets today," Diorinos said. "We felt we have a good technology and should get the technology out to consumers as soon as possible."
Diorinos added that smaller merchants not covered still could get EV certificates through a third-party payment processor that is verified.
Microsoft will recognize certificates only from authorities that are independently audited, details for which are spelled out in the 65-page draft guidelines.
Mozilla's Firefox and Opera Software ASA's Opera browsers also will eventually recognize EV certificates, though their makers committed to no timetable. Until then, an EV certificate would trigger a closed padlock like regular certificates, nothing more.
Window Snyder, Mozilla's chief security officer, said developers were trying to figure out the best way to highlight an EV-certified site, whether it's through a green bar or another means.
Unlike previous attempts by Microsoft to move forward with technologies before standards were ready, few criticized the Redmond, Wash., software company's moves, noting that the technical portions of the standards have largely been agreed upon. What's left deals mostly with procedures for how to validate smaller merchants.
Comodo believes it could be done within two months; VeriSign worries it could take longer and is reluctant to wait.
"It's unfortunate that it's not extended as far as it is right up front, but given the fact that identity theft is a very real thing, consumers need better tools in order to have confidence," said Greg Hughes, chief security executive with Corillian Corp., a provider of online banking technology. "This is the right thing to do and now is the right time to do it."
©MMVI, The Associated Press. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed.
- THANK YOU to Microsoft and Verisign and everyone else involved in bringing me safe on-line shopping.
I'm a busy mom, and I buy ALL our clothing, hard-to-find toys, even an original toilet tank lid for a 50 year old toilet online, often at 3am.
IT'S A MIRACLE!
- Another reason to love Microsoft-- though claiming to be the friend of every small business person willing to shell out for MS Office, the MS resolution of the EV problem will not be done "before its time", presumably with as much energy and concern as some of the other IE flaws MS took its time to address.
The concern here is a half-baked security measure-- no matter how popular-- remains inadequate. Like a "white-list" spam filter, the EV filter will identify good guys with a green bar, but that leaves everybody else in the "unknown" white bar. That, in turn, leaves the "commit to buy" decision to be made with no more reliable information than before for any of the smaller firms which comprise an increasingly hefty share of the web metropolis. EV certification is like having a street map of Minneapolis, with only larger residences and (paying) businesses listed-- you may not find your destination safely.
- Make EV Work for Real People, First-- 2
Meanwhile, smacking their lips in sympathy, Verisign and other EV vendors just "cannot wait any longer"-- especially when the EVs are selling at a premium price.
The Texas web business owner does pose a puzzle, though. Why is she worried about assuring her visitors with EV certificates, when they knowingly choose her address from a printed source or trusted site, to begin with? The only scenario in which EV assurance would be especially important is when a user responds to an email link (hyperlink)-- say, in a spam message. Our little lady from Texas is not planning to spam her way into the hearts and minds of prospects, is she? Hmmmmm?
- "starting to sell the EV certificates to the larger companies — for hundreds of dollars more than regular certificates to cover the validation costs."
Of course, and THAT is what the whole thing is about- charging merchants hundreds of dollars in annual FEES for this scheme. It also excludes the little guys, not only due to costs but the lack of incorporation and being on their database.
It's not the big companies who need this- most have 800 numbers and other published information on their web site and in Google to call and do business with, the little mom/pop operation and "Joe Blow" selling crafts on a web site can't afford $500 a year for a fee for some schlocky green bar, nor would they likely make enough income to qualify as a "business" to be incorporated, have an 800# and thus be verified.
I see the crooks getting around this too before long. The better way may be credit card verification connected to a physical billing address and used to pay for the domain and web site hosting.