I’ve been meaning to mention this for a while, and today I got another reminder when I went to eBay to see how much I could get for a Dell PowerEdge 600SC server:
In IE7, the Address bar turns green to indicate that the secure connection is backed by an “extended validation” certificate from a trusted certification authority (in this case, Verisign). So far, I’ve seen these certificates at PayPal and eBay, both of which are prime targets for phishing attacks.
When these certificates were announced, there was a bit of a brouhaha about how they would turn mom and pop retail outlets into second-class citizens. But organized criminals aren’t aggressively attacking those little sites; they’re going after the big names. So this approach makes sense. (Not only that, but many small businesses use PayPal or eBay stores for payment and order processing, which means they get the enhanced security without having to pay for an expensive certificate.)
Have you seen these certificates anywhere else?
Update: If you’re running IE7 on Windows XP, you’ll need to go to Windows Update and get the Root Certificates update (in the Optional section) before this feature will work.
Yes, I’ve seen one at overstock.com.
hum:
Is this a Vista thing? I am running XP Home with IE7, but my address bar does not turn green on eBay or PayPal. But I have the eBay toolbar, and the Account Guard turns green. Please advise. Thanks, Ron
Rob,
You need to go to Windows Update and get the Root Certificates update for Windows XP.
After just playing around, I found that only some eBay pages turn green: the https: ones, like the sign-in page and bidding. When you are doing most things, like looking at the My eBay page or looking at items up for bidding, it is white and not secure on http:. I guess just the https: pages are green.
Yes, the only time a certificate is involved is when you’re on a secure page.
Thanks Ed:
You had me scared for a minute there. You might be a little more clear on what makes a site go green, or maybe I should do my homework a little more thoroughly. Thanks, Ron
My one worry about this sort of thing is more behavioral than technical. If someone doesn’t know that they should look for this when they’re hit with a spoof site, how will something like this help them?
“When these certificates were announced, there was a bit of a brouhaha about how they would turn mom and pop retail outlets into second-class citizens. But organized criminals aren’t aggressively attacking those little sites; they’re going after the big names. So this approach makes sense.”
You don’t get it.
The “brouhaha” is not about the potential for people to say “I don’t trust this mom-and-pop store because it’s yellow instead of green”. It’s that the “extended validation” is basically just the CA (certificate authority) verifying that the business exists at a certain (postal) address and that the company owns any trademarks required to own the domain name.
That’s the entire point of the CA in the first place. The CA is supposed to get me that level of trust for /every/ website, not just those that have paid extra $$$ for this “protection money”. As a consumer, what use is a non-EV (extended validation) SSL certificate to me? It merely tells me that the person who owns http://www.oaypal.com (sic) was willing to pay a few hundred dollars to make his site look authentic.
By allowing the CAs to create the new EV certificates, and by separating EV and non-EV certificates in the browser, we are accepting that the certificate authorities’ meagre effort to protect consumers is somehow O.K. We are saying, “yes! Of course the certificates you have been producing are useless to consumers! Instead of actually fixing it by requiring more stringent measures, you can continue your gravy train /and/ open a new service which is actually useful!”
That is why the Mozilla Foundation isn’t putting in support for EV SSL (a website with EV SSL will appear to the user just like a website with normal SSL). On principle.
Digicert, a CA: “In the very near future sites without EV SSL will be at a serious disadvantage in the e-commerce marketplace.”
Not only is it a great money-making opportunity for the CAs, it also allows Microsoft to claim that Mozilla (etc) “is not committed to security”.