IE 7 gives secure sites the green light

Phisher-busting feature is go...

By Joris Evers

Published: 5 February 2007 08:20 GMT

Microsoft has quietly flipped the switch on a new feature in Internet Explorer 7 meant to combat phishing scams.

In early January, the software giant made a change on its computer systems that allowed websites fitted with a new type of security certificate to display a green-filled address bar in IE 7, Markellos Diorinos, a product manager for Windows at Microsoft, said in an interview.

Diorinos said: "We have rolled out many of the parts that are required to get it working. We're coming close to the point where all the moving parts are in place." Microsoft plans to promote the green bar at this week's RSA Conference in San Francisco, an annual security confab kicked off by Microsoft chairman Bill Gates.

The coloured address bar, a new weapon in the fight against phishing scams, is meant as a sign that a site can be trusted, giving web surfers the green light to carry out transactions there. The green bar already appears on the secured sites of Overstock.com and VeriSign.

VeriSign has about 300 customers, including online retailer Overstock.com, that have signed up for the green bar certification process, said Spiros Theodossiou, a senior product manager at VeriSign. The company plans to unveil the names of more participating websites at the RSA Conference, he said.

Phishing scams cost businesses millions of dollars and hurt consumer trust in the internet. Nearly $2bn in US ecommerce sales were lost in 2006 due to security concerns, a recent Gartner survey estimated.

Diorinos said: "We want users to build up their confidence and feel safe again about transacting online. EV [extended validation] is one of many things we're doing to achieve that."

IE 7, Microsoft's newest web browser, will show a green address bar only when displaying a website that has an "extended validation certificate", or EV SSL. This is a new type of security certificate being sold by the same companies that sell Secure Sockets Layer, or SSL, certificates, which allow traffic to be encrypted and are indicated by a yellow padlock in web browsers.

There is broad industry agreement that web browsers need to better identify trusted sites. The padlock icon used today was designed to show that traffic with a website is encrypted, and that a third party, called a certification authority, has identified the site. However, the system has been weakened by lax standards and loose supervision.

EV SSL certificates are just like those that allow encrypted connections between browsers and sites. The difference is that the identity of each certificate holder has been verified. Requestors will be subject to a strict vetting process that all issuers must follow. As a result, EV certificates cost more than traditional SSL certificates.

Microsoft is the first browser maker to adopt the EV SSL certificates. Some say Redmond even jumped the gun by adopting an unfinished standard for issuing the certificates. Other browser makers are still contemplating how to support the new certificates in their products.

Initially, only incorporated entities will be able to get the trust indicator - a rule that shuts out smaller businesses. The CA Browser Forum, the organisation that drafts the rules for EV SSL certificates, is still working on guidelines that would include all legitimate websites.

Joris Evers writes for CNET News.com
