When was the last time you looked at your Padlock?

The little gold SSL padlock, that is.

VeriSign is reported to be saying some interesting things about changes they would like to see to increase user trust in SSL certificates. Most would agree that the level of protection from SSL encryption has made a huge improvement to online commerce for a very minimal investment (even “official” intermediary-signed SSL certs can be purchased for as little as $30 each). However, the ubiquity of SSL, and the lack of a unified standard root authority, has come with a trade-off in the validity of the certificates. In other words, as the old adage goes, the lower the barrier to adoption, the higher the rate of fraud.

So, if you are a certificate-selling company, you are probably debating how to introduce new controls to (re)establish the trustworthiness of the padlock (and raise prices). The browser companies are therefore also considering how to upgrade the padlock to represent the upcoming upgrade in “assurance”. Well, actually, to be fair, they are considering how to represent the assurance that was supposed to happen in the first place, now that the current icon has been watered down to represent “RC4128” and not much more:

When the padlock was first invented by Netscape in the early days of the Web, it stood for a secured connection with an identified Web site. That changed when some certification authorities started lowering their verification standards and discounting certificates, said Judy Shapiro, vice president of marketing at Comodo. “Browsers did an end-run around this. Nobody expected anyone to delete what was a key part of the certificate issuance process, which was the business verification,” she said. “Browsers were unprepared to display high assurance and low assurance certificates in a different way.”

Kudos to Comodo for saying so… I guess if you have lost control of a currency’s value, you have to print new currency to reestablish control.

Balzana Olive Oil

I wasn’t going to say anything about the 2005 batches of Balzana California Extra Virgin Olive Oil (more for me, you know) but some friends convinced me that I should be generous and share the news. So in very rare fashion, here goes a recommendation…

It’s an oil derived from several varieties of olives chosen by Mr. Edmunds himself with an unbelievably smooth and rich hint of pepper. The “extra virgin” means the olives are grown very near the place that the final oil is produced. Seriously good stuff.

The last thing I can remember from Santa Cruz that tasted this good was a 2000 Bonnie Doon Big House Red. Give ol’ Merritt a call and get some for yourself:

Merritt Edmunds, Balzana
2655 Warren St., Santa Cruz, CA, 95062
831.475.7873 or 800.815.9775
info@balzana.com

Actually, is it single barrel oil or small batch…? I’m going to have to buy a case of the stuff just to be sure I don’t run out.

It seems to go well with anything, but I’ve been tasting it with the Explorateur triple creme, a super buttery and almost grotesquely moldy cheese from Ile de France.

Sober Day, 2006

F-Secure has an excellent write-up on their blog that details an impending Sober attack, scheduled for January 06, 2006:

Sober.Y was the biggest email outbreak of the year. It still is responsible for around 40% of all the infections we see. This variant is programmed to activate on January 6th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever. The virus even synchronizes the machines via atom clocks so the activation will not happen before January 6th, even if the clock of the computer is incorrect.

Scan early, scan often. But the more interesting part of their log entry is this:

The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn’t want to talk about it publicly then – we didn’t want to fill in the virus writer on this. But he must know this by now.

And then they give examples of the URLs. Nice work.
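What precalculated URLs buy a defender, as an added example that is not from this post or from F-Secure: once the date-keyed hosts are known ahead of time, a watchlist for the activation window can be built and proxy logs checked for infected clients. The generator below is a hypothetical stand-in (the post does not give Sober's algorithm), and the hostnames, addresses and log lines are constructed.

```python
import hashlib
from datetime import date, timedelta

def candidate_hosts(day, per_day=3):
    """Hypothetical stand-in generator, NOT Sober's algorithm:
    hostnames depend only on the date, so anyone can precompute them."""
    hosts = []
    for i in range(per_day):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        hosts.append(f"{digest[:10]}.example")  # reserved TLD, constructed
    return hosts

def build_watchlist(start, days):
    """Map every candidate host in the window to the date it is keyed to."""
    watch = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for host in candidate_hosts(day):
            watch[host] = day
    return watch

def scan_proxy_log(lines, watch):
    """Return (client, host, keyed_date) for each request to a watched host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        _ts, client, _method, url = parts[:4]
        # Strip scheme, path and port; hostnames compare case-insensitively.
        host = url.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
        if host in watch:
            hits.append((client, host, watch[host]))
    return hits

ACTIVATION = date(2006, 1, 6)            # activation date quoted in the post
WATCH = build_watchlist(ACTIVATION, 14)  # two-week window, arbitrary choice

# Constructed sample proxy log: timestamp, client, method, URL
SAMPLE_LOG = [
    "2006-01-06T08:00:01Z 10.0.0.12 GET http://www.example.org/index.html",
    f"2006-01-06T08:00:07Z 10.0.0.44 GET http://{candidate_hosts(ACTIVATION)[0]}/download",
    f"2006-01-07T09:13:00Z 10.0.0.44 GET http://{candidate_hosts(date(2006, 1, 7))[1].upper()}:80/x",
    "garbage",
]

if __name__ == "__main__":
    for client, host, day in scan_proxy_log(SAMPLE_LOG, WATCH):
        print(client, host, day)
```

A hit identifies a client that needs cleaning, which is the same information the affected ISPs would need in order to act on the precomputed list.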