IE7's anti-phishing scheme worries small business owners

John A

Microsoft's new Internet Explorer 7 has a special bar that turns green when visiting "safe" sites, which it determines if it receives a special strict security certificate from Microsoft. But, small business owners and corporations are worried that users will leave their sites feeling unsafe, as they are not eligible to smaller businesses.

A green bar isn't a seal of approval, it's just certification that the site is a legitimate business, says Microsoft. The bar also displays the name of the company to further confirm with the user that they're at the site they intended to be at.

As Internet Explorer 7 usage increases (most significantly after Windows Vista's launch), more people will trust those green bars that tell users that they're safe. Then they'll feel unsafe when they view "probable phishing" sites, and likely stop viewing them.

However, I think the prediction that traffic will be lost is partly untrue. For example, has anyone forgotten about all the other browsers that everyone uses? People using those browsers certainly won't stray away from sites that don't issue that special certificate. And there's a big chunk of users that don't use Internet Explorer: around 30%. So only 70% of the traffic could possibly be endangered.

Who is it that will most likely trust those green bars? Most likely older grannies and people that are over-concerned about their safety. And since those aren't in huge numbers, (just think about the number of people that get scammed every day on the Internet) it's only going to be that small number that actually does and believes whatever the browser tells them.

Many people ignore IE's certificate warning on unsafe sites, and can get scammed. Those dumb people don't even deserve to be visitors on your site. Sorry if it sounds so harsh, but that's the way it is.

Another reason businesses don't have to be terribly concerned (yet) is that the green bar only goes into effect once Windows Vista is launched. And so then it will take a while for some people to switch to Vista, if ever. Windows XP is still pretty good, so they don't see a need to switch.

Lastly, I think it could work backwards in a negative way. If only large businesses will get these certificates, what does that mean for the rest of the web? That they will get no certificates, right. And I wonder how many people only visit large corporations/businesses when they surf the web. That's right, very few.

The rest will be constantly viewing sites without the green bar, and will soon get so used to it, they won't even notice it. I know that most sites you visit will not have SSL, but over time you will visit quite a number of sites that don't have a certificate. (Just a side thought: I wonder if DaniWeb will be eligible for this special strict Microsoft certificate... not that we actually need one ;)) There are so many e-commerce sites out there that aren't big enough, (more than 20 million) that it's inevitable you will need to buy from a site that doesn't issue a certificate.

So while many small corporations are worrying, I think it's Microsoft that should worry whether it's actually going to be that much good. And frustrated users may just go and switch web browsers. Who knows.

jwenting 1,889 duckman Team Colleague

The only thing about that functionality that annoys me is that even if you explicitly declare you want to trust a certificate that's for example expired or handed out by a non-trusted authority (like our self-issued certificate we use at work for the intranet/extranet which for some obscure reason uses SSL) it won't remember that and present you with the same "untrusted site, continue or not?" warning the next time you visit that site.
That might be a bug in IE7, or it might be part of the functionality that will only work fully in Vista, but it annoys me.
Apart from that, I think it's a great idea that there's an extra step involved in visiting sites that don't have a valid SSL certificate yet are using SSL. It will stop a lot of phishing attempts, which often work like that.
And as the kinks are worked out there will no doubt be ways for smaller businesses to also get that seal of approval.

MattEvans 473 Veteran Poster Team Colleague Featured Poster

My university's email site gets a red bar because of an expired certificate... IE7 sort of 'herds' you away from it, it asks a question, the gist of which is "do you want to continue to this site" but the wording is such that an answer "yes" is a "yes I do not want to risk visiting this site".

It annoys me, but then all browsers give me a similar warning: just worded more intelligibly.

jwenting 1,889 duckman Team Colleague

In fact, that question is worded quite deliberately to have a "yes" stop you from entering the potentially insecure site.
Most people will click "yes" or "ok" on any question without reading it and this way those people are prevented from entering places that could compromise their systems.
If you don't read, tough luck. Better than people claiming that IE7 is bad because it doesn't stop them from visiting sites that deliver malware onto their machines...

MattEvans 473 Veteran Poster Team Colleague Featured Poster

Well, an invalid SSL certificate isn't malware; and I'm absolutely sure it's worded to stop me entering the site. However, a site with a valid SSL certificate could be more dangerous than a site with an expired SSL certificate; all it means is some agency has confirmed that site's owner is who they say they are.

I think the best use of SSL is as a developer; you can ensure that a well made browser (including IE) will notify a user if any cross site scripting is about to happen. Java (JNLP and applets) have had a similar certificate thing going on for quite some time; but you can "buy" valid certificates legally and illegally, so it becomes quite meaningless.

With regard to that herding message, it's just plain rude to assume I'm not going to read it. It's big and bold enough already to notify me there's an issue. Admittedly though, I didn't read the message, so perhaps it's a good thing.
