I keep hearing about this idea and every time I hear it I kind of cringe. In a recent blog post the folks at Internet Explorer talk about high assurance SSL certificates for Internet Explorer, Firefox, Opera, and Konqueror (I guess Netscape was left out?). The concept is pretty simple and I encourage you to read the IE blog for more details. Webmasters buy a high assurance SSL certificate which shows the public that they are trustworthy and for their troubles the browser community thanks them with a nice green URI field.
So I have to go out and buy updated SSL certs for every single SSL server I have so that we are actually trusted - because only phishers use that normal SSL stuff I guess. Now everyone has these high assurance SSL certs and only the chumps who are doing dev work or just can’t afford it have the snakeoil or non-assured SSL certs. And now there will have to be a lowered bar so that everyone can buy them (quickly too). And lastly you end up with SSL certs all over again, only this time you’re paying 10x more for them.
And let’s not forget our dear friend XSS which totally obviates the need for me building my own phishing site or buying my own SSL cert. Oh, and don’t forget that MOST phishers don’t use SSL enabled sites, since users don’t know the difference anyway.
Okay, I get it… they’re trying to build a whitelist and they can’t think of any “fair” way to do that. Using that whitelist they want to educate the users (I’d argue that that hasn’t worked super well in the past so I don’t know how this will help). There’s just got to be a better way to do it that doesn’t make us end up with the same thing we all started with in the first place.