From the April/May 2008 Issue
If you’re old enough to remember the “pre-laser printer days” (and the profession’s demographic says nearly 80 percent of you are), you’ll no doubt recall that old dot-matrix and line printers were often loaded with lined paper that we loving dubbed green-bar. We’d print box after box of reports and pass them around, mark them up, and generally try to find information in all those data. Mercifully, Hewlett Packard came along with its LaserJet+, and we all very quickly ended our affair with green-bar. Well, now it’s back.
The Modern Green Bar
The green-bar of 2008, however, is very different from its earlier namesake. This latest version, in fact, has nothing to do with printers or reports but has everything to do with Internet security. The “green bar” to which I refer is techno-slang for an emerging anti-phishing standard called “extended validation.” What?
A Little Background
Let me provide some background. Computers don’t deal well with names, but rather only with numbers. The basic design of the Internet requires that each machine connected to the Internet have a unique “address.” While we humans see these address URLs [Unique Resource Locater] as text, as in www.Microsoft.com or www.Google.com or www.CPATechAdvisor.com, our computers actually need help. The solution is hidden in a process referred to as the Domain Name System [DNS], which associates these so-called domain names with the more computer-like IP [Internet Protocol] address (i.e., 204.737.188.166) that networking equipment needs to establish a connection.
While that sounds perfectly benign to honest people, it opened the door for a new style of scam — popularly referred to as phishing — in which the bad guys pretend to be someone they are not. As contrasted with fraud in the physical world, mimicking a website in the digital world proved to be all too easy. The early solution to this was SSL or Secure Sockets Layer (SSL). This cryptographic protocol ensured secure communications on the Internet and provided a visual indicator of that security via the familiar “padlock” icon being displayed. The SSL indicator could only be displayed if a site was registered and had received a special kind of “certificate.” Consumers quickly adapted. Problem averted.
But crooks are ingenious and have refined those early attempts to mimic, and by 2005 the Internet was seeing large-scale phishing attacks using low-authentication (read: current version) SSL certificates to fool people into assuming the legitimacy of every SSL site.
The problem is that even the bad guys can register a current version SSL certificate. It ensures security, but with WHOM? Do you really CARE if your transaction is “secure” when you’re sending money to a crook?
The New Security Certificate
Enter green bar! There is now a new kind of SSL certificate called an Extended Validation (EV) SSL certificate. These new “super certificates” can only be issued by a select few very high-level “certificate authorities.” Each of these high-level issuers must undergo independent audits to confirm their compliance with special standards relative to their business verification practices.
These select authorities then extend those special verification processes, including verification of the organization’s identity, the validity of its request and the overall legitimacy of the business to each EV-SSL they issue. The fee for this “special service” is usually several hundred dollars as opposed to less than $10 for the traditional domain registration. The expected result is that every website showing an EV-SSL certificate will have been thoroughly vetted to make absolutely sure that they are, in fact, exactly who they say they are AND that the transaction you’re about to make is, in fact, secure. In other words, Internet users get every bit of the security they get today, plus the new system ensures that the organization with whom they’re about to transact business is bona fide.
Now, back to green bar. New browsers, like Internet Explorer 7.0 (there’s a plug-in for Firefox, too), will automatically recognize these super certificates, and the address bar will actually TURN GREEN when it’s “safe to proceed,” yellow when caution is warranted and red when danger is apparent. Older browsers behave exactly as they would with a non-EV certificate. Since last year’s launch of these new certificates, banks and other financial organizations have been quick to adopt them and also quick to advertise the benefit to their customers.
The Importance to Practicing Public Accountants
To those of us practicing public accounting, this will soon become very important. We’re facing a perfect storm in the confluence of the general media beginning to cover this new “Internet thing-y,” security experts continuing to warn of increasingly effective phishing attacks, certificate issuers like VeriSign and Network Solutions and major Internet vendors like PayPal and eTrade touting the advantages their extended validation sites offer, and Microsoft promoting IE 7 and Vista. Our clients will most certainly hear the message, and the message will be clear and consistent: “Trust only the green bar!”
Once consumers see the “green bar” on one site, they’ll begin asking for it on others. The new system is much more visible than the old, familiar padlock icon, and the new system warns with yellow and red bars. Consumers will most definitely take notice! Will we as practicing tax and accounting professionals be ready?
As of this writing, we are most certainly not, and neither is the industry serving us. I was able to identify only one lone vendor — newcomer Copanion with their GruntWorx scan and organize product — that has seen fit to add this soon-to-be industry standard level of security. Not one other vendor in our space has implemented EV-SSL. Block’s TaxCut, Intuit’s TurboTax and CCH’s CompleteTax all use SSL, but none have added EV. In the online accounting world, NetBooks, NetSuite, QuickBooks Online and Accountants Relief all lack EV. And neither ADP, PayChex nor PayCycle yet employ the new standard. Thomson Creative Solutions, whose NetClient portal product boasts some 150,000 end users, has also yet to adopt. When I contacted these and other vendors offering our profession (and our clients!) services that would seem to be perfect candidates for extended validation, I heard comments like these:
- “While we are aware of the new Green Bar certification, we need to evaluate it further.”
- “… found out about this only last week. Then, I went to many websites to see if anyone has yet implemented it. Even Chase hasn’t implemented it.”
- “We’re going to be implementing it. I believe it is a very good idea.”
- “We have considered it but haven’t gotten strong feedback about the importance of implementing this feature.”
- “There is no increase in security over a “normal” SSL certificate; it uses the same encryption.” I predict that we’ll begin hearing comments from clients soon.
There is a great deal of emphasis on data security; it is number 1 on the 2008 AICPA Top Technology Initiatives list (see page 96) for the sixth straight year! And as a profession, we should be taking a leadership position. And our vendors should be there with us. We deserve it, and so do our clients.
Tell your vendors, “We want our green bar!!”
Microsoft demonstration website for Extended Validation certificates; “Woodgrove Bank” is not an actual business.
PS: Verisign.com has some very informative whitepapers available on extended validation. You may find them interesting reading.