From the April/May 2008 Issue
If you’re old enough to remember the “pre-laser printer days”
(and the profession’s demographic says nearly 80 percent of you are),
you’ll no doubt recall that old dot-matrix and line printers were often
loaded with lined paper that we loving dubbed green-bar. We’d print box
after box of reports and pass them around, mark them up, and generally try to
find information in all those data. Mercifully, Hewlett Packard came along with
its LaserJet+, and we all very quickly ended our affair with green-bar. Well,
now it’s back.
The Modern Green Bar
The green-bar of 2008, however, is very different from its earlier namesake.
This latest version, in fact, has nothing to do with printers or reports but
has everything to do with Internet security. The “green bar” to
which I refer is techno-slang for an emerging anti-phishing standard called
“extended validation.” What?
A Little Background
Let me provide some background. Computers don’t deal well with names,
but rather only with numbers. The basic design of the Internet requires that
each machine connected to the Internet have a unique “address.”
While we humans see these address URLs [Unique Resource Locater] as text, as
or www.Google.com or www.CPATechAdvisor.com,
our computers actually need help. The solution is hidden in a process referred
to as the Domain Name System [DNS], which associates these so-called domain
names with the more computer-like IP [Internet Protocol] address (i.e., 204.737.188.166)
that networking equipment needs to establish a connection.
While that sounds perfectly benign to honest people, it opened the door for
a new style of scam — popularly referred to as phishing — in which
the bad guys pretend to be someone they are not. As contrasted with fraud in
the physical world, mimicking a website in the digital world proved to be all
too easy. The early solution to this was SSL or Secure Sockets Layer (SSL).
This cryptographic protocol ensured secure communications on the Internet and
provided a visual indicator of that security via the familiar “padlock”
icon being displayed. The SSL indicator could only be displayed if a site was
registered and had received a special kind of “certificate.” Consumers
quickly adapted. Problem averted.
But crooks are ingenious and have refined those early attempts to mimic, and
by 2005 the Internet was seeing large-scale phishing attacks using low-authentication
(read: current version) SSL certificates to fool people into assuming the legitimacy
of every SSL site.
The problem is that even the bad guys can register a current version SSL certificate.
It ensures security, but with WHOM? Do you really CARE if your transaction is
“secure” when you’re sending money to a crook?
The New Security Certificate
Enter green bar! There is now a new kind of SSL certificate called an Extended
Validation (EV) SSL certificate. These new “super certificates”
can only be issued by a select few very high-level “certificate authorities.”
Each of these high-level issuers must undergo independent audits to confirm
their compliance with special standards relative to their business verification
These select authorities then extend those special verification processes,
including verification of the organization’s identity, the validity of
its request and the overall legitimacy of the business to each EV-SSL they issue.
The fee for this “special service” is usually several hundred dollars
as opposed to less than $10 for the traditional domain registration. The expected
result is that every website showing an EV-SSL certificate will have been thoroughly
vetted to make absolutely sure that they are, in fact, exactly who they say
they are AND that the transaction you’re about to make is, in fact, secure.
In other words, Internet users get every bit of the security they get today,
plus the new system ensures that the organization with whom they’re about
to transact business is bona fide.
Now, back to green bar. New browsers, like Internet Explorer 7.0 (there’s
a plug-in for Firefox, too), will automatically recognize these super certificates,
and the address bar will actually TURN GREEN when it’s “safe to
proceed,” yellow when caution is warranted and red when danger is apparent.
Older browsers behave exactly as they would with a non-EV certificate. Since
last year’s launch of these new certificates, banks and other financial
organizations have been quick to adopt them and also quick to advertise the
benefit to their customers.
The Importance to Practicing Public Accountants
To those of us practicing public accounting, this will soon become very important.
We’re facing a perfect storm in the confluence of the general media beginning
to cover this new “Internet thing-y,” security experts continuing
to warn of increasingly effective phishing attacks, certificate issuers like
VeriSign and Network Solutions and major Internet vendors like PayPal and eTrade
touting the advantages their extended validation sites offer, and Microsoft
promoting IE 7 and Vista. Our clients will most certainly hear the message,
and the message will be clear and consistent: “Trust only the green bar!”
Once consumers see the “green bar” on one site, they’ll begin
asking for it on others. The new system is much more visible than the old, familiar
padlock icon, and the new system warns with yellow and red bars. Consumers will
most definitely take notice! Will we as practicing tax and accounting professionals
As of this writing, we are most certainly not, and neither is the industry
serving us. I was able to identify only one lone vendor — newcomer Copanion with their GruntWorx scan and organize product — that has seen fit to add this soon-to-be industry standard level of security. Not one other vendor in our space has implemented EV-SSL. Block’s
TaxCut, Intuit’s TurboTax and CCH’s CompleteTax all use SSL, but
none have added EV. In the online accounting world, NetBooks, NetSuite, QuickBooks
Online and Accountants Relief all lack EV. And neither ADP, PayChex nor PayCycle
yet employ the new standard. Thomson Creative Solutions, whose NetClient portal
product boasts some 150,000 end users, has also yet to adopt. When I contacted
these and other vendors offering our profession (and our clients!) services
that would seem to be perfect candidates for extended validation, I heard comments
- “While we are aware of the new Green Bar certification, we need to
evaluate it further.”
- “… found out about this only last week. Then, I went to many
websites to see if anyone has yet implemented it. Even Chase hasn’t
- “We’re going to be implementing it. I believe it is a very good
- “We have considered it but haven’t gotten strong feedback about
the importance of implementing this feature.”
- “There is no increase in security over a “normal” SSL
certificate; it uses the same encryption.” I predict that we’ll
begin hearing comments from clients soon.
There is a great deal of emphasis on data security; it is number 1 on the 2008
AICPA Top Technology Initiatives list (see page 96) for the sixth straight
year! And as a profession, we should be taking a leadership position. And our
vendors should be there with us. We deserve it, and so do our clients.
Tell your vendors, “We want our green bar!!”
Microsoft demonstration website for Extended Validation certificates; “Woodgrove
Bank” is not an actual business.
PS: Verisign.com has some very informative whitepapers available on extended
validation. You may find them interesting reading.