Extended Validation SSL Update

I am Craig Spiezle, Director of Online Security and Safety for Microsoft Internet Explorer. While I am new to this role, I've been at Microsoft for over 10 years, very involved in usability and online safety, helping users realize their potential while being confident that their data and privacy are protected. In response to mounting online threats, Microsoft recently launched a $250,000 sweepstakes campaign to show users how Internet Explorer and innovative technologies can enhance online trust and confidence. Leveraging the stop-light metaphor of red for stop and green for go, the interactive site demonstrates this to users while giving them chances to win one of 25 $10,000 shopping sprees with PayPal. Visit the site today, download Internet Explorer 7 and enter to win: www.microsoft.com/ie/confidence. Hurry, entries must be received by January 31, 2008.


Internet Explorer integrates dynamic phishing protection and support for the emerging Extended Validation SSL Certificate program, just two of several investments to help protect users, their data, their PC and their privacy.


The Microsoft Phishing Filter provides dynamic protection from known phishing sites, blocking nearly 1 million exploits each and every week. This is an opt-in service that operates in the background and provides an early warning system to notify users of both suspicious websites that could be engaging in identity and data theft and those confirmed to be phishing sites. By design, user privacy has been at the forefront of this service, and third-party audits have verified that no personal information is collected by Microsoft or any third party.[1] http://www.jeffersonwells.com/client_audit_reports/Microsoft_PF_IE7_IEToolbarFeature_Privacy_Audit_20060728.pdf It relies on browser-based heuristics to analyze Web pages in real time and warn users about suspicious characteristics as they browse. This client-side technology is combined with dynamically updated information that helps prevent users from interacting with confirmed phishing sites reported to Microsoft by a network of third-party data-provider partners and a community of users who help provide information on potential and confirmed phishing sites.


However, phishers have also been able to obtain 'valid' SSL certificates for their spoofed sites. Looking for the gold padlock icon is important, but without identity information users can end up sending their personal information to the wrong website. Historically, the SSL padlock (the gold lock) was the one way users had to answer the question of who they were really talking to, and it was the only indication of any security whatsoever. While helpful, SSL only means that I have an encrypted connection to someone. So someone with malicious intent could set up a site that closely copied the look and URL of a legitimate business, get an SSL certificate, and try to fool users into giving up sensitive personal information via a phishing or social engineering attack.


Responding to these threats, the CA/Browser Forum has developed the new Extended Validation SSL Certificate, or EV SSL. EV SSL leverages proven SSL technology and adds a new process for vetting the identity of the business that is requesting the certificate, offering an improved level of authentication for securing transactions on its Web site. Given the standardization and rigor of the vetting process, users can realize a higher level of online trust and confidence.


Internet Explorer 7 is the first browser to fully support EV SSL, and here's what that looks like (in this instance when visiting http://login.live.com). You will notice that the address bar turns green to signal that identity information is available, and the name and country of the business are shown right there on the address bar (here "Microsoft Corporation [US]"). If a user wants to see more information about the company behind a website, he can simply click on the name of the company; the identification popup immediately shows the name and address of that company.
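As an added illustration (not code from the original post or from Internet Explorer), the following Python walks a certificate Subject the way a browser must in order to produce the "Organization [Country]" label shown above, and contrasts it with a domain-validated certificate whose Subject carries only a CN and therefore yields a padlock but no identity. The DER helpers and the two sample Subjects are constructed for this example and assume attribute values shorter than 128 bytes.

```python
# Added example (not IE's code): derive the EV address-bar label from an X.509 Subject
# with a minimal DER walker. Sample Subjects below are constructed, not from a real cert.
OID_C, OID_O, OID_CN = "2.5.4.6", "2.5.4.10", "2.5.4.3"

def _tlv(data, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes to dotted form (base-128 sub-identifiers)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Flatten X.509 Name = SEQUENCE OF SET OF SEQUENCE{OID, string} into {oid: value}."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = {}, 0
    while pos < len(body):
        _, rdn, pos = _tlv(body, pos)      # RelativeDistinguishedName (SET)
        _, atv, _ = _tlv(rdn, 0)           # AttributeTypeAndValue (SEQUENCE)
        _, oid, p = _tlv(atv, 0)
        _, val, _ = _tlv(atv, p)
        attrs[_decode_oid(oid)] = val.decode("utf-8")
    return attrs

def ev_label(subject):
    """Text IE7 paints in the green bar, or None when the Subject names no organization."""
    if OID_O in subject and OID_C in subject:
        return f"{subject[OID_O]} [{subject[OID_C]}]"
    return None

# Tiny DER encoder, only to build the constructed sample Subjects (all values < 128 bytes,
# every OID arc < 128, UTF8String used for every value for brevity).
def _der(tag, content):
    return bytes([tag, len(content)]) + content

def _encode_oid(oid):
    a = [int(x) for x in oid.split(".")]
    return bytes([a[0] * 40 + a[1]] + a[2:])

def make_name(attrs):
    rdns = b"".join(_der(0x31, _der(0x30, _der(0x06, _encode_oid(o)) + _der(0x0C, v.encode())))
                    for o, v in attrs)
    return _der(0x30, rdns)

EV_SUBJECT = make_name([(OID_C, "US"), (OID_O, "Microsoft Corporation"), (OID_CN, "login.live.com")])
DV_SUBJECT = make_name([(OID_CN, "login.live.com")])  # padlock only: nobody vetted an organization
```

A browser paints the green bar only after the chain has validated to a root whose registered EV policy OID appears in the certificate's certificatePolicies extension; the Subject label alone is never the EV decision.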


This is great news for Internet users: they now have an easy and reliable way to verify that they are on the correct site, and they don't have to worry as much about phishing attacks or deceptive websites, as long as EV SSL is used. Furthermore, when they are transacting with a new website that uses EV SSL (say one they found through shopping.msn.com), they can easily identify the company behind the website, which helps them legally pursue a claim if the site doesn't deliver as promised, adding an element of accountability to the web. Remember that most sites will use a secure connection (https://, which will show you the green bar if they are using EV SSL) only when you are about to exchange sensitive information, such as when you log in or are about to check out your cart. If you wonder about the different colors of the address bar and how to use them in making trust decisions, you will find this description of the Internet Explorer 7 Security Status Bar helpful.


Today nearly 3,500 sites are protecting their customers with EV SSL, including Alaska Airlines, AutoZone, British Airways, eBay, FedEx, PayPal, Microsoft, Royal Doulton, The Body Shop UK, and Travelocity. In addition, leading financial services firms worldwide have been quickly adopting it, including the Banque Nationale du Canada, Charles Schwab, Deutsche Bank, SunLife, Sovereign Bank, UBS, and Vanguard. While the Microsoft Phishing Filter and EV SSL alone will not solve all of the internet's ills, combined they are an important step to protect brands and consumers alike.


Craig Spiezle

Director Safety & Security

Windows Internet Explorer Product Management


[1] Third-party audit performed by Jefferson Wells. More information is available at www.microsoft.com/safety/antiphishing

Comments (4)

  1. Did you see this post at blogs.msdn.com

  2. Internet Explorer 7 is the first browser to fully support Extended Validation SSL and below is the update

  3. Andre Kirchner says:

    Hi Craig,

    I have a Hotmail account, and I know it uses the Sender ID Framework (SIDF) to authenticate received messages. And recently I received a message from viff@viff.org, but viff.org's mail server doesn't have an SPF record. (I searched for mail.vifc.org at http://www.kitterman.com/spf/validate.html?).

    Which mechanism does the Hotmail mail server use to authenticate a message in this case?

    Thanks in advance,


  4. Mattie says:

    I know there is a secure block in place so that no one has access to anything that I receive or any message that I may write. Is there a check box anywhere that I need to sign to be sure that all is secure?
