Browser Makers Agree to Standards

Developers of four of the most widely used Internet browsers have agreed to make a number of changes to their products to make Web browsing a more secure and trustworthy experience.

Among the changes, which were informally agreed to during a recent meeting, are plans to create a new way of informing Web surfers that they are visiting a trusted Web site and major changes to the look of pop-up Windows.

Developers representing the Internet Explorer, Firefox, Opera, and the Konqueror browsers had been discussing ways to combat phishing and improve security in their products for about eight months, but they agreed to the new ideas during a meeting in Toronto on November 17, according to George Staikos, president of Staikos Computing Services, and a Konqueror developer.

Identifying Trusted Sites

The most noticeable change will be in the way that certain high-profile Web sites are displayed. Developers would like to make the browser's address bar turn green when browsers are visiting popular Web sites like eBay.com or Paypal.com, much in the same way that the Firefox address bar goes yellow and displays a padlock when visiting a secure Web site.

The green address bar will contrast with the red address bar that Internet Explorer (IE) 7's Phishing Filter will display on known and suspected phishing sites.

To make this happen, developers would introduce a new, and as yet undetermined, more rigorous way of creating digital certificates. Digital certificates are a kind of electronic identification card used by Web sites to prove that they are, in fact, who they claim to be. They are issued by "certification authority" companies, including Verisign and EnTrust.

Developers at the Toronto meeting agreed to create a way of making a new type of "high assurance" certificates, said Staikos. "We want to create a stronger identity mechanism for sites that require a stronger identity," he said. "We need to be able to tell the users, 'Yes, you're actually at your bank,' as opposed to, 'You're at a site that looks like it might be your bank and you're using encryption.'"

Current digital certificates are supposed to reassure users, but that trust is undermined by the fact that these certificates can be fraudulently obtained, Staikos said. "There have been organizations in the past that have abused the system," he said. "It's not widespread yet, but we know it's not hard to abuse."

Mozilla, Microsoft Agree

Developers from the Mozilla Foundation, which develops Firefox, and from Microsoft also endorsed the concept.

"This is pretty much a theoretical idea at this point, but something that would be interesting from a browser point of view," wrote Mozilla developer Frank Hecker, in an e-mail interview.

"We want to take the experience in the address bar a step further and help create a positive experience for rigorously identified HTTPS (HyperText Transport Protocol Secure) sites," wrote Microsoft developer Rob Franco in a post to Microsoft's Internet Explorer blog.

Franco has also posted examples of how these Web sites might appear in the upcoming IE7 browser.

In addition to the green background, IE would show the name of the company being visited along with the name of the certificate authority that vouched for the Web site, Franco wrote.

Pop-Up Changes Urged

Developers in Toronto also agreed to improve browser security by no longer allowing pop-up windows to be displayed without an address bar or a status bar. This will make it harder to mistake them for other types of Windows messages, Staikos said. "You'll always know that a window belongs to a Web browser," he said.

Internet Explorer will adopt this practice in IE7 and, like Firefox, it will show a lock icon in the address bar when it is viewing secure Web sites, Franco wrote.

There is much work to be done before the new types of certificates will be broadly adopted, but with the idea approved, at least in concept, by the browser makers, Staikos was confident that it would also be picked up as a profitable new product for certificate authorities.

"If we provide a facility for this, I think it would be downright silly for companies not to jump in and start issuing these things," he said.

But it's still going to be awhile before IE or Firefox users are seeing green, he said. "I would not be surprised if it takes at least a year and a half."

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
  
Shop Tech Products at Amazon