December 24, 2006

Internet Explorer 7 Delivers 20 Million Lumps of Coal to US Small Businesses (Including One to Yours Truly)

This subscription-only Wall Street Journal article from Tuesday (HT Precursor Blog via Don Luskin) has a shocker for every unincorporated business in the USA:

IE7 has a security feature that will turn Web-address bars green and display owners’ identities when consumers visit secure sites from businesses verified as legitimate. The color change will be a boon for consumers, who have been barraged in recent years with “phishing” scams designed to lure them to fake versions of popular Web sites, like eBay or their bank, to filch their account numbers. The hope is that the program will help reduce fraud, lift trust and boost e-commerce.

….. sole proprietorships, general partnerships and individuals won’t be eligible for the new, stricter security certificates that Microsoft requires to display the color. There are about 20.6 million sole proprietorships and general partnerships in the U.S., according to 2003 and 2004 tax data from the Internal Revenue Service, though it isn’t clear how many are engaged in e-commerce.

….. Avivah Litan, an analyst at Gartner Inc. and an expert on online payments and fraud (says that) “All the business is going to go to the greens, it’s kind of obvious.”

….. Small businesses are largely unaware of the issue today, but that seems destined to change after Vista reaches the market. “This is a ticking time bomb that is going to explode,” says Champ Mitchell, chief executive of Network Solutions LLC, a Herndon, Va., Web-hosting company and certificate authority.

….. “The Internet has been great for American small business,” by giving them wide exposure at a low cost, he says. “Microsoft all by itself is getting ready to tilt that field again at an 80-degree angle toward large business.”

In a nutshell, here is what the color scheme for IE7’s address bar is supposed to mean:

  • Green — Verified as a “legitimate” (i.e., incorporated) business.
  • Yellow — “Suspicious,” but ONLY because it is not on Microsoft’s so-called “safe list.”
  • Red — Part of a phishing scam, based on information obtained from others and confirmed by “human analysts.”
  • White — Supposedly, when Microsoft has no information about a site, the address bar will be standard white.

Based on these descriptions, obtained from the WSJ article, I have no idea what will determine the difference between “yellow” and “white.” I don’t see any meaningful distinction in the definitions. I can’t even tell whether “yellow” or “white” will be the “non-green” default.

This move’s tone-deafness reminds me of the horrific “smart tags” feature that MS attempted to put into IE6 back in 2001. In that case, MS just assumed it had the right to alter/hijack a site owner’s web pages by inserting keyword-driven hyperlinks into site content linking users to MS-favored partners, advertisers, and affiliates. MS withdrew “smart tags” from IE6 after a firestorm of outrage from site owners (while keeping them in versions of Office, which was an annoying but at least defensible decision).

In this case, MS will in effect be telling users that anyone whose address bar is white or yellow is suspicious, or worse.

I don’t even understand the concern over the legitimacy of secure sites. I can tell you from getting going as an unincorporated business that getting a Secure Sockets Layer (SSL) certificate, and getting approved to process debit-card, credit-card, and PayPal transactions are not easy tasks — despite the fact that I have a Dun & Bradstreet number, an employer ID separate from my Social Security Number, and a physical non-residential business address. In fact, before I could get my SSL cert, I had to get an Ohio Sales Tax certificate, even though there was no way I was ever going to be collecting any Ohio Sales Tax! I also was visited by someone representing the card-processing firm to make sure that my business really is where I say it is.

And for that, people who visit my site using IE7 (i.e., eventually about 80% of the browser market) get to, by default, be unsure about and suspicious of me? What an outrage.

And who really believes that IE7’s color-code scheme will even put a dent in phishing? This link indicates that the average lifespan of a phishing site is one hour (down from one week just a couple of years ago). In fact, the new IE7 regime will actually help phishers avoid apprehension — the moment they know that their site has “gone red” in IE7, they’ll know to shut down and disappear!

Anyway, the vast majority of phishing scams I have seen direct users to unsecure pages (i.e., their web addresses start with “http://”; secure page addresses always start with “https://,” show a lock symbol somewhere in the browser, and often have a site certificate seal). I wonder if IE7 will even go yellow, let alone red, on unsecure pages without site seals until they’re somehow flagged by “human analysts.”

At a minimum, IE7’s address bar color coding should not be allowed to go live until unincorporated businesses can be screened, or until they have the opportunity to get “upgraded” certificates. If that is not acceptable to the folks in Redmond and the alleged security geniuses who cooked up this garbage, they should be forced to abandon the color coding entirely, which I think is the far better option.

I found a URL for contacting Microsoft, though I don’t know if it’s the best available for commenting on this particular matter (e-mail me if you have a better suggestion). Talk about irony — When I went there, I was greeted by this snorter before I got to the form (in two different Mac browsers):


So will IE7’s address bar be white, yellow, or red for this web page?


ALSO: Scott Cleland at the Precursor Blog has justifiably harsh words for Microsoft relating to the so-called “net neutrality” debate. This mini-excerpt only scratches the surface:

Microsoft’s new anti-phishing feature of its Internet Explorer 7 web browser blatantly discriminates against the 20.6 million sole proprietorships in the U.S. in favor of their net neutrality allies: Google, Amazon, eBay and Yahoo and IAC (Interactive Corp — Ed.).

….. Isn’t it ironic that online companies like Microsoft allege that broadband carriers have the potential to discriminate so they deserve preemptive regulation, but when companies like Microsoft, who have vastly more market power and market share than any broadband carrier, actually discriminate against tens of millions of innocent Americans, that is OK? What kind of “principle” is that?


UPDATE: Calling all small business advocates like NFIB, NASE, the Chambers of Commerce, and others — Where are you on this?

UPDATE 2: Here’s an interesting point from a Slashdot commenter:

I think any comment about IE7’s anti-phishing system should note that it sends every website you visit to Microsoft. If you care even an iota about the privacy of your web browsing, you should choose “no” when IE7 asks you to enable its invasive anti-phishing system.

Correct me if I’m wrong, but I don’t think you’ll be asked. The default will be to have the anti-phishing system on, and you have to be the one to turn it off — which of course the vast majority of users won’t do.

