May 31, 2006

Verisign sued over dodgy security practices

This may be the first of its kind. I've long predicted this response to ropey SSL industry practice, but unfortunately, today, I have no time to comment! (Note - FC is moving ... expect some disruption.)


Firm leads $200M suit vs. VeriSign
Alleges pricey business software is no more secure
By Kathy Robertson Sacramento Business Journal May 28, 2006

VeriSign Inc. faces a class-action lawsuit potentially worth more than $200 million for false and misleading advertising of the Internet-security software it sells to businesses that conduct commerce and communications with customers online.

Sacramento law firm Kershaw Cutter & Ratinoff is the lead counsel in the case and alleges that VeriSign sells two versions of its software -- and says that one of them provides a higher level of security -- when there is no practical difference between the two.

The law firm also alleges that the nation's largest Internet-security provider charges $546 more for the higher level of security and misleads customers into thinking they will get more protection if they buy the pricier version. The lawsuit, filed last year and certified as a class-action last month, contends that more than 400,000 Web sites nationwide use the security software.

The case is the first of its kind to be granted court approval to proceed as a class action in a hot legal arena resulting from the tremendous growth of online transactions -- and of a security industry to protect them. VeriSign spokesman Brian O'Shaughnessy declined to comment on the suit.

Five years of claims

"It's essentially a rip-off," said Bill Kershaw, the local attorney who is lead counsel on the case. "When you get charged significantly more money, you expect significantly more security." The lawsuit, initially filed in Santa Clara County Superior Court in February 2005, alleges unfair competition and seeks restitution for the people or businesses that have purchased the software since January 2001.

Mountain View-based VeriSign (Nasdaq: VRSN) operates services that enable and protect billions of online interactions daily, from sales to banking. The company reported $1.6 billion in revenue and net income of $112.4 million in the past four quarters.

The nation's largest Internet-security provider sells two types of software, or "certificates," to businesses. Both are intended to ensure that communications between the businesses' Web sites and their customers are secure, and that personal information such as addresses, credit card and Social Security numbers is kept private through data encryption while it is being transferred over the Internet. The two versions are called Secure Site and Secure Site Pro.

In its advertising, the company says its "Pro" version offers significantly enhanced encryption technology over the standard version and that, as a result, Web sites using it will be able to communicate with customers in a more secure fashion. The "Pro" version costs $895; the standard version, $349. About 99 percent of the time, the higher-level encryption software is provided to everybody, regardless of whether they pay the higher fee or not, Kershaw said.

'Essentially identical'

"Claims that these certificates provide added security are simply untrue," the plaintiffs assert in court documents. "Secure Site and Secure Site Pro provide essentially identical security for communications between businesses and their customers. It has only been through its false and misleading advertising that defendants have been able to extract a $546 premium from thousands of businesses throughout the country."

The lead plaintiff in the case is Southeast Texas Medical Associates LLP, of Beaumont, Texas. A technical expert at the group discovered the discrepancy while working on the system, Kershaw said. "This is not something an average business owner -- or technician -- would discover. It takes some sophistication," he said, adding that the practice appears to be limited to VeriSign.

Two Texas law firms -- Gravely & Pearson in San Antonio and Provost Umphrey in Beaumont -- asked the Kershaw firm to act as California counsel since VeriSign is based in Silicon Valley. The 4-year-old local firm is known for representing plaintiffs in class actions.

In early 2005, Kershaw Cutter & Ratinoff -- working with lawyers from the Sacramento firm of Dreyer Babich Buccola & Calaham -- won cash refunds, plus interest, for a group of California drivers insured by Allstate Corp.

Posted by iang at May 31, 2006 10:13 AM
Comments

Hello iang,

>> "This is not something an average business owner -- or technician --
>> would discover. It takes some sophistication," he said, adding that the
>> practice appears to be limited to VeriSign.

It's not limited to VeriSign. It is also practiced by GeoTrust.

In any case, a basic cert and a premium cert from GeoTrust are one and the same. They advertise that you get a secure seal on a premium cert which provides "enhanced verification", whatever that is.

The seal is really a GeoTrust advertisement placed on your site that is linked to a ChoicePoint database that lists the cert owner. Oh yes, they are deep in bed with ChoicePoint. That should make you feel safer! haha

Anyway, what they don't tell you is that the seal code you embed in your webpage works the same on both cert types i.e. the basic/quick certs and premium certs.

Go figure. Get the cheaper basic cert and save some money. The cert industry makes me puke. I feel we need a complete paradigm shift away from these providers to something that makes them useless and irrelevant, but in the meantime I can make good money from them.

Posted by: anon at June 1, 2006 02:35 AM