[fc-discuss] Financial Cryptography Update: Brand matters (IE7, Skype, Vonage, Mozilla)

iang@iang.org iang@iang.org
Wed, 8 Feb 2006 11:30:05 +0000 (GMT)

 Financial Cryptography Update: Brand matters (IE7, Skype, Vonage, Mozilla) 

                           February 08, 2006




In branding news:  IE7 is out in Beta 2 and I'm impatiently waiting for
the first road tests.  (Roight... as if I have a Microsoft platform
around here...)  Readers will recall that Microsoft took the first
steps along the branded security path by putting the CA name up on the
chrome.  This places them in the lead in matters of risk.

Sadly, they also got a bit confused by the whole high-end super-certs
furfie.  IE7 only rewards the user with the CA brand if the site used
these special high-priced certs.

Plonk!  That kind of ruins it for security - the point of the branding
is that the consumer wants to see the Bad Brand or Unknown Brand or the
Missing Brand or the Bland Brand ... up there as well.  Why?  So as to
close off the all-CAs-are-equal bug in secure browsing.  (Preferably
before the phishers start up on it, but just after the first sightings
will do nicely, thanks, if you subscribe to post-GP theories.)

By choosing to promote a two-tiered risk statement, Microsoft then
remains vulnerable to a takeover in security leadership.  That's just
life in the security world;  leadership is a bit of a lottery when you
allow your security to become captive to marketing departments' zest
for yet another loyalty program.  Also, annoyingly, IE7 promises to
mark any slightly non-formal certificated site (such as FC) as a Red
Danger Danger site.  Early indications are that this will result in an
attack on brand that hasn't hitherto been seen, and has interesting
strategic implications for you-know-who.

The CA branding idea is not new nor original.  It was even (claimed to
be) in the original Netscape design for secure browsing, as was the
coloured security bar.  Using brand is no more than an observation
deriving from several centuries of banking history - a sector that
knows more about risk matters than the Internet, if only because they
lose money every time they get it wrong.

Consider some more in the flood of evidence that *brand matters*
- over in VoIPland look at how things have changed:

In Europe, branded VoIP represented 51.2 percent of all VoIP calls in
the last quarter of 2005, while Skype accounted for 45 percent of VoIP
minutes. Vonage took less than one percent of the market while other
third-party VoIP providers represented 3.5 percent of all VoIP traffic,
the report said.

"Twelve months ago, Skype represented 90 percent of all VoIP minutes.
Now people are buying branded services," Chris Colman, Sandvine's
managing director for Europe, said Tuesday.

Whaaa.... 90% to 45% of the market in 12 months!  No wonder Skype sold

The same trend was found in the North American market. The study found
that U.S. branded VoIP represented 53 percent of VoIP minutes on
broadband networks. Vonage, with a 21.7 percent share, and Skype, with
14.4 percent, were the leading third-party providers.

I'll bet Vonage are kicking themselves...  Meanwhile, one group that
have traditionally resisted the risk nexus of brands ... just got hit
over the head with their own brand!  Mozilla earnt a spot in the top ten
most influential brands last year.


More influential than Sony!  Heady praise indeed.  Well done, guys.
You have now been switched on to the miracle of brand, which means you
have to defend it!  Even as this was happening, Firefox lost market
share in the US:


Predicted of course, as IE7 rolls out, Microsoft users start to switch
back.  Nice.  Competition works (in security too).

So, what's the nexus between brand and risk?  Newbies to the brand game
will blather on with statements like "we protect our brand by caring
about the security of our users."  Can you imagine a journo typing that
up and keeping a straight face?

No, brand is a shorthand, a simple visual symbol that points to the
entire underlying security model.  Conventional bricks&mortar
establishments use a combination of physical and legal methods
(holograms and police) to protect that symbol, but what Trustbar has
shown is that it is possible to use cryptography to protect and display
the symbol with strength, and thus for users to rely on a simple visual
icon to know where they are.

Hopefully, in a couple of years from now, we'll see more advanced, more
thoughtful, more subtle comments like "the secured CA brand display
forms an integral part of the security chain.  Walking along this
secured path - from customer to brand to CA to site - users can be
assured that no false certs have tricked the browser."
