Microsoft v. Small Business

Filed under: Technology — posted by cehwiedel on December 19, 2006 @ 8:06 am

One of the reasons I love the Internet is it enables a One-Man Band to play as loudly as any of the Big Guys.

Microsoft, in a laudable attempt to counter phishing, may stuff a sock in your tuba, though.

An article by Riva Richmond in today’s deadtree edition of the Wall Street Journal explores the implications for small online businesses of Microsoft “going green” with the new version of Windows:

IE7 [Microsoft’s new Internet Explorer 7 web browser] has a security feature that will turn Web-address bars green and display owners’ identities when consumers visit secure sites from businesses verified as legitimate. The color change will be a boon for consumers, who have been barraged in recent years with “phishing” scams designed to lure them to fake versions of popular Web sites, like eBay or their bank, to filch their account numbers. The hope is that the program will help reduce fraud, lift trust and boost e-commerce.

But browsers won’t turn green when customers visit [a small business site]. That’s because sole proprietorships, general partnerships and individuals won’t be eligible for the new, stricter security certificates that Microsoft requires to display the color…

The new certificates, called extended validation secure-sockets-layer certificates, or EV SSL for short, are affidavits from a certificate authority both that private data are being encrypted and that the business operating the site has been confirmed as real. By contrast, current SSL certificates — the technology that encrypts data and puts a small lock on visitors’ browsers — can be obtained with little more than a credit card and are considered ripe for abuse by con artists.

Existing SSL certificates were designed to secure communication, but do nothing to assert the identity of either end of that communication. You can be assured that nobody can eavesdrop, but you cannot be assured of who is listening at the other end of the secured line.
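The difference shows up in the certificate's subject fields. The sketch below is an added example, not part of the original post: it classifies the dict that Python's `ssl.SSLSocket.getpeercert()` returns, using constructed sample certificates and hypothetical function names. It is a heuristic on subject fields only; a browser's decision to turn the bar green also depends on the issuer's EV policy identifier and on the issuing root being trusted for EV.

```python
# Added example: what identity does a certificate's subject actually assert?
# Input is the dict shape returned by ssl.SSLSocket.getpeercert(); field names
# are the OpenSSL long names that Python reports.

# Subject attributes an EV certificate carries beyond the organization name.
EV_MARKERS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

# Constructed sample certificates (not captured from real sites).
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "Example Widgets LLC"),),
    (("commonName", "shop.example"),),
)}
EV_CERT = {"subject": (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),),
    (("countryName", "US"),),
    (("organizationName", "Example Widgets LLC"),),
    (("commonName", "shop.example"),),
)}


def subject_fields(cert):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def validation_level(cert):
    """Heuristic 'DV', 'OV' or 'EV' label based on subject fields alone."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # only control of the domain name was checked
    if EV_MARKERS.issubset(fields):
        return "EV"  # registration details of a legal entity are present
    return "OV"


def asserted_identity(cert):
    """Organization the certificate vouches for, or None if it names none."""
    return subject_fields(cert).get("organizationName")


if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(validation_level(cert), asserted_identity(cert))
```

To check a live shopping-cart or payment host, pass the result of `getpeercert()` from a verified TLS connection to `validation_level()` instead of the sample dicts.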

There are several ways that a One-Man Band can respond to this threat.

Outsource your online sales. Whether you can allow your online sales to be hosted entirely by somebody else depends on the nature of your One-Man Band. EBay hosts stores both at its original auction site and at fixed-price eBay Express. Amazon now hosts aStores. CafePress and Zazzle host POD design shops. Some large franchise-based businesses like Avon host sites for individual reps.

Outsource your shopping cart. Let a larger business handle taking the orders and money, for a fee. Make sure that they support EV SSL certs.

Outsource payment processing. Pay through a secure third party, like PayPal or the Amazon Honor System. Again: make sure that the third-party payment processor supports EV SSL certs. (Does your shopping-cart software support third-party payment?)

Support formation of online small-business federations. These federations can then take the responsibility for verifying identity and issuing EV SSLs to members. Local Chambers of Commerce or Better Business Bureaus would be good candidates to start such federations.

A lot of work has been done in the last several years in the area of federated identity. See, for instance, the InCommon Federation sponsored by Internet2.


one comment so far »

  1. [...] There are work-arounds — see “Microsoft v. Small Business” at One-Man Band — but the existing work-arounds may not work for any particular business and proposed solutions (like online small-business federations) may take some time and quite a bit of effort to get off the ground. Technorati tags: Networks, Online Security. [...]

    Pingback by Dark Spark » Exclusionary Technology — December 19, 2006 @ 8:51 am
