SSL Suit Against VeriSign Gets Class Action Status

Netcraft.com
June, 2006

A lawsuit accusing VeriSign of improper marketing of SSL certificates has been given class action status by a California court, allowing thousands of VeriSign customers to join the proceedings and share in any award. The plaintiff, Southeast Texas Medical Associates LLP (SETMA), alleges that VeriSign overstated the differences between its Secure Site and Secure Site Pro certificate products and their value to businesses conducting e-commerce. The proposed class includes anyone who has bought Secure Site Pro certificates since 2001. The plaintiffs estimated this figure at more than 400,000 potential class members, each of whom would be eligible for more than $500 in damages, placing the theoretical financial risk to VeriSign at more than $200 million.

VeriSign has thus far declined public comment on the lawsuit. The case may have relevance for other SSL providers as well, as it hinges on details of marketing complex technology products to customers who are not experts in Internet security or cryptography. The case highlights the fact that SSL certificates are among the products being closely scrutinized by attorneys seeking to build practices around Internet security litigation. One of the plaintiff’s lawyers, Marc Gravely of the Austin firm Gravely & Pearson, L.L.P., says his law firm is now taking aim at Internet security companies “who place profit over the security and personal privacy of businesses consumers.” In a press release, Gravely called the California case “almost certainly the first of many more to come given the burgeoning Internet security industry and tremendous growth of online transactions.”

The complaint alleges that VeriSign overstated the benefits of its more expensive SSL certificates. “Secure Site and Secure Site Pro provide essentially identical security for communications between businesses and their customers,” the lawsuit alleges. “It has only been through its false and misleading advertising that defendants have been able to extract a $546 premium from thousands of businesses throughout the country.”

At issue is support for 128-bit SSL sessions and the necessity of Server Gated Cryptography (SGC), which is supported by Secure Site Pro only. SGC is an extension of SSL that was widely used prior to 2000, when U.S. government export controls on 128-bit encryption technology limited banks and bank branches outside the U.S. to web servers that supported only 40-bit encryption. Once the export bans were lifted in 2000, subsequent browser releases had the capability to conduct 128-bit SSL sessions without SGC. Standard 1024-bit SSL certificates from most certificate authorities already support up to 256-bit encryption, which is enabled not by the SSL certificate but by the session key negotiated by the web server and browser.

Today, SGC’s primary benefit is to provide additional security for Internet users with older browsers (4.x versions of Internet Explorer or Netscape). “Many take for granted that strong encryption (at least 128-bit) is universal today,” VeriSign says in its description of Secure Site Pro. “In reality, legacy software issues may expose client systems to weak encryption (40-bit or 56-bit). According to a Yankee Group study, ‘the number of people still subject to weak encryption because they are using older versions of Windows and Internet Explorer is in the tens of millions.’”
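The two paragraphs above turn on one technical point: the symmetric strength of an SSL/TLS session (40, 56, 128 or 256 bits) is decided by the cipher suite the browser offers and the server selects, not by the certificate, whose RSA key only authenticates the server. The following Python is an added illustration written for this page, not code from Netcraft or VeriSign. It builds a constructed, extension-free ClientHello of the kind a legacy browser would send, parses the offered cipher suites out of it, rates them by symmetric key length, and runs a server-preference negotiation. The cipher suite IDs and names are from the IANA TLS registry; the `SUITES` table, the sample offers and the server preference lists are assumptions chosen for the demonstration.

```python
"""Decode the cipher suites a TLS client offers and rate their symmetric strength.
Added example for this article; the ClientHello bytes are constructed, not captured."""
import struct

# Cipher suite IDs from the IANA TLS registry with the symmetric key length in bits
# (3DES listed at its 112-bit effective strength). The RSA key size of the server
# certificate does not appear anywhere in this negotiation.
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", 128),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 112),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 128),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 256),
}

# Constructed offers: an export-grade legacy browser and a current client.
LEGACY_OFFER = [0x0003, 0x0006, 0x0008, 0x0009]
MODERN_OFFER = [0xC030, 0xC02F, 0x0035, 0x002F]
# Constructed server preference lists: one that refuses anything under 128 bits,
# one that still accepts 56-bit DES and 40-bit RC4 for old clients.
HARDENED_SERVER = [0xC030, 0xC02F, 0x0035, 0x002F]
PERMISSIVE_SERVER = HARDENED_SERVER + [0x0009, 0x0003]


def build_client_hello(suite_ids, version=(3, 1)):
    """Build a minimal TLS 1.0-style ClientHello record (no extensions)."""
    body = bytes(version) + b"\x11" * 32          # client_version + fixed 'random' (constructed)
    body += b"\x00"                                # empty session_id
    suites = b"".join(struct.pack(">H", s) for s in suite_ids)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                            # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]) from a handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    pos = 4                                        # handshake type + 3-byte length
    version = (hs[pos], hs[pos + 1])
    pos += 2 + 32                                  # client_version, random
    sid_len = hs[pos]
    pos += 1 + sid_len                             # session_id
    suites_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    ids = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return version, ids


def rate_offer(suite_ids):
    """Strongest and weakest symmetric strength the client is willing to accept."""
    known = [SUITES[s] for s in suite_ids if s in SUITES]
    bits = [b for _, b in known]
    return {
        "strongest_bits": max(bits) if bits else 0,
        "weakest_bits": min(bits) if bits else 0,
        "export_grade": [name for name, b in known if b < 128],
    }


def negotiate(server_preference, client_offer):
    """Server-preference selection: first server suite the client also offered wins.
    Returns (name, bits), or None when there is no common suite (handshake failure)."""
    offered = set(client_offer)
    for s in server_preference:
        if s in offered and s in SUITES:
            return SUITES[s]
    return None


if __name__ == "__main__":
    for label, offer in (("legacy", LEGACY_OFFER), ("modern", MODERN_OFFER)):
        _, ids = parse_client_hello(build_client_hello(offer))
        print(label, rate_offer(ids))
        print("  hardened server  ->", negotiate(HARDENED_SERVER, ids))
        print("  permissive server->", negotiate(PERMISSIVE_SERVER, ids))
```

Run as a script, the legacy offer rates at 40 to 56 bits and fails against the hardened server while the permissive one settles on 56-bit DES; the modern offer reaches 256 bits against either. The same server certificate serves both cases unchanged, which is the point the article's bit-depth dispute comes down to.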

The lawsuit alleges that VeriSign overstates the number of e-commerce customers using older browsers – and thus overstates the need for the additional $546 cost of an SGC-capable certificate. “VeriSign deceives actual and potential customers into believing that these certificates have different properties when used with the vast majority of Internet users when this is simply not the case,” the suit adds.

The motion for class action status was argued April 7 in Santa Clara, Calif. before California Superior Court Judge Kevin Murphy. VeriSign argued that Southeast Texas Medical Associates was “an impermissible puppet plaintiff” for lawyers seeking to target VeriSign. The judge denied that claim, while noting that the “plaintiffs are not overly informed about the theory and dynamics of the litigation.”

At the very least, SETMA appears to not be terribly attentive to the use and description of SSL on its own web site at setma.com. Despite its grievances with VeriSign and the dispute over bit-depth, the setma.com web site includes a page that touts its use of VeriSign certificates. “These pages are encrypted using a 128 bit Verisign encryption certificate to ensure the privacy of your health and financial data,” the site notes.

That would be fine – if perhaps a little strange – if the setma.com site actually used a VeriSign certificate. In fact, the site uses an SSL certificate purchased from Entrust, a VeriSign competitor. Thus, even as it sues VeriSign for making false claims about its certificates, SETMA appears to be misleading its web site visitors about its own use of SSL certificates.

SETMA’s complaint asserts that the lack of end-user sophistication regarding certificates is a central issue in the case, saying VeriSign succeeded in selling Secure Site Pro certificates “because the matter is so deeply steeped in technology and difficult for any consumer to discover or understand.” It remains to be seen, if the case ever proceeds to trial, whether a jury will find the details of SSL certificates and encryption bit depths any easier to sort out.