EV Certs and IE7

I ran into an interesting problem on Tuesday.
I installed Extended Validation SSL certificates on three of our IIS servers, and the ISA front end. Yes, yes, I know. “EV SSL is a scam.” They weren’t that expensive at Digicert and I thought it would be cool to turn the address bar green.
After implementing them, I found that Firefox users and IE7 on non-corporate computers could see the address bar turn green when browsing to the newly secured site. Surprisingly, IE7 on corporate-owned computers could not.
What I realized is that IE7 on XP uses the phishing filter to verify that the site is EV validated. The phishing filter is not on by default for the Internet Explorer Intranet zone. We have *.ourdomain.org in the Intranet zone, so there is no green bar for IE7 users on XP.
Vista with IE7 works fine because it supports OCSP.
This is where it got kind of annoying. I expected group policy to be able to enable the phishing filter for the intranet zone. Unfortunately, Microsoft hasn’t provided that for XP. This blog seems to be accurate – http://www.frickelsoft.net/blog/?p=80
So my choices are to create an ADM and import it, or to open my XP group policy in Vista. This will upgrade the policy, I'll be able to see the option to enable the phishing filter in the intranet zone, and it will apply to IE7 on XP computers. I've been a bit leery of "upgrading" my policies in this way ever since I opened Group Policy from an XP computer and then couldn't open the policies on the Windows 2000 domain controller (until Microsoft released a patch).

2 Comments

  1. Hi Roger,
    You may find this (very brief) entry on my blog from August 2007 to be
    helpful:
    http://msmvps.com/blogs/spywaresucks/archive/2007/08/16/1115171.aspx
    “In Windows XP, you need to either enable the phishing filter OR enable
    CRL-based revocation (off by default).
    On Windows Vista, OCSP-based revocation is enabled by default, so
    usually no further action is required. Again, enabling the phishing
    filter OR OCSP-based revocation is required before you can see the
    green bar.”
    Sandi

  2. Thanks for the tip.
    The phishing filter can slow down browsing, and enabling it will send
    intranet server names to Microsoft. So an alternative method is good.
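As an added example that is not part of the original post or its comments, here is the "create an ADM and import it" route from the post, with both settings the thread discusses in one template: the phishing filter turned on for the Local intranet zone (the post's fix), and the "Check for server certificate revocation" CRL option (the alternative from the first comment, which also avoids the privacy concern in the second). It assumes the documented IE zone registry layout (zone 1 = Local intranet, action 2301 = "Use Phishing Filter", 0 = enable, 3 = disable, per Microsoft KB182569) and the CertificateRevocation value behind the Advanced tab checkbox; the template name, category names and help strings are my own.

```adm
; Added example (not from the original post): minimal ADM template for
; gpedit/GPMC on XP or Windows Server 2003, exposing the two settings that
; let IE7 on XP show the EV green bar.
; Assumption: zone 1 = Local intranet and action 2301 = "Use Phishing Filter"
; (0 = enable, 3 = disable) as documented in Microsoft KB182569. Verify
; against your own IE7 build before deploying.

CLASS USER

CATEGORY !!Cat_Custom
  CATEGORY !!Cat_IE7EV

    POLICY !!Pol_IntranetPhishing
      #if version >= 4
        SUPPORTED !!Sup_IE7
      #endif
      EXPLAIN !!Pol_IntranetPhishing_Help
      ; Policy branch (Software\Policies): overrides the user's own zone
      ; preference and greys the option out in Internet Options while applied.
      ; Enabled writes 0 (on), Disabled writes 3 (off), Not Configured removes it.
      KEYNAME "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
      VALUENAME "2301"
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 3
    END POLICY

    POLICY !!Pol_CrlCheck
      #if version >= 4
        SUPPORTED !!Sup_IE7
      #endif
      EXPLAIN !!Pol_CrlCheck_Help
      ; Preference branch (no Software\Policies prefix): this is the value the
      ; "Check for server certificate revocation" advanced option itself sets.
      ; gpedit hides non-policy keys unless "Only show policy settings that can
      ; be fully managed" is unchecked, and the value stays behind (tattoos)
      ; if the policy is later removed, so it must be explicitly set back to 0.
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
      VALUENAME "CertificateRevocation"
      VALUEON  NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
Cat_Custom="Custom Templates"
Cat_IE7EV="Internet Explorer 7 EV certificate support"
Sup_IE7="Internet Explorer 7 on Windows XP"
Pol_IntranetPhishing="Turn on Phishing Filter for the Local intranet zone"
Pol_IntranetPhishing_Help="IE7 on Windows XP only shows the EV green address bar for a zone when the Phishing Filter is on for that zone, or when certificate revocation checking is enabled. This policy turns the filter on for the Local intranet zone. Note that the filter sends visited host names, including intranet names, to Microsoft."
Pol_CrlCheck="Check for server certificate revocation (CRL)"
Pol_CrlCheck_Help="Enables CRL-based revocation checking in IE7. On Windows XP this is an alternative to the Phishing Filter for getting the EV green bar, and it does not send intranet host names to Microsoft. The CA's CRL distribution point must be reachable from the client (through the proxy if there is one), otherwise the revocation check cannot complete and the EV indicator will not appear."
```

To use it, save the template as a file (for instance ie7-ev.adm, a name of my choosing), open the GPO in gpedit or GPMC, right-click User Configuration > Administrative Templates > Add/Remove Templates, and add the file; the two settings appear under Custom Templates. Enable only one of them unless you want both: the phishing filter policy is the post's original fix, the CRL policy is the commenters' alternative. Because the CRL setting lives outside the Policies key it is a preference rather than a true policy, which is why it is hidden by the default filter and why it persists after the GPO is unlinked.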
