{"id":598,"date":"2017-07-29T11:33:14","date_gmt":"2017-07-29T19:33:14","guid":{"rendered":"http:\/\/unmitigatedrisk.com\/?p=598"},"modified":"2017-07-29T11:39:58","modified_gmt":"2017-07-29T19:39:58","slug":"positive-trust-indicators-and-ssl","status":"publish","type":"post","link":"https:\/\/unmitigatedrisk.com\/?p=598","title":{"rendered":"Positive Trust Indicators and SSL"},"content":{"rendered":"<p><em><strong>[Full disclosure I work at Google, I do not speak for the Chrome team, and more generically am not speaking for my employer in this or any of my posts here]<\/strong><\/em><\/p>\n<p><span style=\"font-size: 1rem;\">Recently Melih did a blog <a href=\"https:\/\/www.melih.com\/2017\/07\/19\/to-indicate-or-not-to-indicate-a-devilish-question\/\">post<\/a>\u00a0on the topic of browser trust indicators. In this <\/span>post<span style=\"font-size: 1rem;\"> he makes the argument that DV certificates should not receive any positive indicator in the browser user interface.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I agree with him, just not for the same reasons. Positive trust indicators largely do not work and usability studies prove that is true. Browsers introduced the \u201clock\u201d user interface indicator as part of a set of incentives and initiatives intended to encourage site operators to adopt SSL. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">What is important is that these efforts to encrypt the web are actually working: <a href=\"https:\/\/www.wired.com\/2017\/01\/half-web-now-encrypted-makes-everyone-safer\/\">over half the web is now encrypted<\/a>, and more importantly the adoption rate is demonstrating hockey-stick growth.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As a result, in 2014 Chrome started down the path of <a href=\"https:\/\/cabforum.org\/pipermail\/public\/2017-July\/011671.html\">deprecating positive trust indicators altogether<\/a>. 
In fact, today Chrome already marks HTTP pages as <a href=\"https:\/\/blog.chromium.org\/2017\/04\/next-steps-toward-more-connection.html\">\u201cNot secure\u201d if they have password or credit card fields.<\/a><\/span><\/p>\n<p><span style=\"font-weight: 400;\">The eventual goal is to mark all HTTP pages as insecure, but for this to happen SSL adoption needs to be much higher; I suspect browsers will want to see adoption in the 90% to 95% range before they are willing to make this change. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is relevant here because if all pages are encrypted, what value does a positive trust indicator have? None. This means that when all HTTP pages get marked \u201cNot secure\u201d we will probably see the lock icon disappear.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So, as I said, I agree with Melih: the \u201cSecure\u201d indicator should go away, but so should the lock. The question is not if, but when. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">But what does that mean for EV trust indicators? I am a member of a small group that thinks EV certificates can provide value. 
With that said, today EV certificates have some major shortcomings which significantly limit their value, some of which include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">It is not possible to get an EV wildcard certificate,<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">CAs, largely, have ignored automation for EV certificates,<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Due to the lack of automation, EV certificates are long-lived and their keys are more susceptible to theft as a result,<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The vetting processes used in the issuance of EV certificates are largely manual, making them expensive and impractical to use in many cases,<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">CAs market them as an anti-phishing tool when there are no credible studies that support that,<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The business name in the certificate is based on the legal name of the entity, not the name they do business under (DBA),<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The business address details in the certificate are based on where the business is registered (e.g. 
Delaware),<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">There is no contact information in the certificate, short of the taxation address, that a user can use to reach someone in case of an issue.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Efforts to address these issues have either been actively resisted by CAs (for example, DigiCert has tried a number of times to get EV wildcard certificates accepted in the CA\/Browser Forum, but CAs have voted against it every time) or simply ignored.<\/span><\/p>\n<p>There are some people who are working towards addressing these gaps, for example the folks over at <a href=\"http:\/\/certsimple.com\">CertSimple<\/a>, but without CAs taking a leading role in redefining the EV certificate the whole body of issues cannot be resolved. Importantly, until that happens you won&#8217;t see browsers even considering updates to the EV UI.<\/p>\n<p><span style=\"font-weight: 400;\">Given this reality, browsers have slowly been minimizing the details shown for EV certificates, since those details can give users the wrong impression and have limited value given the contents of the certificate.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It is my belief that unless the CAs work together to address the above systematic issues in EV certificates, that minimization will continue, and when the web is \u201cencrypted\u201d it won&#8217;t just be DV that loses its positive trust indicator, it will be EV also. <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[Full disclosure I work at Google, I do not speak for the Chrome team, and more generically am not speaking for my employer in this or any of my posts here] Recently Melih did a blog post\u00a0on the topic of browser trust indicators. 
In this post he makes the argument that DV certificates should not [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3],"tags":[6,144],"class_list":["post-598","post","type-post","status-publish","format-standard","hentry","category-security","tag-ssl","tag-ux"],"_links":{"self":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=598"}],"version-history":[{"count":0,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/598\/revisions"}],"wp:attachment":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}