Can you tell the difference between the two images below (beyond the fact that they're different websites)?
Do you see where Twitter has 'Twit...
Thanks for sharing this. This is an important topic for any developer since it's often - in my case as a consultant, at least - us who are responsible for applying certificates to servers. Knowing and understanding the differences between DV and EV certs will help us keep our clients better informed.
What I wonder is if browsers ditched the "Secure" moniker in favor of something more accurate like "Encrypted" or "Private", would that cause the average user to wonder? I suspect it wouldn't for most but perhaps it's a small step that could aid in further teaching an uninformed user. After all, the simple lock icon helped train those users over time to believe they were safe, which is sort of how we got to this discussion.
There is definitely a more interesting conversation to be had around how user experience (icons, colors, etc.) trains and conditions users and what can be done to make sure that the conditioning is correct as it pertains to perception of privacy vs security.
We use Fastly's shared SAN certificate at the moment. It's not something I've yet taken the time to research and contemplate the potential issues associated with this. If anyone wants to share some initial thoughts on that, I'm happy to listen.
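On the shared SAN certificate question above, here is an added example (it is not code from the article, its commenters, or Fastly) showing what any connecting client can read out of such a certificate. It builds a self-signed stand-in for a CDN's shared certificate with constructed tenant names (shared.cdn.example, alice.example, bob.example; none of them real), then lists every SAN in it, checks which hostnames it validates for using the same matching rule a TLS client applies, and reports whether the CA/Browser Forum EV policy OID (2.23.140.1.1) is present. The self-signed construction stands in for a CA-issued certificate; everything else is the standard library. The policy OID is read straight from the certificatePolicies extension so the check does not depend on which Go version's PolicyIdentifiers/Policies fields are populated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// X.509 certificatePolicies extension OID, and the CA/Browser Forum EV policy OID.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidCABFEV              = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// policyInformation mirrors the leading field of RFC 5280 PolicyInformation;
// trailing policy qualifiers, if any, are skipped by the ASN.1 decoder.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// MakeSharedCert builds a self-signed leaf carrying every hostname in sans, as a
// stand-in for a CDN's shared SAN certificate (constructed test data, not a real
// CA-issued cert). When ev is true the CABF EV policy OID is attached.
func MakeSharedCert(sans []string, ev bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Subject is left empty on purpose: clients ignore the CN once SANs are present.
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ev {
		pol, err := asn1.Marshal([]policyInformation{{Policy: oidCABFEV}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: pol}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParsePEM decodes the first CERTIFICATE block in pemBytes.
func ParsePEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// Inspect returns every DNS SAN in the leaf and whether it carries the CABF EV
// policy OID, decoding the certificatePolicies extension directly.
func Inspect(cert *x509.Certificate) (sans []string, ev bool, err error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if _, err = asn1.Unmarshal(ext.Value, &infos); err != nil {
			return nil, false, err
		}
		for _, pi := range infos {
			ev = ev || pi.Policy.Equal(oidCABFEV)
		}
	}
	return cert.DNSNames, ev, nil
}

// Covers applies the same SAN hostname matching a TLS client uses.
func Covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	// Three unrelated tenants on one shared certificate (constructed names).
	pemBytes, _ := MakeSharedCert([]string{"shared.cdn.example", "alice.example", "bob.example"}, false)
	cert, _ := ParsePEM(pemBytes)
	sans, ev, _ := Inspect(cert)
	fmt.Printf("ev=%v sans=%v\n", ev, sans) // every tenant's hostname is visible to any client
	fmt.Println("covers bob.example:", Covers(cert, "bob.example"), "carol.example:", Covers(cert, "carol.example"))
}
```

To run the same inspection on a live site, save the leaf from `openssl s_client -connect host:443 -showcerts` and hand the PEM to ParsePEM. The two points the output makes about a shared certificate are that every co-tenant's hostname is disclosed to anyone who connects to any of them, and that the private key behind all of those names is held by the CDN rather than by each tenant.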
The big question is, can you trust the CA. The simple answer is: you cannot.
A lot of high-profile CAs have been kicked out of the major browser and OS-provided root certificate stores. Prime cause: the CAs did not properly validate the certificates they gave out. This includes EV certificates.
HTTPS is more about preventing third parties monitoring and hijacking your connection than providing authenticity.
I just stumbled upon a nice video that explains why certificates exist, how they can be bypassed, and how a company made Google certificates and how Lenovo laptops were compromised a few years ago.
Man in the Middle Attacks & Superfish - Computerphile
As a developer: This is really cool and makes a lot of sense. I learned something new.
As a user: EV certs piss me off because they take up more room. And if it is green it is green, I scan past the name, I don't think users will ever learn the difference. But they will notice the EV takes up more room.
Great and clear article.
Thanks!
I use Let's Encrypt, and I certainly appreciate being able to have a certificate without breaking my ($0) budget!
Very informative article, as well as an excellent link to more info. :)
This was good to know.