Why we need to show identity: the value of EV certificates

Although controversial, extended validation certificates still have great value.

Last week, Troy Hunt, the well-known security expert and educator behind the "Have I Been Pwned?" tool, wrote a long column discussing the value of extended validation (EV) certificates.

In that article he calls into question both the value of EV certificates and whether users notice them at all. He concludes:

"The bottom line is, by far, the validity of EV certificates is entirely dependent on whether people recognize them and whether they in fact change their behavior accordingly. It is hard to argue ???"

Indeed, the value of an EV certificate does depend on whether users notice it and whether they act on that information. But does that mean EV certificates are not worth it?

Before exploring this question further, let's look at the difference between the validation levels:

Domain Validation (DV) and Extended Validation (EV) are the two main categories of SSL certificate. DV, as its name suggests, only confirms that the holder of the certificate controls the domain shown in your browser's address bar. This is done by automated technical means, such as asking the applicant to create a specific DNS record for the domain.

An EV certificate does the same, but in addition the certificate authority confirms that the site is operated by a legally established company. This is done by staff at the issuing CA checking official government registries and other reliable data sources. The company's name (and the country in which it is registered) is then displayed in the end user's browser:

EV Green Address Bar on PayPal.com
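As an added example (not code from the original article or from TrustAsia), here is how a client can tell a DV certificate from an EV one using only Go's standard library. The CA/Browser Forum EV policy OID 2.23.140.1.1 in the certificatePolicies extension is what marks a certificate as EV; only then are the vetted subject fields (O, C and jurisdictionOfIncorporationCountryName) worth showing to the user, because a plain DV certificate can carry any O= string nobody checked. The certificates, host names and the "PayPal, Inc." organization string are constructed sample data generated in the block itself; a real browser additionally requires the chain to end in a root it trusts for that EV OID, which is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Object identifiers involved in EV certificates: the CA/Browser Forum EV policy
// and the subject attributes the EV Guidelines require the CA to vet and encode.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidCABForumEV          = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// policyInformation mirrors the ASN.1 PolicyInformation structure inside the
// certificatePolicies extension (policy qualifiers, if present, are ignored).
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// Identity is what a browser could show the user about the site's certificate.
type Identity struct {
	Hostname     string // verified for both DV and EV
	Organization string // EV only: legal name vetted by the CA
	Country      string // EV only: country of the registered company
	Jurisdiction string // EV only: jurisdictionOfIncorporationCountryName
	EV           bool
}

// Describe reports the identity a parsed leaf certificate asserts. A DV
// certificate yields only the host name. The certificate is treated as EV only
// if it carries the EV policy OID and the vetted subject fields; the subject
// O/C of a non-EV certificate are deliberately not reported, since nobody
// checked them. Chain validation against an EV-enabled root is out of scope.
func Describe(cert *x509.Certificate) Identity {
	id := Identity{}
	if len(cert.DNSNames) > 0 {
		id.Hostname = cert.DNSNames[0]
	}
	hasEVPolicy := false
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var policies []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &policies); err != nil {
			break
		}
		for _, p := range policies {
			if p.Policy.Equal(oidCABForumEV) {
				hasEVPolicy = true
			}
		}
	}
	if !hasEVPolicy {
		return id
	}
	org, country, jurisdiction := "", "", ""
	if len(cert.Subject.Organization) > 0 {
		org = cert.Subject.Organization[0]
	}
	if len(cert.Subject.Country) > 0 {
		country = cert.Subject.Country[0]
	}
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidJurisdictionCountry) {
			jurisdiction = s
		}
	}
	if org == "" || jurisdiction == "" {
		return id // EV OID without the required vetted fields: do not claim EV
	}
	id.Organization, id.Country, id.Jurisdiction, id.EV = org, country, jurisdiction, true
	return id
}

// makeCert builds a self-signed certificate for the demo (constructed sample
// data: not a real PayPal or CA-issued certificate). The O/C fields are set
// whenever given; with ev=true it also carries the EV policy OID and the extra
// subject attributes an EV CA would add after vetting the company.
func makeCert(host, org, country string, ev bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	if country != "" {
		tmpl.Subject.Country = []string{country}
	}
	if ev {
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: country},
		}
		raw, err := asn1.Marshal([]policyInformation{{Policy: oidCABForumEV}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: raw}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// The second certificate claims O=PayPal, Inc. but has no EV policy, so the
	// organization is not reported: a DV certificate proves only the host name.
	for _, c := range []struct {
		host, org, country string
		ev                 bool
	}{
		{"www.paypal.com", "PayPal, Inc.", "US", true},
		{"fakepaypal.com", "PayPal, Inc.", "US", false},
	} {
		cert, err := makeCert(c.host, c.org, c.country, c.ev)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", Describe(cert))
	}
}
```

The deliberate asymmetry is the point of the example: the browser shows a company name only when the certificate carries the EV policy OID that ties the O/C fields to a CA's vetting process, never on the strength of the subject field alone.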

As Troy put it, a DV certificate tells you "the connection is secure", while an EV certificate tells you "the connection is secure, and you know who you are talking to."

On the Internet, knowing who you are talking to is very valuable. For the price of a meal out, anyone can create a website and claim to represent anyone (or anything) without providing much personal information.

Considering the sheer number of fake and phishing sites on the Internet, I think we can all agree on this point: more information about who operates a website is beneficial.

Your computer does not really understand anything about the sites it visits. It will happily display the content of any host name or IP address you point it at.

To your browser, Paypal.com and FakePaypal.com are just two different addresses. To a person it is obvious that one of the two is not the real PayPal site (although with real phishing sites the difference is not so obvious). Your computer only sees another Internet address that serves HTML, CSS, JavaScript and other files it can display for you.

From a technical perspective, this is all your browser needs to do. But it is often at odds with what users want, since users care far more about being connected to the legitimate site they are interested in than about the technical marvel of DNS and IP routing.

Looking at the big picture, you can see that Google's Chrome browser is designed along these lines:

"We, the Google Chrome security team, propose that user agents (UAs) gradually change their UX to display non-secure origins as 'affirmatively non-secure', in order to show users more clearly how insecure HTTP is.

T0 (now): non-secure origins unmarked

T1: non-secure origins marked as dubious

T2: non-secure origins marked as non-secure

T3: secure origins unmarked"

At the moment we are between phases "T0" and "T1" of this plan: later this year, Chrome will start displaying "non-secure" warnings on more HTTP pages.

One of the reasons Chrome wants to do this is how hard it is for a computer to determine how secure your connection really is.

HTTPS can only guarantee that your data is transmitted securely to the server you connect to. What happens after that, nobody knows.

Cloudflare's Flexible SSL, which provides a secure connection between you and Cloudflare but not from Cloudflare to the origin server, is one example of a journey your data takes across the Internet that your browser cannot see.

Chrome would rather not take on assuring you that your connection is secure as its own responsibility. It only gives a few hints when the connection is not secure, because that is all it is able to do.

Deciding whether a site is legitimate, or whether you should hand it your personal or credit card information, is a separate question. Hopefully we all know by now that just because a site uses HTTPS does not mean it is a good idea to give it your personal information.

That decision needs more information than the HTTPS technology can provide, so it has to be made by the user.

That is not to say there are no other mechanisms protecting users. Systems like Google Safe Browsing and Microsoft SmartScreen, which protect users from reported phishing sites and sites infected with malware, are very valuable.

But these systems are not perfect. They sometimes take more than a day to flag a site, which leaves an important window during which many users can be compromised. And they were never designed to establish a website's identity, so they achieve only part of what an EV certificate aims to do.

Troy says that "EV certificates are an artificial control", which is a problem. But assessing the real-world identity and legitimacy of a website is not something our browsers are suited to doing. After all, from a technical point of view, you really do want your browser to log in to FakePaypal.com, because it is a real website.

The value of EV certificates is clear. It lies in telling you more about the site than your browser can, because the browser can only evaluate a site by connecting to a host name, parsing a certificate file and verifying its cryptographic keys.

EV certificates, and all the related HTTPS indicators, could be made easier for users to understand; on that point Troy is right. The evidence is that before Chrome's recent redesign, users found it hard to identify and understand the padlock icon; some mistook it for a purse.

But that does not eliminate the need for identity on the web or reduce the value of EV certificates. It just means we need to explain them better, which is a recurring theme whenever security meets the general Internet user.

Source: blog.csdn.net/TrustAsia/article/details/76681758