February 15, 2007

“Green Address Bar” SSL Certificates

Filed under: .Net,Networking,PHP,T3city — pj @ 8:02 pm

I’ve written other places about SSL certificates. Once upon a time, you bought your SSL certificates from either Verisign or Thawte. Back then, all (both) SSL Certificate Authorities (CAs) did some real validation on the entity (business or person) that was applying for the SSL cert. To validate the entity, they did things like review corporate records to make sure addresses matched, look up phone numbers in public directories and match driver’s licenses to domain registrations.

I can understand why they wanted a bit of money for the work that was required for validation that first year, but overall, SSL certificates have long been overpriced for the value they provide. After that first validation, the next year’s renewal costs the CA practically nothing, but they used to give no renewal discounts at all and, even now, renewal discounts don’t exist and multi-year discounts are not as substantial as they could (should?) be.

Then there were (are) silly SSL cert upgrades that supposedly provided stronger encryption. Well, I suppose those upgrades actually could enhance encryption if you just happened to be running an old, obscure version of IE that was only available outside the US, only for a short time, and has not been available since early 2000. Funny how, even today, you’ll find that the biggest CA still charges extra for Server Gated Cryptography, even though no browser modern enough to be secure needs or supports it.

If you want to spend even more on your SSL cert, CAs will happily add on various types of hyper-specific insurance policies and all manner of “site seals” and “trust logos”.

The entire verification and trust thing is just silly. The percentage of Internet users that would recognize Verisign, Thawte, Comodo or any other CA is vanishingly small. Even if we were to assume your average Internet buyer were a sophisticated, educated, rational consumer, why would they trust some company they’ve never heard of to tell them how trustworthy amazon.com is? On top of all this, given the year-after-year rape attempts committed by big CAs with their overpricing of renewals, fake SGC upgrades and other kinds of fake “strong cryptography” upgrades, the only thing I personally trust CAs to do is to make as much money as they possibly can with any means at their disposal.

With the useless state of verification and trust, it’s no wonder that some smaller CAs eventually started verifying less and charging a lot less. Nowadays, you can buy an SSL certificate that certifies nothing other than that you are using SSL. Fair enough – even that tidbit is more than most consumers are interested in knowing. Practically speaking, SSL is only a technology for the vendor. Vendors should use SSL properly because they care about the consumer enough not to transmit their personal information in the clear over the Internet. Frankly, if my wife, my Mom or one of my kids finds something they want to buy, as long as the browser doesn’t completely refuse to accept the connection, they will be happy to click through all manner of browser warnings to put in a credit card number. Haven’t we all been trained to ignore these pesky warning messages by now? A few shoppers might be consoled by a happy, friendly padlock icon, but how many users are fully aware that the padlock icon is supposed to be in the browser’s status bar? “What’s a status bar?”, you ask.

Given all this, I’ve been using the least expensive SSL certs I can find. Here are a couple of different examples – can you tell what kind of validation was used?

I suppose the SSL CAs all got together and decided something just had to be done before everybody started using self-signed SSL certificates. Enter now the “Green Address Bar” SSL Certificate. The real name is the “Extended Validation” SSL Certificate, but my name would be better. At least with my name, there is a slight chance that consumers (of SSL certs) will notice. If you have one of these super-duper certificates, IE’s address bar is supposed to turn green (as in the color of money, eh?). I think this is a Vista-only feature, though.

The SSL vendors want $500 and more for these “EV” SSL certs. Personally, I think they are pricing themselves out of the market. Yes, a handful of sites like amazon.com will pay the extra $489 for the SSL cert that makes the browser’s address bar turn green (as in the color of envy?). I have to guess, though, that the vast majority of SSL certs are purchased for small e-commerce sites like searchenginecommando.com, t3city.com and embracegroup.com. These small operators will rightly assume that the public will pay no attention to the fact that the address bar is not green. Personally, I doubt many people really even look for the SSL lock icon anymore. If EV were just a $50 up-charge, then a lot of small shops would go ahead and get it (at least for the first year, until they find out it didn’t affect sales). Right now, since the new certs are so expensive, practically nobody will buy them and buyers will just forget all about the green address bar. If they do notice, they’ll probably just have a vague notion that something is wrong with their computer (again). “Wasn’t Vista supposed to fix these kinds of problems?” they’ll wonder.
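The post asks whether you can tell what kind of validation a cert got. One place the answer shows up is the certificate subject: a domain-validated cert normally names only the host, an organization-validated cert adds the organization, and an EV cert must additionally carry businessCategory, serialNumber and a jurisdiction-of-incorporation attribute. The classifier below is an added example, not code from the original post; it assumes the one-line RFC 2253 subject form printed by `openssl x509 -noout -subject -nameopt RFC2253`, and the sample subjects are constructed, not taken from real certificates.

```python
"""Classify an X.509 subject line as DV / OV / EV (heuristic, added example)."""
import re

# Older OpenSSL builds print the EV-specific attributes as bare OIDs; map them to names.
OID_NAMES = {
    "2.5.4.15": "businessCategory",
    "2.5.4.5": "serialNumber",
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionL",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionST",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionC",
}
EV_REQUIRED = {"businessCategory", "serialNumber"}


def parse_subject(line: str) -> dict:
    """Split 'subject=CN=a,O=b\\, Inc.,C=US' into {'CN': 'a', 'O': 'b, Inc.', 'C': 'US'}."""
    if line.startswith("subject="):
        line = line[len("subject="):]
    attrs = {}
    # Split on commas that are not backslash-escaped (RFC 2253 escaping), then unescape.
    for part in re.split(r"(?<!\\),", line):
        key, _, value = part.partition("=")
        key = OID_NAMES.get(key.strip(), key.strip())
        attrs[key] = value.replace("\\,", ",").strip()
    return attrs


def validation_level(subject_line: str) -> str:
    """Return 'EV', 'OV' or 'DV' based on which subject attributes are present."""
    attrs = parse_subject(subject_line)
    has_jurisdiction = any(k.lower().startswith("jurisdiction") for k in attrs)
    if "O" in attrs and EV_REQUIRED.issubset(attrs) and has_jurisdiction:
        return "EV"
    if "O" in attrs:
        return "OV"  # organization asserted, but no incorporation details
    return "DV"      # only the host name is asserted


# Constructed sample subjects (hypothetical shop, not a real certificate).
SAMPLES = [
    "subject=CN=shop.example.test",
    "subject=CN=shop.example.test,O=Example Shop\\, LLC,L=Austin,ST=Texas,C=US",
    "subject=CN=shop.example.test,O=Example Shop\\, LLC,L=Austin,ST=Texas,C=US,"
    "businessCategory=Private Organization,serialNumber=12345678,jurisdictionC=US",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(validation_level(s), s)
```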

5 Responses to ““Green Address Bar” SSL Certificates”

  1. Kahn says:

    I can see the future,

    Green bar snobs, people who have bought from larger online e-tailers and suddenly think that it would be unsafe to shop anywhere a green bar is not present.

  2. pj says:

    It could end up that way, but right now, I doubt it. The Green bar is a Vista only thing and I’ve been using Vista and Office 2007 on my personal desktop for a week or so and there are a lot of distractions to keep me from noticing the background color of IE’s address bar. First, Vista flashes and prompts for many things at seemingly random times. Often, my desktop flashes all black for a second or so for no apparent reason. Maybe Explorer has crashed? Maybe Windows was planning to show the UAE prompt, then thought better of it? The new menus and toolbars in Office 2007 are crazy. It doesn’t help that Outlook, the program I use the most, has old style menus in the main program, but the new Office 2007 style menus and toolbars in its other windows (messages, contacts, etc.). In Vista, I find myself trying not to look at the top part of applications… instead, I’m desperately digging around for keyboard shortcuts so I don’t have to deal with the new mega toolbars.

  3. Tom Weldon says:

    To PJ Tezza
    From Tom Weldon

    Who reads 3-month-old blogs; PJ does. What’s a UAE prompt anyway? I’ve got an idea about that.

    We should catch up….

  4. pj says:

    Hi Tom, what’s up? I’ll send you an email with my info.

    Yeah, the blog is getting more and more out of date. I have plenty of interesting stuff to post about – I’ve been working on lots of interesting projects – but there hasn’t been anywhere near enough time left to blog. Right now, blogging is just one more item on my to-do list I never get to. This blog post is a little bit older than 3 months, though.

    “UAE prompt” = typo for “Vista UAC prompt” (not that spellcheck likes either one).

  5. way says:

    What we need is a JavaScript hack to change the address bar green! I figure that if you have solid SSL, then you have every right to make your bar green as well! So if anyone decides to write it, or finds it, let me know. -Eric
