Website identity is important for user safety. While encryption is important, knowing who you are encrypting to is paramount when conducting online transactions. While many users can identify the green bar/lettering associated with an Extended Validation (EV) certificate, recent user interface (UI) changes by browsers make it more difficult to differentiate these certificates from low value, domain validated certificates. This makes it a challenge to figure out the true owner of the website.
For example, Chrome recently changed the certificate UI for Domain Validated (DV) certificates to show a green padlock. With an increase of DV certificates used by fraudsters for phishing (see: http://toolbar.netcraft.com/stats/certificate_authorities), it is becoming more and more difficult for users to determine if a site is legitimate. DV certificates don’t identify the entity behind the website. You just know you are connected to www.example.com. There is no ownership information vetted about example.com. Organizationally Validated (OV) and EV certificates provide ownership information allowing a user to know who the site belongs to. But unfortunately, browsers do not distinguish sites with these types of certificates.
This chart from the CA Security Council (CASC) shows the confusing UIs that are in current browsers: https://casecurity.org/browser-ui-security-indicators/. It’s no wonder that users have trouble understanding the differences in the various certificates. And they are constantly changing.
A proposal from the CASC for a common, easy to understand, user display for website identity is shown below:
The members of the CASC which include the 7 largest SSL issuers in the world, are endorsing a paper on Website Identity Principles, which was presented at the RSA Conference on February 15, 2017. There are three main principles that summarize the intent of this paper:
1. Website identity is important for user safety.
2. Different TLS certificate types that are used to secure websites – Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) certificates – should each receive a separate, clearly-defined browser UI security indicator to tell users when a website’s identity has been independently confirmed.
3. Browsers should adopt a common set of browser UI security indicators for different certificate types, and should educate users on the differences among these indicators for user safety.
More information on these principles is available on the CASC website (https://casecurity.org/identity/).
If Symantec crawls through a website and finds that there are scripts to download something executable or to send data out of the browser machine - that web site should be marked as "Not Secure" - is it not a valid, feasible and easy solution ? This is also irrespective of browsers and their updates.