Different Colors for different Certificate Authorities

Different Colors for different Certificate Authorities

Ali Khalfan
Regular users are told to look for the SSL lock to make sure the site is
secure.  In the old days, it was a lot harder to get an SSL certificate
without some sort of rigorous verification (e.g. registration document,
whois repository, proof of actual owner of the entity owning the domain).

It is a lot easier to get a valid SSL certificate today.  Some
certificate authorities, such as Truecrypt, provide certificates simply
if proof is provided that a domain is owned.  Because Truecrypt mainly
cares about encryption.  Needless to say, a miscreant setting up a
phishing website does own a domain.  So, encryption is provided but not
authenticity.  A regular user will look at the lock, which is green, and
think the site is secure (while it is not).

I would think different colors should be on the bar based on the
certificate authority.  If the certificate is signed by an authority
known to perform rigorous verification it should be different from a
certificate signed by an authority that verifies by a simple e-mail
verification.


Thanks,
Ali


_______________________________________________
wishlist mailing list
[hidden email]
https://lists.mozilla.org/listinfo/wishlist


Re: Different Colors for different Certificate Authorities

Ali Khalfan
Can anybody besides spammers give me any feedback on this?




-------- Original Message --------
Subject: Different Colors for different Certificate Authorities
From: Ali Khalfan <[hidden email]>
To: [hidden email]
Date: Wed Sep 14 2016 08:49:24 GMT+0300 (AST)

> Regular users are told to look for the SSL lock to make sure the site is
> secure.  In the old days, it was a lot harder to get an SSL certificate
> without some sort of rigorous verification (e.g. registration document,
> whois repository, proof of actual owner of the entity owning the domain).
>
> It is a lot easier to get a valid SSL certificate today.  Some
> certificate authorities, such as Truecrypt, provide certificates simply
> if proof is provided that a domain is owned.  Because Truecrypt mainly
> cares about encryption.  Needless to say, a miscreant setting up a
> phishing website does own a domain.  So, encryption is provided but not
> authenticity.  A regular user will look at the lock, which is green, and
> think the site is secure (while it is not).
>
> I would think different colors should be on the bar based on the
> certificate authority.  If the certificate is signed by an authority
> known to perform rigorous verification it should be different from a
> certificate signed by an authority that verifies by a simple e-mail
> verification.
>
>
> Thanks,
> Ali
>

