3 posts categorized "extended validation certificates"

06/12/2009

The Great SSL Extended Validation Certificate Mystery

You know, these extended validation certificates really bug me--more so than they probably should but they really, really bug me. The premise behind them is easy enough to understand--we'll color your address bar green (or provide some other kind of green-hued, visual cue) to let your users know that you spent tons more money on the same level of encryption. Some sites have reported increased conversion rates which, in the minds of the site owners, more than makes up for the cost, so if you've bought them and you are happy with them, that's super.

I get a lot of hits to this blog where "extended validation" shows up somewhere in the keyword search, and I have a question for my readers who also happen to be developers. Are extended validation certificates difficult to work with? Does the slightest idiosyncrasy in the markup on a page wreak havoc with them? Today's example is with Firefox 3.5 Preview, Internet Explorer 7, Safari 4.0, and the Mozilla Add-ons site.

Open https://addons.mozilla.org/en-US/firefox/ in one of these browsers--let's start with IE7. The site is encrypted using a GlobalSign Extended Validation certificate and before anyone in P.R. freaks, I'm not slamming any company in this post. In IE7, you get the green bar:

[Screenshot: Ie7-greenbar]

Displaying the certificate's extended details, though, you don't get something that any user on the Internet would find extremely helpful: an answer to the question "Should I trust this site?" Instead of a simple "Yes" when clicking the link, you get a Microsoft help page listing all the different ways your address bar could be colored, each one describing ways you could still not be protected.


Switching to Firefox 3.5 Preview, although this behavior existed in Beta 4 as well, instead of getting a green bar, you get a blue bar:


Is this a bug? Is there something wrong with the page? It doesn't appear to be the case that Firefox can't display EV certs, since my health insurer's site displays as expected. (Update: It appears to be a bug. Other sites using GlobalSign EV SSL certificates don't display right either. Check out the demo site: https://ev.globalsign.com/ Update 2: This bug exists in Firefox 3.5 RC1 as well. I had opened a bug request through Bugzilla, but it was closed as a duplicate.)

Finally, I'm liking how Safari handles them--you can't really tell that an EV cert is being used unless you hover the mouse over the green Mozilla Corporation text next to the prominently displayed RSS button:

[Screenshot: Ff35preview-greenbar]


It's almost as if the Safari developers are saying, "Yeah...we aren't too sure about these things either".

Now, let's switch back to IE7, since it displays the issue so prominently, and go to https://blogs.verisign.com/. Again, I'm not picking on Verisign this time--just using their site to display the issue (and yes, I understand that one wouldn't normally try connecting to a blog over an encrypted channel--humor me!). At the start, everything looks fine:

[Screenshot: Ie7-vrsnblogs-start]


Click on the link for Tim Callan's Web Blog, everything is still fine:

[Screenshot: Ie7-vrsnblogs-step1]


Go back and then click on the link for the new Web User Experience Blog: you get warned about a mix of SSL and non-SSL items on the page, and the green bar vanishes even though the site name didn't change:

[Screenshot: Ie7-vrsnblogs-step2]


So what's going on here? Is there some absolute http URL in the HTML somewhere that is throwing off IE? I don't really know, and since this is not an electronic commerce site that I'm buying from (it's a blog site), it's not that big a deal, but it does help illustrate my point: it seems that browsers don't really work well with EV certs yet. Is whatever is causing the problem on this blog equally easy to trigger on a site where visitors might be buying something? If so, do we now need to consider writing an Extended Validation Certificate-Using Web Site Markup Validation tool to make sure that the green bar always displays as expected? I wouldn't want to do that without first knowing all the ways one can break them--and I don't yet know all of them.

UPDATE: Today's (July 17, 2009) release of Firefox 3.5.1 appears to fix one problem I reported with GlobalSign's Extended Validation certificates, so now the location bar displays green when connecting to GlobalSign's EV test site (https://ev.globalsign.com/) but still doesn't display green on https://addons.mozilla.org/ (on my Mac at least). This provides a good example of the basic problem I see with providing this kind of visual cue to end-users. Both sites appear to be signed by the same CA certificate, but one displays as expected and the other doesn't. If I were to guess, I would think that there is something encrypted on the page protected by a certificate signed by a different CA, or there is something on the page that is being delivered over HTTP by way of an absolute URL. I confess, I haven't figured out what it is yet.

11/29/2008

Extended Validation SSL Certificates: An Easy Way to Bust the Green Bar

It has been a little over a month since I posted some questions regarding Extended Validation SSL Certificates (EV SSL). Since posting, I have had some time to think about this particular issue further and I am still pretty skeptical about these new certificates.

Based upon the comments from the initial post regarding my concerns with EV certs and the marketing information from many of the EV SSL certificate vendors, not only is it said that EV certificates increase trust, but in many case studies they improve conversion or registration rates. My main concern with using a bold visual cue to evoke safety and trust is that users will start to equate safety and trust with the green bar, even though the site may still be SSL-encrypted (and, for all intents and purposes, still secure). Your organization can go through the two to three week long vetting process to get that new certificate, you pay the extra—in some cases substantial—increase in price for the certificate, you can be considered PCI compliant, and all that trust can vanish simply because someone in-house (!) added a link on the site to an image that uses an unencrypted absolute URL. EV-aware browsers (except Safari 3.2) are presently unanimous in their handling of those cases where you have a mix of secure and insecure elements within an EV SSL encrypted page--the green bar vanishes, and then I start wondering what's wrong with the site.

Perhaps an example to illustrate my point is in order. A very well known CA that sells Extended Validation SSL Certificates operates a site of corporate blogs. If you access that site over SSL (https), you are presented with an Extended Validation certificate. If you then click on any of the blogs hosted by that site, with one exception, the green bar vanishes in your browser, but the page is still encrypted. This all appears to be due to the inclusion of images on those sites that are being delivered over an unencrypted (http-only) channel--probably because someone entered an absolute URL in the HTML. If this behavior occurred on an electronic commerce site where I was getting ready to submit an order, I'd be a bit reluctant to submit that order. Even on a site like this corporate blog, it made me stop for a few seconds and wonder what was going on. It makes the fact that there is a problem even more prominent.
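The failure described here and in the IE7 walk-through of the blogs.verisign.com site in the June post is a markup problem: sub-resources referenced by absolute http:// URLs. Below is an added example, not code from the original blog, of the kind of markup check the June post muses about: a scanner that reports every resource-loading attribute in an HTML document that fetches over plain HTTP (the sample page and its hostnames are constructed).

```python
# Mixed-content scanner: flags sub-resources (images, scripts, stylesheets,
# frames) referenced by an absolute http:// URL on an HTTPS page, the markup
# slip that makes EV-aware browsers drop the green bar (added example, not the blog's own code).
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a sub-resource; a plain <a href> is navigation, not a fetch.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "embed": ("src",), "source": ("src",), "input": ("src",),
    "object": ("data",), "link": ("href",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url) per http:// resource

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link>s that fetch something (stylesheet, icon) count; rel="canonical" loads nothing.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = (attrs.get(attr) or "").strip()
            # urlsplit lowercases the scheme (so HTTP:// is caught); relative and //host URLs have none.
            if urlsplit(value).scheme == "http":
                self.findings.append((tag, attr, value))

def find_mixed_content(html):
    """Return [(tag, attribute, url), ...] for resources fetched over plain HTTP."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (hostnames made up): one relative image, one
# protocol-relative script, one http:// image and one http:// stylesheet.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/blog.css">
<link rel="canonical" href="http://blog.example.test/">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="/images/logo.png" alt="ok">
<img src="HTTP://static.example.test/banner.gif" alt="mixed">
<a href="http://example.test/other">a link, not a sub-resource</a>
</body></html>"""
```

Run over a saved copy of a page, `find_mixed_content` lists exactly the elements a browser would fetch insecurely; the canonical link and the anchor are not reported because neither causes a fetch.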

I worry that the over-emphasis on providing visual indicators for trust and security may have unintended consequences for site owners when that indicator fails. The behavior on the aforementioned corporate blog site has been like this for the past week at least and, like I said, if this were an electronic commerce site, I might not be buying.

10/23/2008

Extended Validation SSL Certificates: Scam or Vital?

I am very interested in getting opinions from other administrators out there regarding Extended Validation SSL certificates. I can't really see how they are more useful in protecting an electronic commerce transaction than a "plain old SSL cert".

Taking the most expensive implementation from Verisign to illustrate my point, a standard SSL cert costs $399.00 for a cert that will expire in 12 months. "Upgrading" to a 128-bit-only certificate will set you back $995.00. "Upgrading" that standard cert to an Extended Validation cert will cost you $995.00 too, but if you also add the 128-bit-only option to that EV cert, you are looking at almost $1,500.00 USD just to color the address bar green. A $1,200 markup seems like a lot to pay for something that didn't seem to me to be that big a problem in the first place--especially when it could very well (for all I know) be providing nothing more than a false sense of security.

For example, if my browser bar is green, does this mean that I no longer need to worry about making sure that SSLv2 and null or weak encryption ciphers are disabled? Something tells me that the answer to this is, "Ummm....No....". So what is it? Are you buying Extended Validation certificates, or are you just implementing the strongest possible controls on your site and buying the no-frills cert? Are certificate vendors simply ripping us off by tricking users into looking for the green bar, or are these certs doing something magical? Did sales increase drastically for those of you who have implemented them?
Creative Commons Attribution-ShareAlike 3.0 Unported