
11/29/2008

Extended Validation SSL Certificates: An Easy Way to Bust the Green Bar

It has been a little over a month since I posted some questions regarding Extended Validation SSL Certificates (EV SSL). Since posting, I have had some time to think about this particular issue further and I am still pretty skeptical about these new certificates.

Based on the comments on my initial post about EV certs and on the marketing material from many EV SSL certificate vendors, EV certificates are said not only to increase trust but, in many case studies, to improve conversion or registration rates. My main concern with using a bold visual cue to evoke safety and trust is that users will come to equate safety and trust with the green bar alone, even when a site that has lost it is still SSL-encrypted (and, for all intents and purposes, still secure). Your organization can go through the two- to three-week vetting process to get the new certificate, pay the extra—in some cases substantial—price for it, and be considered PCI compliant, and all that trust can vanish simply because someone in-house (!) added a link on the site to an image that uses an unencrypted absolute URL. EV-aware browsers (except Safari 3.2) are currently unanimous in how they handle a page served under an EV SSL certificate that mixes secure and insecure elements: the green bar vanishes, and then I start wondering what's wrong with the site.

Perhaps an example to illustrate my point is in order. A very well known CA that sells Extended Validation SSL Certificates operates a site of corporate blogs. If you access that site over SSL (https), you are presented with an Extended Validation certificate. If you then click on any of the blogs hosted by that site, with one exception, the green bar vanishes in your browser even though the page is still encrypted. This all appears to be due to images on those pages being delivered over an unencrypted (http-only) channel--probably because someone entered an absolute http:// URL in the HTML. If this behavior occurred on an electronic commerce site where I was getting ready to submit an order, I'd be a bit reluctant to submit it. Even on a site like this corporate blog, it made me stop for a few seconds and wonder what was going on. The vanishing bar makes the fact that there is a problem even more prominent.
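The root cause described above (a hard-coded absolute http:// reference inside a page served over https) is easy to check for before a browser ever shows the problem. The following scanner is an added example written for this post, not code from the original entry or from any CA or browser vendor; it uses only the Python standard library and lists every subresource an https page would fetch over plain http. The sample HTML, the host names and the function names are constructed for illustration.

```python
"""Find mixed-content references in an HTML page served over HTTPS.

Added example (not from the original post): a stdlib-only scanner that
lists every subresource an https page pulls over plain http. Such
references are what make an EV-aware browser drop the green bar.
The sample HTML and host names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes naming a subresource the browser will actually fetch.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "source": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
    "object": ("data",),
    "link": ("href",),  # only for rel values that cause a fetch (see below)
}
FETCHED_LINK_RELS = {"stylesheet", "icon", "shortcut icon", "preload", "prefetch"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if rel not in FETCHED_LINK_RELS:
                return  # e.g. rel="canonical" is metadata, never fetched
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" pairs.
            if attr == "srcset":
                refs = [p.strip().split()[0] for p in value.split(",") if p.strip()]
            else:
                refs = [value.strip()]
            for ref in refs:
                # urljoin resolves relative and protocol-relative ("//host/x")
                # references against the https page, so only explicit
                # http:// references come out with an http scheme.
                absolute = urljoin(self.page_url, ref)
                if urlsplit(absolute).scheme.lower() == "http":
                    self.findings.append((tag, attr, absolute))


def find_mixed_content(html, page_url):
    """Return the list of http:// subresources referenced by an https page."""
    if urlsplit(page_url).scheme.lower() != "https":
        raise ValueError("page_url must be an https:// URL")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: the http:// stylesheet and the http:// header
# image would break the indicator; the remaining references are fine.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/blog.css">
<link rel="canonical" href="http://blogs.example.test/post/1">
<script src="/static/app.js"></script>
</head><body>
<img src="http://blogs.example.test/images/header.png">
<img src="//blogs.example.test/images/logo.png">
<img src="images/footer.png">
<a href="http://www.example.test/">home</a>
</body></html>
"""

if __name__ == "__main__":
    page = "https://blogs.example.test/post/1"
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, page):
        print(f"{tag}[{attr}] -> {url}")
```

Run against fetched page source (or wired into a build step that walks the site's templates), the output is exactly the list of references an in-house editor needs to change to relative or https:// URLs. Note that plain anchor links (`<a href="http://...">`) are deliberately not reported: navigating to an http page is a different matter from embedding http content in an https page, and only the latter takes the green bar away.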

I worry that the over-emphasis on providing visual indicators for trust and security may have unintended consequences for site owners when that indicator fails. The aforementioned corporate blog site has behaved this way for at least the past week and, like I said, if this were an electronic commerce site, I might not be buying.
