

The Great SSL Extended Validation Certificate Mystery

You know, these extended validation certificates really bug me--more so than they probably should but they really, really bug me. The premise behind them is easy enough to understand--we'll color your address bar green (or provide some other kind of green-hued, visual cue) to let your users know that you spent tons more money on the same level of encryption. Some sites have reported increased conversion rates which, in the minds of the site owners, more than makes up for the cost, so if you've bought them and you are happy with them, that's super.

I get a lot of hits to this blog where "extended validation" shows up somewhere in the keyword search, and I have a question for my readers who also happen to be developers. Are extended validation certificates difficult to work with?  Does the slightest idiosyncrasy in markup on a page wreak havoc with them? Today's example is with Firefox 3.5 Preview, Internet Explorer 7, Safari 4.0, and the Mozilla add-ons site.

Open https://addons.mozilla.org/en-US/firefox/ in one of these browsers--let's start with IE7. The site is encrypted using a GlobalSign Extended Validation certificate and before anyone in P.R. freaks, I'm not slamming any company in this post. In IE7, you get the green bar:


Displaying the Certificate's Extended Details though, you don't get something that any user on the Internet would probably find extremely helpful:  An answer to the question "Should I trust this site?"  Instead of popping up a nice little "Yes" message when clicking the link, you get a Microsoft Help page listing all the different ways that your address bar could be colored with each one stating ways how you could still not be protected.

Switching to Firefox 3.5 Preview, although this behavior existed in Beta 4 as well, instead of getting a green bar, you get a blue bar:

Is this a bug?  Is there something wrong with the page?  It doesn't appear to be the case that Firefox can't display EV certs, since my health insurer's site displays as expected.  (Update:  It appears to be a bug.  Other sites using GlobalSign EV SSL certificates don't display correctly either; check out the demo site at https://ev.globalsign.com/.  Update 2: This bug exists in Firefox 3.5 RC1 as well. I had opened a bug report through Bugzilla, but it was closed as a duplicate.)

Finally, I'm liking how Safari handles them--you can't really tell that an EV cert is being used unless you hover the mouse over the green Mozilla Corporation text next to the prominently displayed RSS button:


It's almost as if the Safari developers are saying, "Yeah...we aren't too sure about these things either".

Now, let's switch back to IE7 since they so prominently display the issue and go to https://blogs.verisign.com/.  Again, I'm not picking on Verisign this time--just using their site to display the issue (and yes, I understand that one wouldn't normally try connecting to a blog over an encrypted channel--humor me!). At the start, everything looks fine:


Click on the link for Tim Callan's Web Blog, everything is still fine:


Go back and then click on the link for the new Web User Experience Blog, you get warned about a mix of SSL and non-SSL items on the page and the green bar vanishes although the site name didn't change:


So what's going on here?  Is there some absolute http URL in the HTML somewhere that is throwing off IE?  I don't really know, and since this is not an electronic commerce site that I'm buying from (it's a blog site), it's not that big a deal, but it does help illustrate my point that browsers don't really seem to work well with EV certs yet.  Is whatever is causing the problem on this blog equally easy to trigger on a site where visitors might be buying something?  If so, do we now need to consider writing an Extended Validation Certificate-Using Web Site Markup Validation tool to make sure that the green bar always displays as expected?  I wouldn't want to do that without first knowing all the ways one can break them--and I don't yet know all the ways one can break them.

UPDATE:  Today's (July 17, 2009) release of Firefox 3.5.1 appears to fix one problem I reported with GlobalSign's Extended Validation certificates, so now the location bar displays green when connecting to GlobalSign's EV test site (https://ev.globalsign.com/) but still doesn't display green on https://addons.mozilla.org/ (on my Mac at least).  This provides a good example of the basic problem I see with providing this kind of visual cue to end-users.  Both sites appear to be signed by the same CA certificate, but one displays as expected and the other doesn't.  If I were to guess, I would think that there is something on the page protected by a certificate signed by a different CA, or there is something on the page that is being delivered over HTTP by way of an absolute URL.  I confess, I haven't figured out what it is yet.
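The markup check the post muses about, as an added example (not the blog's own code): it flags absolute http:// references in attributes a browser fetches automatically, which is what produces IE7's mixed-content warning and makes the secure indicator disappear. The hostnames in the sample markup are placeholders.

```python
from html.parser import HTMLParser

# Attributes whose values a browser fetches automatically while rendering the page.
# Plain <a href> is deliberately absent: a link is not loaded until it is clicked.
FETCHED_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
}

class MixedContentScanner(HTMLParser):
    # Collects (tag, attribute, url) for every sub-resource referenced over http://.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        names = FETCHED_ATTRS.get(tag, ())
        # <link> is fetched only for some rel values; an RSS "alternate" link is not.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            names = ("href",)
        for name in names:
            value = (attrs.get(name) or "").strip()
            if value.lower().startswith("http://"):
                self.findings.append((tag, name, value))

def scan_html(html):
    # Return the list of plain-HTTP sub-resource references found in the markup.
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page with placeholder hostnames, not markup from any real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/blog.css">
<link rel="alternate" type="application/rss+xml" href="http://blog.example.test/feed">
<script src="https://static.example.test/app.js"></script>
</head><body>
<a href="http://blog.example.test/other-post">Other post</a>
<img src="http://images.example.test/banner.png">
<img src="/images/local.png">
<iframe src="HTTP://widgets.example.test/w"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in scan_html(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}={url}>")
```

It only sees static markup; resources injected by script at runtime still need the browser's own developer tools to spot.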

