
Browsers and secure sites

Monday 3 November 2008

On the web, SSL certificates are the common way to verify the identity of the owner of an HTTPS-based website. Compared to older generations, the new generation of browsers has far better support for displaying the amount of trust (or lack thereof) you should place in the owner of the site you are visiting.

Chrome uses a yellow address bar to indicate a valid SSL-enabled site:

Firefox, in my opinion, does an even better job by adding a green logo at the start of the address bar:

IE uses only a yellow padlock icon to confirm a secure connection with an SSL-enabled site.

In addition, IE uses colors to indicate how secure a connection is:

 

  • White: The certificate has normal validation. This means that communication between your browser and the website is encrypted. The certification authority makes no assertion about the business practices of the website. Sample: https://www.verisign.com.
  • Green: The certificate uses extended validation. This means that communication between your browser and website is encrypted and that the certification authority has confirmed the website is owned or operated by a business that is legally organized under the jurisdiction shown in the certificate and on the Security Status bar. The certification authority makes no assertion about the business practices of the website.
  • Yellow: The authenticity of the certificate or certification authority that issued it cannot be verified. This might indicate a problem with the certification authority’s website.
  • Red: The certificate is out of date, invalid, or has an error. For more information, see “About Certificate Errors” in Related Topics.

 

Note that for the colors to work you need the IE Phishing Filter turned on, which requires you to send anonymous information to Microsoft while browsing. Mine was off by default. If you turn it on, this is what you will see when browsing a site with extended validation:

Be aware that, when it comes to security, a valid SSL certificate only indicates how much you should trust the identity of the site owner. It tells you nothing about how much you should trust the intentions of the site. It would be perfectly possible to found a company, I Steal Your Money Inc., get a valid certificate for http://www.istealyourmoney.com, get a green bar, and walk away with your money if you entrust it to me on that site.
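The four colors in the list above are decided from certificate data alone, which is why a green bar says nothing about intent. The sketch below is an added example, not browser code: it takes a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, treats chain verification as a boolean input, and assumes extended validation can be recognised from subject fields, whereas real browsers check CA-specific policy identifiers. The sample certificates are constructed.

```python
import ssl

# Subject attributes that EV certificates carry and DV certificates lack.
# Assumption for this sketch: browsers really key on CA-specific policy
# identifiers, not on these fields.
EV_FIELDS = {"jurisdictionCountryName", "businessCategory", "serialNumber"}

def subject_fields(cert):
    """Flatten the nested RDN tuples used by getpeercert() into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def dns_names(cert):
    """Host names the certificate covers (exact names only, no wildcards)."""
    names = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    return names or {subject_fields(cert).get("commonName")}

def bar_color(cert, host, chain_trusted, now):
    """Map certificate facts onto the four colors from the list above."""
    valid_from = ssl.cert_time_to_seconds(cert["notBefore"])
    valid_to = ssl.cert_time_to_seconds(cert["notAfter"])
    if not valid_from <= now <= valid_to or host not in dns_names(cert):
        return "red"      # out of date, or issued for another name
    if not chain_trusted:
        return "yellow"   # issuer could not be verified
    if EV_FIELDS.issubset(subject_fields(cert)):
        return "green"    # extended validation: legal identity confirmed
    return "white"        # normal validation: encryption only

def make_cert(subject, not_after="Jan  1 00:00:00 2010 GMT"):
    """Build a constructed sample in getpeercert() shape."""
    return {"subject": tuple(((k, v),) for k, v in subject.items()),
            "notBefore": "Jan  1 00:00:00 2008 GMT", "notAfter": not_after}

NOW = ssl.cert_time_to_seconds("Nov  3 12:00:00 2008 GMT")
DV = make_cert({"commonName": "www.example.com"})
EV = make_cert({"jurisdictionCountryName": "US",
                "businessCategory": "Private Organization",
                "serialNumber": "0000000",            # constructed value
                "organizationName": "I Steal Your Money Inc",
                "commonName": "www.istealyourmoney.com"})

if __name__ == "__main__":
    print(bar_color(DV, "www.example.com", True, NOW))
    print(bar_color(EV, "www.istealyourmoney.com", True, NOW))
```

No input to `bar_color` describes what the site does with your data or money, so the hypothetical company's certificate is classified green like any other properly validated business.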

For some more reflections on the validity of the green in the browser address bar, see "Will Firefox have a green bar".
