undefined | Better HN

0 pointslifeisstillgood10y ago0 comments

Well. I missed that memo. Or rather I kinda sorta knew it was getting devalued, but a Padlock in my browser is something I trust. If it's not trust worthy or verified should we not go the whole hog, dump trusted public keys from all browsers and move to the web-of-trust / certificate pinning.

From the blog:

   just too much of a hassle. The application process can be 
   confusing. It usually costs money. It’s tricky to install 
   correctly. It’s a pain to update.

If the reason there is not enough SSL around is because it's too much hassle for webmasters, I doubt there is a solution. If you want to take payments you get SSL. if that's too much hassle PCI compliance is going to really stretch you.

0 comments

hueving10y ago

The padlock means you are connecting to the owner of that domain. That's a very valuable guarantee.

EV validation and whatnot is essentially a nice way to burn a ton of money on borderline extortion.

velox_io10y ago

Vanilla SSL verifies the the website is legit, EV verifies that the business is legit. More competition will lower the price, there's tons of room for cheaper & faster EV providers.

nailer10y ago

> But a Padlock in my browser is something I trust.

On the padlock note, Microsoft Edge shows a hollowed out, grey padlock for DV certificates.

Only EV certs get a full green one (as well as the legal name as other browsers show for EV). See https://certsimple.com/blog/dv-ssl-in-microsoft-edge

eric_bullington10y ago

> Microsoft Edge shows a hollowed out, grey padlock for DV certificates.

Firefox does the same. Luckily, Chrome is unlikely to do the same, since google.com itself is "only" domain validated.

finnn10y ago

Now we just need to add a big red icon for http sites...

cpach10y ago

Mozilla actually have announced their plans to deprecate plain HTTP: https://blog.mozilla.org/security/2015/04/30/deprecating-non...

j / k navigate · click thread line to collapse