undefined | Better HN

0 pointschetanahuja10y ago0 comments

"This comment is the exact perception about HTTPS that we need to change. It's not the job of HTTPS to say whether a website is safe or unsafe."

Too late. The web industry has spent about 20 years training regular people to look for that green lock sign in the address bar and feel all warm and fuzzy about how safe the site is. You can post on hacker news all you want about what perceptions need to be changed. It's not going to change the ground reality. SSL, as practiced in the industry today with all it's historical baggage is fundamentally broken. There's no fixing it.

0 comments

XorNot10y ago

Actually what's really broken is the way we've approached implementations. Recently I was trying to get a self-signed certificate for myself trusted by Python urllib3...I still don't know how to do it. It uses a completely separate trust-store. As does half a dozen other things on my system.

goldman6010y ago

Java is literally the worst as well. The Java truststore doesn't even have all the certs that every major browser supports. I'm looking at you StartSSL.

vacri10y ago

Green lock = EV cert. People are trained to look for the green, not for the lock - few people other than techies even look for a grey lock. EV certs generally have much more stringent requirements than "hey, give me a cert!".

bigiain10y ago

I'm pretty sure "People are trained to look for the green, not for the lock" is newer and not nearly as widely known advice as "look for the lock". And it's pretty obvious just looking around non-tech-related sites that even the "look for the lock" advice isn't all that well received - so many sites use images of padlocks on the page to imply "banking grade security!!!", surely not _all_ of them are incompetent - I have a strong suspicion that at least some of those people are doing it as part of high statistical significance validated A?B tested funnel optimisations...

chinathrow10y ago

Chrome has a green lock and green 'https' for this site, which hasn't an EV cert.

nailer10y ago

That's correct - only Chrome shows green locks for domain validated certs.

Firefox uses a grey lock for domain validated certs.

Edge uses a hollowed-out grey lock for domain validated certs.

j / k navigate · click thread line to collapse