>they seem to be resellers for DigiCert/Symantec certificates
>they should at the very least have either ETSI TSP² or WebTrust³ certifications to meet the security/trust requirements for operating a CA
A reseller does not need to meet any of these certifications. Resellers have a business relationship with a CA, and all the steps related to certificate verification and issuance are handled by that CA.
On the backend, a certificate request for your site is handled the same by the CA whether if comes through a reseller or through them directly.
This is a common concern, but in reality, it does not mean anything. "Sharing" your cert with a weird site is similar as taking the same bus route as someone who is bad.
From a security standpoint, there is little to no risk. Worst case scenario one of the other sites is doing something that results in the cert being revoked... and I imagine CloudFlare has a way to just move you (and everyone else) onto another cert seamlessly.
1. Unicode Homograph attacks don't work in a business registration. Someone would have to be able to legally register a business name that fits your look-alike example. That is not possible in most places AFAIK.
So what you re actually pointing out is that domain names are vulnerable to these attacks, which is another reason why DV certificates can fall short.
2. Correct, different companies. This is as intended, but admittedly a weakness in the human-readability of EV certificates.
3. Not all roots can issue EV certificates.
4. It becomes much harder to remain anonymous if you do these things. You are right, it isn't impossible to register a company solely for malicious use. But it carries with it legal risk.
There are no Wildcard EV certificates. You are just describing Wildcards.
Crypto nerds do trust the HTTPS PKI that is why there are about a dozen industry-leading crypto people working at Chrome, Mozilla, etc on PKI crypto.
>But aren't regular non-devs supposed to verify certificate name and the name of the website they are on? But aren't regular non-devs supposed to verify certificate name and the name of the website they are on?
The browser does this for you. Chrome (and all major browsers) have a certificate validation that parses the hostname in the certificate and compares it to the site you are on.
Checking certificate details manually is primarily useful for troubleshooting. It serves little to no security benefit for 99% of users.
I wrote an article that covers some similar ground, but is focused on why Chrome's team chose "Secure" over the alternatives, such as "Private."
It is quite a bit longer, but I do break down the data to show some big issues with the alternatives. For example, 28% of users surveyed said they would leave a site if it said "Private."
I agree with Mike that Chrome's testing was incomplete. It is important for them to test perception... because we wouldn't want indicators having a large negative effect on things like bounce or conversion rate. In some ways this is comprehension to an average user... we probably can't expect most people to ever rationalize past "am I safe or not."
"[Some of us chose] to debug viruses, worry about floppy disk compatibility, learn how to change out failed hard drives, etc. if we simply wanted to use technology at all"
Now, Millennials is a pretty uselessly broad term, so depending on what age range you are actually talking about, there is slightly more truth to this. If you are talking about someone who is 29-34 today, then you would be an early adopter of these technologies and it did require a high level of expertise. However this was a very small portion of the population.
If you are talking about 22-25 year olds, then computers and the internet had become more common in households and de-skilling. I know plenty of people who have used and owned computers most of their lives and have never debugged a thing.
Nerds have the inability to understand that most people use computers like any other tool. They do not obsess over it, seek to understand how it works, or otherwise care.
Like a microwave, they buy a new one if their current computer "breaks." Like a light fixture, if it malfunctions, most people hire a repairman instead of doing it themselves.
This has always been true for the mainstream users of computers. It only seems more absurd now because 16-19 year olds have had smartphones and other technology luxuries their whole lives, and so we expect them to have invested more interest into truly learning how to use them and how they work.
But availability of a technology does not have much of a connection to proficiency of said technology.
Ironically, I am sure most of the people here who whine about how little other people understand computers have a similar lack of understanding for other objects they use everyday. How many people in programming/I.T. know anything about plumbing or car maintenance?
I would recommend a total redesign of your front page. It sounds like it could be a great tool, but I have literally no impression of it from clicking on any of the non-gated links on your site.
The basic info on https://visualtip.com/tour is closer to what you need on the homepage. But visual-focused instead of text. And absolutely reduce the noise on the page by getting rid of meaningless text such as
"Security: We take security very seriously and have taken measures to protect our customer's data"
and the Deiter Rams quote which looks like a user endorsement needs to go too.
You mean in order to place it back on the machines? Sure, just one line.
But there seems to be a rather big difference between basic software that is guaranteed to be available and software that requires any amount of scripting/preparation to install, even if it is just one line.
I think Chrome's behavior is the most sensible choice. If you are in an environment where traffic inspection is required by policy, than the browser should obey that.
If Chrome enforced pinning with local roots, then the outcome would be:
1. Those sites simply become unaccessible
2. Those networks require you to use a different browser
3. Those networks deploy a modified version of the browser which disable that behavior
4. Websites avoid using HPKP in the first place because it may cause problems
or some combination. Those outcomes seem worse than Chrome obeying the desires of the network admins.
Is there some risk that malware or other bad actors could abuse this? Sure. But Chrome's devs considered that and decided any other number of bad things could be done with the same access.
Certificate resellers are only taking money in exchange for the cert. They are not doing any validation.
This is true even in cases like Gandi.net where some of the certs they sell come from a custom-branded intermediate certificate. The root CA is Comodo and they are doing the validation, controlling the private key's of the certs that handle issuance, etc. Its just a branding thing.
There are a few cases with Sub-CAs/Registration Authorities where a third-party company is handling some/all of the certificate validation. Symantec is currently in trouble for the bad actions of CrossCert, a Korean company that was licensed to be a Sub-CA. But WoSign/StartCom would not be able to participate in any sort of arrangement like this without being immediately banned again.
So there is no inherent problem with a banned CA continuing to sell certificates that another CA is validating. However, in the investigation of WoSign it was found that the company is deeply dishonest, incompetent, and even a little bit malicious. So anything that puts money in their pocket should be avoided.
>For example, when I type the first 4 letters of my bank's URL, the omnibox has 3 suggestions prior to the direct bank URL even though it's a site I frequently visit and google knows that. They want me to search "BANK NAME" because then I'm more likely to click on the top link which of course is an ad.
This is strange. For nearly every letter on the keyboard, Chrome's first suggestion in the address bar is a site I regularly visit. I.e. for p its paypal.com, for e its ebay.com.
There are almost no cases where the first suggestion isnt a direct URL. I wonder what settings differ between us.
>I think it's unlikely you'll find anyone reviewing vacuum cleaners online because they love the engineering prowess exhibited by a Dyson.
There are literally dozens of sites for every niche and topic where people are writing about it for personal satisfaction. Rather shocking you would think that given the number of personal blogs that pop up on HN.
>I immediately gravitate towards the keyword descriptive dotCOM. It instantly exudes trust & authority
Strongly disagree. As a result of this type of thinking, I find that the majority of "keyword descriptive dotCOM" domains are usually click-bait or shady content marketing.
Sites like "VacuumReviews.com" are almost always full of content focused on SEO not quality, and questionable financial motivations.
But I guess if the general public still likes those types of domains it shouldnt affect their value.
>they should at the very least have either ETSI TSP² or WebTrust³ certifications to meet the security/trust requirements for operating a CA
A reseller does not need to meet any of these certifications. Resellers have a business relationship with a CA, and all the steps related to certificate verification and issuance are handled by that CA.
On the backend, a certificate request for your site is handled the same by the CA whether if comes through a reseller or through them directly.