osCommerce

Firefox 3 and SSL info in URL-Field .. unbelievable!


Looks like Firefox is working together with the major SSL Certificate Companies.

In the new version 3 of Firefox only the expensive Certs will be shown including a company name and a green background.

If I want my company name in the URL field I have to buy an expensive ssl cert starting at 499EUR.

So what do you think about that? I am really pissed as my ssl website info does make me look like I want to hide my identity.

Examples with Firefox 3:

Green ssl info with company name

https://www.paypal.com/

When clicking on the favicon it shows unknown owner, which is not true (the cert info shows company & unit name)

https://www.mspoints.de/

Stephan Gebbers


Mozilla 3.0, IE7 and Opera 2.5 all show this info...

It's part of the new browser standard; this will only validate EV SSL certificates with a green browser bar. (Safari is also said to implement it soon.)

This is to help protect users against fraudulent and phishing sites.

Low assurance ssl, which is what very many oscommerce sites are using today, only validates the use of ssl and the domain name....

This of course should not be enough to assure the user of a site's legitimacy.

Such ssl certs are usually issued immediately upon order and require no background checking.

The standard high assurance certificates are better, but the checking routines are not done well enough by many of the issuing authorities.

With this as background, the new EV ssl certificates have been created, which require stringent checking of not only the use of ssl and the domain name but also a check of the entity/business/person which owns the web site and uses the ssl certificate for that site.

For more info on the criteria set for EV ssl certificates you can visit cabforum.org


i'm a bit ticked about this too. i'm sure firefox is taking some sort of a payoff for this. and eventually it's going to cost some of us orders once the regular population figures out what the green bar is for.

but, until google and other big company sites i frequent move onto the green certs i will not worry about it.

(google's highlighted in blue, just like my site does)

so far the only site that i use regularly that has the green bar was paypal.

paypal is running on an apache version lower than mine.. so their level of ssl isn't really impressing me.


> i'm a bit ticked about this too. i'm sure firefox is taking some sort of a payoff for this. and eventually it's going to cost some of us orders once the regular population figures out what the green bar is for.
>
> but, until google and other big company sites i frequent move onto the green certs i will not worry about it.
>
> (google's highlighted in blue, just like my site does)
>
> so far the only site that i use regularly that has the green bar was paypal.
>
> paypal is running on an apache version lower than mine.. so their level of ssl isn't really impressing me.

Not only Firefox; IE7 and the new upcoming Opera have the same functionality....

And the point of it is not only to show that the site has SSL, but also that the PHYSICAL identity and location of the site's owners have been verified.


i understand the point of it, but those of us with cheaper certificates totally get the shaft.

i don't see justifying paying hundreds of dollars on something i can get for $20 or less and achieve the same functionality.

aside from this green bar, not one of my customers has ever noticed i have a $20 ssl certificate. nor has one ever asked me why i do not use the same one as a site like paypal does.

(the same can be said for google too, by the looks of it!)

to a consumer, there is no difference. but now there will be. seems like a great way for the overpriced certs to lure in sales.. pretty dirty of the browser developers to crap on those of us that aren't willing to pay that much.

does anybody know why the cheaper certs weren't included in this green bar deal? aside from being paid-off..


> i understand the point of it, but those of us with cheaper certificates totally get the shaft.
>
> i don't see justifying paying hundreds of dollars on something i can get for $20 or less and achieve the same functionality.
>
> aside from this green bar, not one of my customers has ever noticed i have a $20 ssl certificate. nor has one ever asked me why i do not use the same one as a site like paypal does.
>
> (the same can be said for google too, by the looks of it!)
>
> to a consumer, there is no difference. but now there will be. seems like a great way for the overpriced certs to lure in sales.. pretty dirty of the browser developers to crap on those of us that aren't willing to pay that much.
>
> does anybody know why the cheaper certs weren't included in this green bar deal? aside from being paid-off..

The cheaper certificates do not verify the site owner's physical location and identity.

The new green bar is not only to verify that a site has ssl but also to verify that this is a legitimate organization/person behind the site with verified physical location and information to back that up.


> The cheaper certificates do not verify the site owner's physical location and identity.
>
> The new green bar is not only to verify that a site has ssl but also to verify that this is a legitimate organization/person behind the site with verified physical location and information to back that up.

Well, I would instantly switch to an EV SSL but I don't get why it is so expensive to verify a person's business and address.

Standards are mostly made for the benefit of the company (or in this case companies) which is establishing the new standard. It is all about the money as always. And to keep small business small.

I hope that EV SSL will not be accepted by the customers and not seen by the buyers and will become useless.

Stephan Gebbers


> Well, I would instantly switch to an EV SSL but I don't get why it is so expensive to verify a person's business and address.
>
> Standards are mostly made for the benefit of the company (or in this case companies) which is establishing the new standard. It is all about the money as always. And to keep small business small.
>
> I hope that EV SSL will not be accepted by the customers and not seen by the buyers and will become useless.
>
> Stephan Gebbers

Due to the fact that close to all browser providers will support it, and also counting in the strong support from among others PayPal, it is just a matter of time till this is just what can make a customer turn away and not buy at your site.

But given time the price for EV certificates will also go down.

The requirements for checking the owner information are quite stringent for EV certificates, so it does require time and work on the provider's side to verify it.. hence an EV certificate will in all probability never be as cheap as today's standard certificates though.


ok, point understood..

but from a consumer point of view.

do you really care how much work the site owner had to go through to "validate"?

does this mean anything to the consumer.

any valid company can easily fork out $500 to get one of these fancy bars and then turn around and steal your credit card number.

this is not really doing anything other than providing a false sense of additional security. your details can still be taken for a ride, with or without this green bar.

just because the person that signed up for the cert had to jump through hoops does not mean the site is any safer than the cheap little guy a few clicks away that has a plain old blue cert.


> ok, point understood..
>
> but from a consumer point of view.
>
> do you really care how much work the site owner had to go through to "validate"?
>
> does this mean anything to the consumer.
>
> any valid company can easily fork out $500 to get one of these fancy bars and then turn around and steal your credit card number.
>
> this is not really doing anything other than providing a false sense of additional security. your details can still be taken for a ride, with or without this green bar.
>
> just because the person that signed up for the cert had to jump through hoops does not mean the site is any safer than the cheap little guy a few clicks away that has a plain old blue cert.

The point is not just to fork out the 500 USD+, it's that the document requirements and the follow-up checking done by the provider are done so that the physical identity is verified....

I.e. the address info which will be available in the ssl cert info is an actual entity which you can contact/visit and so on at just that location.

So as such, yes, that is very much of interest to a consumer who purchases something at your site....


> Interestingly, VeriSign (who sell SSL) are not part of the Green Bar Posse either...

VeriSign do offer EV (Extended Validation SSL) certificates.


> The point is not just to fork out the 500 USD+, it's that the document requirements and the follow-up checking done by the provider are done so that the physical identity is verified....
>
> I.e. the address info which will be available in the ssl cert info is an actual entity which you can contact/visit and so on at just that location.
>
> So as such, yes, that is very much of interest to a consumer who purchases something at your site....

but what part of this process should signal to the customer that the site is any safer than one without the green bar?

i understand there's a lot of steps and requirements.. but in the end, the same level of protection is still issued.

if the green certificate site gets compromised.. is it still safer than the guy who is too cheap to invest in one and still uses a $20 cert (but whose site was not compromised)?

or how about the green cert site decides to take a little extra double-dipping off random cc#s... but the little guy is not.. are consumers any safer with the green guy?

and also, can't you confirm the website's location/address by looking up the whois? it is an icann requirement to have a valid address, otherwise you can lose your domain.

surely no legit company falsifies this. that's a huge risk to take otherwise!


> but what part of this process should signal to the customer that the site is any safer than one without the green bar?
>
> i understand there's a lot of steps and requirements.. but in the end, the same level of protection is still issued.
>
> if the green certificate site gets compromised.. is it still safer than the guy who is too cheap to invest in one and still uses a $20 cert (but whose site was not compromised)?
>
> or how about the green cert site decides to take a little extra double-dipping off random cc#s... but the little guy is not.. are consumers any safer with the green guy?
>
> and also, can't you confirm the website's location/address by looking up the whois? it is an icann requirement to have a valid address, otherwise you can lose your domain.
>
> surely no legit company falsifies this. that's a huge risk to take otherwise!

You can use about any address or name you wish in whois.... There are really no checks and balances there...

This in turn makes the low assurance certificates only good for actually validating that a site has ssl and nothing more.

It does not in any way give any form of assurance that you are dealing with someone "real" in the sense that you can locate them and hold them accountable.

Today's high assurance certificates are a step up, but due to the "loose" checking done on location/information, about any "shelf" company will do.

The new EV (Extended Validation) standard has much more stringent checking and gives a much higher probability that the information/location is actually correct.

Back to low assurance certificates, which is where the whole ssl certificate system started to really have no value....

1. someone registers a domain with totally false whois info

2. they acquire a low assurance certificate for that domain

3. they are now set to look and act like a legitimate site with ssl

So without having shown any info at all, spending 20 USD+, they are now ready to scam the internet browsers full time without any accountability since no one can find out who actually is behind the domain...

New scam and phishing sites pop up daily using methods similar to what's described above....

Not to mention all the copy and replica sites operating in just the same way... as well as illegal pharmaceuticals, gambling, kiddie porn and so on.....


That's interesting

http://en.wikipedia.org/wiki/Extended_Validation_Certificate

Surrounding issues

Availability to Small Businesses

Since EV certificates are being promoted[4] and reported[5] as a mark of a trustworthy website, some small business owners have voiced concerns[6] that EV certificates give undue advantage to large businesses.

The published drafts of the EV Guidelines excluded unincorporated business entities, and early media reports[7] focused on that issue. Version 1.0 of the EV Guidelines was revised to embrace unincorporated associations as long as they were registered with a recognized agency, greatly expanding the number of organizations that qualified for an Extended Validation Certificate.

Early media reports also focused on the higher price of EV certificates, typically pointing to VeriSign's pricing. While the higher validation costs inherent in following the EV Guidelines do engender higher prices relative to other SSL certificate products, a number of CAs have been promoting EV prices below $500.

Vulnerability to Phishing

There has been some concern that EV certificates, despite their improved authentication and higher cost, will not prevent phishing attacks[8].

In 2006, researchers at Stanford University and Microsoft conducted a usability study[9] of the EV display in Internet Explorer 7. The study measured users' ability to distinguish real sites from fraudulent sites when presented with various kinds of phishing attacks, and found that there was no significant difference between users who saw extended validation indicators and those who did not. Users who received training with the Internet Explorer 7 help file were more likely to judge all sites legitimate, regardless of whether they were fraudulent.


The new browsers are just starting to add new tools to help identify scam and phishing sites, more will come... not to forget all the add-ons, both those available today and new and upcoming ones...

If, after users have had some time to adjust to the new systems, they do not warn/protect well enough, then more will follow... maybe even pop-up warnings....

A nice test of such functions is to download and install Vengine, vengine.com; this does not specifically reflect on EV certificates but it does separate low assurance certificates and high assurance certificates.

It will show that a site with a low assurance certificate is valid and has active SSL encryption but will also show a warning message that the identity of the site's owner has not been verified.....


> VeriSign do offer EV (Extended Validation SSL) certificates.

I didn't say that they didn't.

I said that they are not part of the green bar posse.

Go to verisign - no SSL until you're in the payment area.

Whereas PayPal are green straight away.


> I didn't say that they didn't.
>
> I said that they are not part of the green bar posse.
>
> Go to verisign - no SSL until you're in the payment area.
>
> Whereas PayPal are green straight away.

That is standard web procedure...

Most payment processors and banks have ssl from the get go, while info sites incl. ssl providers and web shops have the ssl only on selected pages.

Also Verisign is a member of The Certification Authority Browser Forum and has been part of "hammering" out the details for the EV standard.


i still don't see how having this bar should indicate to a consumer that the said site is more trustworthy than one without.

if spammers and thieves go to the length to even register ssl.. what should indicate to us that they won't catch on to this "green bar" and do a little up-front investment.

it would be very easy for a scammer to register a site like mywidgetshop.com and seem as though they "intend" to do business lawfully... and after getting their fancy cert, they start luring people in and ripping them off.

this green bar is nothing more than a sales tactic, and gives consumers a false sense of security.

just because the site owner had to go through difficulties getting that green bar, does not mean they're more trustworthy than sites without. paypal has been compromised before.. who's to say they're safer than google checkout (who's never had a compromise yet, to the best of my knowledge)

at this time, google doesn't have that green bar..

paypal also has an outdated version of apache and displays their default apache headers (big no-no for a site like theirs, if you ask me) stuff like this should be more of an indicator of safety, rather than how much money they're willing to spend to convince people they're legit.

by chance, do you happen to have one of these overpriced certs toyicebear? :)


> by chance, do you happen to have one of these overpriced certs toyicebear? :)

No, I do not personally use EV certificates yet; I am waiting for the use of IE7 in combination with Vista, Firefox 3.0 and Opera2.5 to be of wider use first.

This gives the added advantage that the price for the EV certificates will most likely be lower when the time comes to purchase them.

> it would be very easy for a scammer to register a site like mywidgetshop.com and seem as though they "intend" to do business lawfully... and after getting their fancy cert, they start luring people in and ripping them off.

There are always ways for scammers to circumvent any system, but the EV SSL makes it more difficult and raises the bar a bit.

Following your logic, you could just as well say.

Why lock the door of your house or for that matter install an alarm?

A good thief can pick the lock and disable any alarm system anyway.....

> i still don't see how having this bar should indicate to a consumer that the said site is more trustworthy than one without.

So you personally have no problem in leaving your credit card details on any site just as long as it has SSL?

And this even though you do not know who owns the site or even where in the world they are located?

This in turn also raises the likelihood that this site also stores your cc and even your cvv details? (Most sites who do this today are sites run by smaller companies trying to save a buck or who simply do not know better, and of course scamming sites)

Personally I would never give out my cc details at any site where the owner's identity is in question.....

So from my point of view the new EV certificates are a step in the right direction....

As an added bonus, as soon as the general consumer gets aware of this new browser feature and starts to use it actively, well then not only scam and phishing sites will have problems but also sites selling counterfeit and illegal products... which using today's systems can easily sit "hidden" behind anonymous web addresses.

But since this is a very lucrative business, they will of course look for ways to beat the system...

But as mentioned before, I personally prefer to lock my door and turn on the alarm .... don't you?


you don't think the demand will cause the cost of these certs to go up? i'm going to assume a lot of shop owners are going to jump on the bandwagon just assuming they're going to get blackballed without having that bar.. and i don't doubt that will be the actual case. anyone supplying these EV certs is going to notice this.. and with most business models, jack the price.

> Following your logic, you could just as well say.
>
> Why lock the door of your house or for that matter install an alarm?
>
> A good thief can pick the lock and disable any alarm system anyway.....

i'm confused with this ideology.. a scammer beating "the system" isn't really the same as locking my door. :)

> So you personally have no problem in leaving your credit card details on any site just as long as it has SSL?
>
> And this even though you do not know who owns the site or even where in the world they are located?

absolutely. first and foremost, i don't order from a site/company unless i have trust in them. there's nothing i need to buy on the net that's important enough to leave myself open to fraud.

i know most consumers do little investigation about the trustworthiness of companies they do business with.. but i do. if i'm not already familiar with them, i research them before buying.

> So from my point of view the new EV certificates are a step in the right direction....

i would agree with you.. if the price tag wasn't involved. that is my biggest beef of all. something tells me it doesn't cost even a fraction of what these certs cost to validate one company.

having all of the major browsers play in for them seems like a very dirty sales tactic, and i'm not too happy with the fact that i'm inevitably going to have to be suckered into buying one because the average consumer is too retarded to understand what that bar really means.


> you don't think the demand will cause the cost of these certs to go up? i'm going to assume a lot of shop owners are going to jump on the bandwagon just assuming they're going to get blackballed without having that bar.. and i don't doubt that will be the actual case. anyone supplying these EV certs is going to notice this.. and with most business models, jack the price.

Due to how the ssl market is operated, with a massive amount of re-sellers and different "brand" names, it's highly likely that the price will go down and not up as demand rises.

>> Following your logic, you could just as well say.
>>
>> Why lock the door of your house or for that matter install an alarm?
>>
>> A good thief can pick the lock and disable any alarm system anyway.....
>
> i'm confused with this ideology.. a scammer beating "the system" isn't really the same as locking my door.

In a sense it is; you said because someone might beat the system then why use it in the first place...

The very best hackers can crack a computer system even if it has a firewall, so then why have a firewall?

An accomplished burglar can disable an alarm, so why have an alarm in your house?

And so on.....

The same goes for EV certificates...

If an accomplished scammer can get one, then why should browsers/potential buyers then trust those who use them when they buy something online?

Well, the answer is the same as on the other questions: not because it's 100% foolproof but because the probability that it's safer is soooooooo much higher than without it.

> i would agree with you.. if the price tag wasn't involved. that is my biggest beef of all. something tells me it doesn't cost even a fraction of what these certs cost to validate one company.

I think most of them are too expensive right now; some providers ask around 1000 USD for one, which is way too much...

But looking around you can find alternatives close to 400 USD.

As mentioned before, I guess the price will go down, but there will probably be a natural level it will not dip below since it does require a certain amount of background checking prior to issuing one.

The reason the low assurance certificates sold today can be so cheap is that no real checking is done prior to issuing one.... so it's basically a totally automated money machine for the providers....


i think you misunderstand my positioning on EV ssl.

i am NOT against using it. in fact, i am FOR anything that will make things difficult for my competitors.. a lot of them are not legit companies and would end up getting denied for these.

i am against the glamorization of these type of ssl versus the cheaper certs from a consumer point of view. they do not understand the difference. because of this, the majority will assume that green bar means safe NO MATTER WHAT.

in fact, it does not. this green bar does not prevent the script of the website from being compromised..

so a site without this green bar that does regular vulnerability tests may in actuality be safer, but the customer isn't going to believe this because "i just don't see the green bar"

that, and i'm not a fan of the price. a couple hundred maybe would be reasonable.. but there are some pretty outrageous prices for these. i think $400 is even too much.

and here's one of my problems with this: http://answers.yahoo.com/question/index?qi...06230443AAfFdUH

"verified secure" - this person answering doesn't seem to realize that this green bar does not in fact, prevent hacking and theft of data.

to your average browser, that answer tells them that without a doubt, their data is safe. it is in reality, no real safer than an ssl site without the green bar.

this green bar only really means the individual that signed up for the cert confirmed their identity and location and was (AT THE TIME) of ssl registration operating under a presumably legitimate state.

does not mean they were not compromised after the fact, or that your data isn't being mined.


The new browsers still show the padlock for all sites with valid ssl certificates including the low assurance ones.

The new green bar is not to just show that a site has SSL; it is also to show that the owner of the site has a verifiable physical location and company/personal info.

For the first part, yes, close to any SSL certificate will do.. a site with EV SSL is not necessarily more secure on the SSL encryption than a site having a low assurance ssl certificate.

For the second part, well, only an EV SSL certificate will do... it's the only one with extensive background checking done.

(It can also be noted that EV SSL is limited to a max validity period of 2 years, while many other ssl types can be purchased for periods of 10 years+)

The shopping public has clearly accepted that SSL is a secure online communication method.

But there are still plenty of people out there who are sceptical of online shops and problems related to who actually owns a shop, where they are physically located, how to contact them if something goes wrong and of course who and where to report to the Police in case of fraud/scams/replicas/counterfeit products.

So yes, it's very reasonable that only sites with EV certificates get the Green Bar.

And as a shop owner this is something that should make you happy and not concerned... that is if you have a legitimate business.....

Why.. because if/when this gets accepted by the general public as a sign of trustworthiness, then more people will be willing both to sign up and to actually pay by using their credit cards at a site they feel they can trust.

This will then possibly increase the number of customers who shop online, especially among the group who have been apprehensive up till now because of the lack of assurance and accountability among many of the webshops you can find online today.

So in the end this might actually increase your shop's sales....

And as an additional bonus you might also be able to win over some of the customers who now only shop at Amazon and other big well known shops.....


i would agree with you on every point, except the price.

the cost of the EV SSLs make me feel almost as though extortion is taking place by shoving the green bars in people's places. for this fact alone i have a HUGE problem with them and how they're now paraded in the general public's faces..

if these certs were moderately or reasonably priced, you're right, i'd be pretty happy.

knowing that sometime within the near future i must shell out $400+ for something that previously cost me $20 and provides no additional functionality (only headaches) does not have me all that pleased.

i know i'm not going to rip my customers off and i do everything humanly possible to ensure my scripts are patched (why i frequent this board! and many others.), i don't think i need to PROVE to them otherwise if a price tag is attached.. i already invest countless hours of my free time ensuring everything is looked after.

most of the physical info/data is supplied up-front by any legit business.

speaking on my behalf solely, i have it all located in a very easy to find location within my site. any customer that can't spot that is a moron and i'd probably prefer they take their business elsewhere... :)

and any business that feels the need to hide that info, do people really buy from them? if so, they (customer) deserve what they get for being dumb.

> And as a shop owner this is something that should make you happy and not concerned... that is if you have a legitimate business.....
>
> Why.. because if/when this gets accepted by the general public as a sign of trustworthiness, then more people will be willing both to sign up and to actually pay by using their credit cards at a site they feel they can trust.

this was true about plain old ssl prior to this green bar.

and for what it's worth, i don't see this green bar grabbing me any sales.

it's going to be something customers LOOK FOR after they're already interested in making a purchase. they'll either turn away or go ahead with the purchase. if anything, i foresee my conversion rate staying the same. (when compared to a standard ssl which i now have)

so in this situation, the only people winning are those that create the ev ssl. they get to stick their fingers in my pocket book and when it comes to, i'll have no choice but to abide or my sales will move on, because they don't see the "green bar".


Archived

This topic is now archived and is closed to further replies.
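
The difference the thread draws between low assurance, high assurance and EV certificates is visible in the certificate's subject fields. The following is an added example, not code from any poster: it classifies constructed sample certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The host names, company and registration number are made up, and the subject-field test is a heuristic, since browsers decide on the green bar from the issuing CA's EV policy identifier, which that dict does not include.

```python
"""Classify what identity a TLS certificate's subject asserts.

Input is the dict shape returned by ssl.SSLSocket.getpeercert().
Heuristic (assumption of this example): subject fields stand in for the
CA's EV policy identifier, which getpeercert() does not expose.
"""

# Subject attributes the EV Guidelines require besides organizationName,
# under the names Python/OpenSSL report them.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}
ADDRESS_FIELDS = ("streetAddress", "localityName",
                  "stateOrProvinceName", "countryName")


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into {name: [values]}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields


def validation_level(cert):
    """Return 'domain', 'organization' or 'extended' for a peer certificate."""
    f = subject_fields(cert)
    org = f.get("organizationName", [])
    names = set(f.get("commonName", []))
    ous = [ou.lower() for ou in f.get("organizationalUnitName", [])]
    # Some domain-validated certificates repeat the host name in O or carry
    # a "Domain Control Validated" OU: no owner identity was checked.
    if (not org or set(org) <= names
            or any("domain control validated" in ou for ou in ous)):
        return "domain"
    if EV_FIELDS.issubset(f):
        return "extended"
    return "organization"


def vouched_identity(cert):
    """Summarise which identity claims the certificate actually carries."""
    f = subject_fields(cert)
    level = validation_level(cert)
    hosts = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    report = {"level": level, "hosts": hosts or f.get("commonName", []),
              "organization": None, "address": None, "registration": None}
    if level != "domain":
        report["organization"] = f["organizationName"][0]
        report["address"] = ", ".join(
            f[k][0] for k in ADDRESS_FIELDS if k in f) or None
    if level == "extended":
        report["registration"] = f["serialNumber"][0]
    return report


def _subject(**attrs):
    """Build a subject in getpeercert() form from keyword arguments."""
    return tuple(((k, v),) for k, v in attrs.items())


# Constructed sample certificates (not taken from any real site).
SAMPLES = {
    "cheap": {"subject": _subject(commonName="shop.example"),
              "subjectAltName": (("DNS", "shop.example"),)},
    "cheap_with_o": {"subject": _subject(
        organizationName="www.shop.example",
        organizationalUnitName="Domain Control Validated",
        commonName="www.shop.example")},
    "high_assurance": {"subject": _subject(
        countryName="DE", localityName="Berlin",
        organizationName="Example Widgets GmbH",
        organizationalUnitName="Web Shop",
        commonName="www.shop.example")},
    "ev": {"subject": _subject(
        jurisdictionCountryName="DE", businessCategory="Private Organization",
        serialNumber="HRB 000000", countryName="DE", localityName="Berlin",
        streetAddress="Beispielstrasse 1",
        organizationName="Example Widgets GmbH",
        commonName="www.shop.example")},
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(label, vouched_identity(cert))
```

The `high_assurance` sample is the case from the first post: the certificate carries a company and unit name, yet it lacks the EV-only fields, so it is not treated as extended validation.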
