Yellow padlock is losing its trusted status :(

[Guest]

[Melih]

SSL losing its trust

This is a new video i have prepared to educate people about SSL and the issues with it.

Melih

[OmeletGuy]

Indeed it is, mostly to us users that know how easy it is to get one. To normal every day users it’s a False Sense of Security and commonly used for fraud. To some people they don’t need to see a Yellow Padlock on the browser, one on the webpage is enough, but fake.

[Tarantela]

Melih you have explained the problem in very simple and understandable vocabulary and
i have learned something new today.
I have a suggestion for the download of CIS and it is to make the personalfirewall.comodo.com
a secure green padlock site.
It would be an assurance that Comodo company is thinking about user safety when they
download CIS or any other Comodo product.

[Quill]

I have to wonder how many 'normal' users know what the padlock means, assuming they even see it!

The underlying PKI, for now, is sound, but we need something much more obvious and enlightening about any 'secure' connection we make, especially if it involves the transmission of confidential data.

 

[eXPerience]

Lol, I didn't even know that the yellow padlock was there for that reason .  Well, at least I know it now 

Xan

[Quill]

Xan, step into my office, we need to have a conversation ;p

[J2897]

That video was nice and clear; easy to understand. But if anyone missed it:

SSL (the Padlock) means that the Connection (from 'you' to 'the site' you are on) is Encrypted; but that's all it means.

It does NOT mean that the Site Owners are 'Legitimate' or 'Trust Worthy'.

[Endymion]

IMHO in some cases even fairly limited guarantees may be enough, though this may be arguable.


Indeed despite providing different trust levels DV and OV certs are equally represented with the same padlock.

eg: some blog,forum and alike services that require user to provide not much than an email  use ssl certs :

https://forums.weather.com cert is an OV (Organization validation) one but https://help.ubuntu.com/community, https://blogs.secondlife.com/ and https://twitter.com/ are DV (Domain Validation) certs.



Whenever the padlock could lead to implicitly assume more guarantees than those actually implied is no negligible concern, I'm among the lines of those who are not totally against DV certs although I agree that in some scenarios DV certs are not reliable enough.


eg: https://www.createspace.com/ provide a shopping cart but use a DV cert whereas it is not possible to confirm its owner through whois (contact address use a 3rd party  privacy service)

Indeed www.createspace.com is an Amazon subsidiary http://www.amazon.com/gp/help/customer/display.html?nodeId=15015781

But there is no direct way to confirm the organization like there would be for EV or OV certs.

[eXPerience]

Xan, step into my office, we need to have a conversation ;p

Sure where do we meet ?

Xan

[harmony]

Dangerous Validation! Ha...very Newsful, Melih. Thnx.

Kind regards,
Srikanth

[Melih]

IMHO in some cases even fairly limited guarantees may be enough, though this may be arguable.


Indeed despite providing different trust levels DV and OV certs are equally represented with the same padlock.

eg: some blog,forum and alike services that require user to provide not much than an email  use ssl certs :

https://forums.weather.com cert is an OV (Organization validation) one but https://help.ubuntu.com/community, https://blogs.secondlife.com/ and https://twitter.com/ are DV (Domain Validation) certs.



Whenever the padlock could lead to implicitly assume more guarantees than those actually implied is no negligible concern, I'm among the lines of those who are not totally against DV certs although I agree that in some scenarios DV certs are not reliable enough.


eg: https://www.createspace.com/ provide a shopping cart but use a DV cert whereas it is not possible to confirm its owner through whois (contact address use a 3rd party  privacy service)

Indeed www.createspace.com is an Amazon subsidiary http://www.amazon.com/gp/help/customer/display.html?nodeId=15015781

But there is no direct way to confirm the organization like there would be for EV or OV certs.

Indeed there are some uses of DV, although fairly limited.

DVs are being used in ecommerce to "establish trust" today. This is wrong, VERY wrong. DV should NOT be used for establishing trust, because there is no trust component in a DV certificate.

Melih

[OmeletGuy]

Just a question Melih, Why dont the forums have a green bar insted of just the Yellow Padlock.

[Melih]

Just a question Melih, Why dont the forums have a green bar insted of just the Yellow Padlock.

because we havent' put an EV cert there..
i guess we should...

Melih

[eXPerience]

because we havent' put an EV cert there..
i guess we should...

Melih

That would be better, yes

Xan

[zyrelle27]

Wow. Now I know what those yellow padlock is for... I didn't even know what it means, before I just thought that it's some sort of a secure connection between me (my browser) and the site I'm trying to enter.

New knowledge installed. 

Thanks Melih.

[Tags:]