Browsers showing positive indicators for DV certs causes Consumer Harm

Someone has to stand up for the end users!

[b]You will hear people say[/b]: Yeah but end user’s don’t care about these indicators, look at the research papers …(and they will produce research papers that they paid for!)….
Is there research suggesting that average users are helped by the EV-indicator to distinguish between the intended site and a fraudulent site?
[b]My answer to them is[/b]: Then why have it? Remove it, your own paid research paper says no one cares, so remove it! You can’t have it both ways. You can’t say user’s don’t care but we will continue showing it to users knowing that it will cause harm to them.
That is the plan for Chrome:
Thus, our focus is on introducing negative indicators that accurately reflect when there is no connection security, while also working to reduce the confusion introduced by the myriad of positive indicators by aligning to a single, neutral state. A “single, neutral state” for secure connections, and negative indicators for insecure connections.

You are missing the point Jowa.

1)browsers should stop displaying a misleading indicator
2)browsers should train users to look for proper indicators

Just because they have failed by confusing users with non uniform indicators, just because they failed by not educating users about what to look for, you cannot diminish the value of visual indicators.

Visual indicators are of value, if trained properly.

You are conflating the current state of affairs…which is a mess created by showing users indicators that shouldn’t be there causing consumer harm…not training users on the proper ones they should be looking at…you are implying that Visual indicators are meaningless. You are simply wrong.

Visual indicators are very powerful…remember Traffic lights… remember hologram on credit cards…we just have to use them properly…that is the issue!

Educate and train users, why does that make me think of Σίσυφος? Maybe because trying to teach people something they do not want to be taught (like boring technical stuff) is like trying to defeat gravity. It fails every time.

If a solution is not effective for billions of users, ranging from about 5 to about 105 years, maybe changing the solution is a better way than trying to change all users. And as Cormac Herley (Microsoft) argues, “users’ rejection of the security advice they receive is entirely rational”.

Traffic lights work, and they would still work if the green light were removed. The driver only needs to know it has to stop (red light, negative indicator). If there is no light, keep going.

LOL…so very flawed…

Traffic lights would still work if the red lights were removed. The driver only needs to know it can go only if the light is green!

No, because to go from one place to another is in the driver’s interest. The driver, however, is not interested in stopping until it has arrived at that other place. That is why red traffic lights are needed, to avoid accidents. Green is redundant.

Similarly, web users are interested in going to various sites. They will go to those sites with or without a green traffic light (a positive indicator). They may even go to a site with a red traffic light (negative indicator), if they learn that it doesn’t mean anything (false alarm, as the users see it).

Sorry you need more than just red or only green, there is always some who will go through on a red thinking it just changed.

Firefox has recently introduced a warning when you login for sites which do not use https why?


And so has Chrome (56), “as part of a long-term plan to mark all HTTP sites as non-secure”.

The driver can go from one place to another without stopping as long as he sees green light! If no green light, stop…if Green light go…

The why, was for why do it?

All should at least should know the http is not secure, why not then educate them about which site is actually secure instead of all https are fine.


The driver can sometimes drive several kilometres without seeing a single traffic light of any colour. Or wait, since there is no green light, according your reasoning, no driving? I think the nearest traffic light is 1½ km from where I live. Should I expect lots of new traffic lights, so at least one is always in sight?

I think you, and most people here, know why. Because it is not good if users’ login credentials can be read by third parties, which is possible without TLS.

Be cautious when guessing what “all” should know.

To educate about which sites are “actually secure” you need to know which sites are actually secure. That is easier said than done.

I think users need clear and relevant warnings, and they are more about the content (malware, phishing) than the certificate. The latter does not say anything about the former.

That’s such a demagogue’s trick; it’s a scare tactic make people believe the web (it’s still mostly http) is a dangerous place. It’s an abomination.

All users need to know is that look for https (either with EV or OV cert) when logging in on a website and that they can look at what the browser tells. The browser should send a positive sign of security when an OV or EV is being used.

About sixty percent of the connections made with Firefox (40 % in January 2016) and Chrome are now secure. For sites where people log in, that number is probably much higher.

Edit: changed January 2014 to January 2016.

LE’s contribution is much less than 2% of the traffic according to Mozilla telemetry ( | mozilla-certvalidations)…Yet it represents huge amount of the Phishing attacks…huge majority is provided by Symantec and Comodo…

Your logic is flawed, because now you are bringing into equation aspect of having no traffic lights. This is merely an investment optimization that is applicable to physical world, not internet as there is no cost to either showing red or green… Either presence of red will stop…or lack of green will stop (which means presences of green is good)…both do the same thing.

So the driver can drive without seeing a lit green traffic light? Good. That means that what the driver really needs to look for are unlit green traffic lights. A bit distracting to the driver, isn’t it? And it’s very hard to see an unlit anything in the dark. Oops! I think it’s better that we return to the digital world.

“both do the same thing”

Do they? I attached four indicators (1, 2, 3, 4). Currently about sixty percent of the connections browsers make are secure (indicator 1), and consequently, about forty percent are insecure, for which most browsers show a neutral indicator (2). While a green (positive) indicator for secure connections is not very controversial, it is debatable how useful it is. More controversial is the neutral indicator (= your unlit green traffic light) for insecure connection. Is a neutral indicator (2) a clear signal of anything? Is even (3), saying “Not secure” in a neutral colour, a very clear signal? Or is (4) (= my lit red traffic light), needed, to tell users that the connection is not secure?

Test that on a random selection of users. I doubt a neutral indicator will make any user leave the site, or even hesitate to stay on it. Hopefully at least some users will hesitate to log in, or register, but probably you will find that (3), what Chrome and Firefox currently do, or even (4) is needed there.

When even more connections are secure, maybe (3) can be used for insecure connections, and (4) for insecure connections to a pages for logging in, registering etc.

And again, I think it makes less sense to tell/encourage people to do what they intend to do, because they will do it (visit a website or drive from one place to another) anyway. What you need to tell people is that they for some reason need to do something they did not intend, like not visit a site, or not submit information to it.

Also, protections like Safe Browsing use negative alerts. If you try to go to a site that is known to be fraudulent or malicious, a red warning is shown in the entire browser window. Does it not make sense to use only one type of colour signals, rather than sometimes use neutral for insecurity/danger and sometimes red?

lol…now you are talking about usability of these…

I just passed thru cross junction…was I supposed to ? did i miss a red light because they are too far in between, i stopped “expecting” them?

Do you expect the “road” to look like “road” when you are on it? what if it changes all of a sudden…will you notice?

Now you are moving into twilight zone with your argument…

Not to mention in security sometimes its more secure and practical to provide Positive indicators…like in real life we issue passport…you have to “positively” show your passport to get into the country…etc…

You have a very flawed argument and naive approach to security thinking everything can be done using negative indicators.

Test it! Then you will know what is flawed and what works. If you think you can find the best possible solution without testing, I think we can talk about a naive approach.

Please help me test the following use case:
I want to use a negative indicator (not positive)

A country that want to check who are legitimately entitled to enter their country.