Yellow padlock is losing its trusted status :(

Hi Eric,

“What is the blue padlock for? What type of validation?”

In Firefox 3.5 address bar -

Grey = Not encrypted or only partially encrypted content on page.
Blue = DV type cert, encrypted content, site ID not ensured.
Green = EV cert, encrypted content and ensured ownership ID.

So, Comodo now has EV cert on Forum. Shows Green on any page without external links.
But like as noted above this particular page shows only Grey in address bar, and Red exclamation on Padlock icon. Because of the link to imageshack or someones sig.
Firefox can’t display Green due to page containing this unauthenticated content.

Now if I could get my bank to go Green/EV. Thank Gawd Comodo for VEngine.


Thx for filling me in on the blue padlock. I am using Opera, may be that explains I have never seen a blue one? Does anybody know?


Having read this topic it still seems that a lot of people don’t know what the padlock
or colours the browser put up actually mean.

Is anything being done by browser providers to highlight to ‘joe public’, in simple terms, what they
see when browsing secure pages?

ie, maybe a balloon that opens up on secure pages over the padlock or colour bar and asks the
user ‘know what this is?’ or ‘tell me more about this’.
An option that can be activated or de-activated by the user.

The visible indications of security are all well and good, but not if the person browsing doesn’t understand
what they are seeing.

So, my point is ‘user education’…anything in the pipeline to educate the user?
That is without them having to install yet more add-ons.


Its News to me. Thanks for the info.

I’m pretty sure that when I get to an encrypted page my browser offers me a tiny “what does this mean?” popup. But at that point I am so focused on completing my encrypted session that I swat it down. Next time I see one I’ll actually read it and report back.

Melih, thank you for education.
btw, i think “SSL losing its trust” is rather provocative title :slight_smile: - the first time i read i thought it is about encryption breach in SSL/TLS.

thanks for this info

Well, encryption without authentication is useless. Encryption is about allowing only the intendent receipient to read the message. If you don’t know who the recipient is then you could be encrypting it for the fraudster and you wouldn’t know…so without authentication encryption becomes useless.


I guess there is no browser which natively distinguish OV-SSL from DV-SSL certs.

Even firefox show the same blue bar of DV ssl certs for whose cert ought to be an OV one as Organizational info about Microsoft is included in the certificate details thus allowing users to confirm the identity of the recipient ???

[attachment deleted by admin]

You provided a link to real-world example (in some of your earlier messages). Here is that link. I think the example could help understand case better (hence i repeated your link here) :slight_smile:

To illustrate the point:

However, at the other end of that link is not Abbey Bank, despite what it looks like :o

Earlier is was, but not Clydesdale bank.

Before that …

Yes, a serious problem. While we are still trying to teach the ordinary user to at least look for a padlock, the rules have changed even before they learnt the lesson.

Why does the phrase consumer confusion jump to mind?

Hi DerekS ,


as for “https: //www. /bankhome/”

That’s what I am getting with Fox security set here

Neither McAfee Advisor nor Norton Safe Web can recognize it

Comodo’s Site Inspector (CSI), I may say it again here in the forum unfortunately as usual just goes into deep Nirvana cycle.
I have an impression that the thing (CSI) is not working properly at all… (that’s either Ok on bad sites or this “cycling” behaviour - waiting /done forever & no result)

Would be nice if Vengine would do something … ut probably that is !ot! here

… haven’t checked “clydesdalebplc” …gotta run now :o


Yes, guilty. The domain is on it’s way as well. :wink:

i have learned something new today.
I have a suggestion for the download of CIS and it is to make the
a secure green padlock site.

Verification Engine doesn’t recognise ‘bad sites’. It recognises ‘good sites’…

So if you went to [ ] with Verification Engine installed, you wouldn’t see any Alert or Warning. But if you went to the real/genuine site with Verification Engine installed, your screen’s border will light up in Green… White List Technology beats Black List Technology like Scissors beats Paper. :slight_smile:

Hi J2897,

Thanks for reply
and the note …interestingly enough i’m aware of that , but honestly I have to reread the thread cause I’m not sure why I mentioned that in the context … 88)
most likely I was really in a hurry, when saying that I “gotta run” … & what “…ut” means in my text? - I have no idea ;D