HTTPS everywhere and EV SSL

 

If you are using version 68 of the Chrome browser (and maybe later ones as well), you may well now be getting messages from your browser that this website is not secure.

So does it matter?

There isn't a simple answer to that, as in some cases it is a useful warning, and in other cases it is going to create needless worry and confusion amongst users.

A bit of history - for a few years now Google has been wanting every website to use https rather than http, and they have actually been favouring websites that use https in their search result rankings.

So websites that use https will appear higher up the search results than websites that use http.

Now Google are pushing for all websites to use https, and the Chrome browser is being used in this campaign, and the other browser producers may soon be doing the same thing.

So what is the difference? When your browser goes off and connects to a webserver using http, all the data interchanges between the browser and the webserver are sent in clear text form. To put it another way, if anyone is sitting with a basic diagnostic tool and watching the data interchange, they can read everything that goes on: they can see your browser requesting the web page, they can see the web page that the webserver sends to the browser, and they can see any information that you might enter into a webpage, like a user name, or a password, or your address, or your credit card details - everything is in clear English or French or German or whatever language you are using.

As the internet was increasingly used for e-commerce, for transferring business documents, and everything else the internet is now used for, it became obvious that a more secure way to transfer data between the browser and the web server was required. Another method was developed to replace http where it was required, and it is known as https.

There have been various versions of https, but the essence of them all is that the data being transferred is encrypted, so that only the browser and the web server can read it - anyone listening in on the data interchange just sees a garble of 1s and 0s which makes no sense - and no-one else can see your user name, password, or any other details that you send.

Now if you are interacting with a website and feeding in data such as your name or address or credit card number then you really do want the connection to be using https, and if the browser flags up that the connection is not secure, then that is a useful warning.

But if you are looking at a website like this one and a million others in which there is no requirement to feed in any kind of personal data, then there really doesn't seem to be much point in using https, and http is perfectly adequate, and if the browser flags up that the website is not secure, it is creating quite unnecessary concern for users. Technically it may be correct in saying that the website is not secure, but it is an unnecessary warning that doesn't contribute useful information, and is conditioning users to ignore the information.

So why has Google been so proactive in getting all webservers to use https - even websites like this one that do not request, transfer, store, or process any kind of user information?

The cynic in me questions whether Google actually cares about your security - or if it is the fact that Google, even more than Facebook, Microsoft, Yahoo, and all the other internet social media providers, is desperate to get its sticky hands on every tiny little bit of information on you that it can get, so it can sell it. They have proved to be extremely good at this, which is why they are one of the richest companies in the world -

 

- it developed the Chrome browser so it had software installed on your computer that might be able to assist in the extraction of personal data

- it gives away its tracking software for free, so website owners can track you - I imagine that Google is in there sniffing at it as well

- it gives away a free email system on which you can store Gigabytes of data on Google servers - very handy for them to read it all if they chose to do so, although they now claim that they don't do it anymore

- it took Linux and from it developed the Android operating system for mobile phones - and like many of their other developments, they give it away free. Android is used on more than 80% of the worldwide mobile phone estate - that's something like 4 billion phones using Android - how many of the people using all these phones have any idea how much personal data Google is sucking out of their phones?

 

The list goes on.

So why does https help them - a somewhat simplistic reason is because it means that people can't see just how much information Google is sucking out of you.

It also prevents other data leeches from seeing the information that Google has extracted from you - if only Google has the information, they can charge a higher price for it.

I am not sure if that would be the only reason though, I suspect that Google has a deeper reason - more on this later.

Perhaps I am being a bit unkind to Google, because as already said, in some cases the use of https does also have a benefit to us as well, because it means that other agencies like the provider of the free Wi-Fi you are using, your ISP, or bad guys who have somehow intercepted your connection, can't read the data being transferred between your browser and the server - they can see your IP address and what server your browser is talking to, but they can't read the data.

Sometimes that matters, but for this website and a million others it doesn't.

Now there is another side to all this - because for several years we have been fed the story that a website that uses https rather than http is a secure website - if for example banks use https, then your browser maybe pops up a green bit or a padlock icon that tells you it is a secure website.

Unfortunately this has always been a bit of a lie, because the fact that a website uses https doesn't tell you anything about the security of the website - all it tells you is that there is a theoretically secure connection between your browser and the webserver that the website is hosted on.

It doesn't tell you whether the webserver itself has been attacked, and is being used to deliver malware instead of or along with the requested web pages.

It doesn't tell you whether the website is securely holding any data you send to it.

It doesn't tell you whether you are looking at the real website, or whether you are looking at a cleverly set up imposter.

It is a bit like sending a parcel using a tracked and signed-for delivery method, rather than ordinary second class mail - the delivery process is more secure, but it doesn't tell you whether the contents of the parcel are good or bad.

Whether the website itself is secure, or is the real website, or is an imposter, is actually handled by a hierarchy of security certification and certificates that your browser stores deep inside itself, and your browser regularly updates this information from a specific provider on the internet - the whole thing sits on a rather unstable platform of trust - somebody somewhere says that a website is real and trustworthy, and issues a certificate to say so - this certificate passes through the certificate hierarchy, and your browser decides that it must be true.

Part of this certification information is used by the browser to set up the https connection.

Now in the good old days of the limited use of https and certificates, there was a reasonable chance that these certificates - which were originally quite expensive to acquire - were accurate, and if a browser held a relevant certificate hierarchy for a website, there was a high probability that it was genuine, and the website was who it claimed to be.

There have been cases of stolen certificates and of corrupt certificate providers, so it has never been 100% safe, but on the whole it has worked reasonably well.

But now we are moving into an era where every website needs to have a certificate - so the unstable trust platform is going to have to deal with millions more certificates, and it is inevitable that it is going to be wobbling a lot more than it has in the past.

And not only that, but now every Tom, Dick, and Harry can get free certificates for their websites - and that is the bad guys as well as the good guys.

So the result of this supposed move to make the browser / webserver interconnection system more secure by using https everywhere is going to make the trust system as a whole a lot more wobbly, and is likely to make connecting to websites where you actually do need security less secure.

It also means that it takes away the ability of internet users to look critically at the browser address bar and decide whether they have a secure connection to the chosen website, because every website will show the same green bits, or the padlock, or show the word Secure, or whatever mechanism current browsers use to indicate a secure connection, and users will assume that all websites are safe - which is very definitely not the case, there are a lot of rogue websites out there.

It also therefore negates all the publicity that has been going on for several years encouraging people to look for the signs in the browser address bar that a website is secure.

So I'll repeat my argument - making all websites use https even when it is completely unnecessary will substantially reduce the effective security for websites that really do need security, like on-line banking websites.

But in the meantime, if your browser tells you that this website is insecure - it is right, it is not secure, because at the moment I don't really see that there is any requirement for this website to use any kind of security, and I believe that you can safely continue to view the site - just like you can continue to view a million other websites out there that are still using http, and don't need https.

What a strange situation that the internet world has allowed itself to be dragged into a major change of the way it works by the actions of a single company which for whatever reason has decided to declare that http is no longer to be used - with their actions disguised as a way of solving a problem which doesn`t really exist.

I do wonder if the proponents of https everywhere have really thought through the implications of what they are advocating -

 

- it will not do anything to make secure sites more secure.

- it will make it harder for users to know which sites are genuine and which ones aren't.

- it will make it harder for users to know that other malicious actions such as DNS hijacking have taken place.

- it completely nullifies all the publicity there has been about how to identify secure websites.

- users will be deluged with pop-up messages about accepting certificates.

- millions of web servers will have to be reconfigured just so they can do the exact same job that they do now.

 

I believe that currently Chrome is the only browser that generates these messages about websites using http, so using a different browser should get rid of them, and any confusion that they are going to cause.

There are plenty of other browsers out there that are easily configurable to suit your way of working, and modern versions of them should show when a website is using EV SSL - more information on EV SSL follows below.

To close this section, do be fully aware that the fact that version 68 of Chrome is displaying the words "Not secure" is because Google has programmed Chrome to do it.

This website, and a million other websites that still use http have not changed at all - they are using http because security is not a requirement.

 

........................

 

Now as it happens, my hosting provider has now upgraded the webserver to deliver this website over https, as well as over http, using certification from Let's Encrypt.

So you can choose whether you want to view the site via http or via https -

for http, use the URL of "www.ron-t.com" or "http://www.ron-t.com"

for https, use the URL of "https://ron-t.com" or "https://www.ron-t.com"

You will see exactly the same website, the difference is in the connection - and you can also see the different way that the address is displayed in the browser address bar.

Let's Encrypt only provide what is known as Domain Validation, which is the lowest form of website validation, so this website has Domain Validation - there are two higher forms of validation, Organisation Validation, and Extended Validation - I don't know if Organisation Validation is used much, but see the next section for information about Extended Validation.

PS - one thing that might not work on both http and https is the links to the W3C validators for XHTML and CSS - they are great tools, but in this world you can't stand still, and W3C are in the process of updating their validation services - I have changed the links so they get the current services which work on both http and https, but I gather that W3C may be changing them again sometime in the future, so I may have to change the links again.

 

........................

 

During the summer of 2018 Let's Encrypt announced that they now service over 124 million domains with https - so that means that over 124 million certificates have been added to the wobbly certification stack.

And they are free - no cost.

It is interesting to surmise what might happen if Let`s Encrypt announce that they are going to start charging for them.

Somebody somewhere would start getting very rich.

There are a lot of big name companies who are listed as being sponsors of Let`s Encrypt - there might well be quite a lot of commercial pressure for Let`s Encrypt to start charging for their certificates.

 

........................

 

There is a newly developed higher level form of certification variously called Extended Verification, or Extended Validation, or EV SSL, depending on what webpage you are looking at - which is a way for a browser to show that the person who runs a website is actually who they claim to be.

The encryption used with EV SSL is exactly the same as the encryption used in ordinary SSL, and the security of the connection between the browser and the web server is exactly the same as with ordinary SSL.

The difference between the two is in the amount of information that the organisation running the website has to present to the Certificate Authority in order to get a certificate.

For ordinary SSL, few questions are asked about who or what the organisation is that runs the website, as long as they have basic ownership of the domain name.

For EV SSL the Certificate Authority will ask a lot more questions about who or what the organisation is, and where it is - it may even be done by a real person!

The benefit of EV SSL is that your browser can display the name of the owner of the website in the address bar, so that users can see that the actual owner of the website is the same as what the content of the website is claiming the owner to be.

In theory it makes it more difficult for the bad guys to create an authentic looking imposter website - however cybersecurity is a constantly evolving landscape, so maybe it will not take the bad guys long to get their own EV SSL certificates.
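The certificate hierarchy described earlier on this page (the browser chaining a website's certificate back to a root it already trusts, and rejecting an imposter) and the DV/OV/EV distinction in this section can both be watched in code. The following Go program is an added example, not part of the original page and not code from any browser or certificate authority. It constructs a throw-away test PKI (a root, an intermediate, a DV leaf for www.example.com, an EV leaf for a made-up "Example Bank plc" at bank.example, and a rogue root that is not in the trust store), runs the checks a browser runs before drawing a padlock, and then reads the CA/Browser Forum policy OID (2.23.140.1.1 marks EV) and the Subject fields to decide what the address bar could show. All hosts, organisation names and the Scenario, VerifyChain and ValidationLevel functions are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs a browser reads from the leaf certificate.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the parent's key (nil parent = self-signed root) using a
// throw-away P-256 key. Constructed test PKI for this example, not a real CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
}

// leafTemplate builds a server certificate for host carrying one policy OID; the
// certificatePolicies extension is hand-encoded (SEQUENCE OF { OID }) so it builds on any Go release.
func leafTemplate(host string, subject pkix.Name, policy asn1.ObjectIdentifier) *x509.Certificate {
	ext := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}}))
	return &x509.Certificate{Subject: subject, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: ext}}}
}

// Scenario: a trusted root and intermediate with DV and EV leaves, plus a rogue root (and
// its own leaf carrying the bank's name) that is NOT in the browser's trust store.
type Scenario struct{ Root, Inter, DVLeaf, EVLeaf, RogueRoot, RogueLeaf *x509.Certificate }

func BuildScenario() *Scenario {
	root, rootKey := issue(caTemplate("Example Trusted Root CA"), nil, nil)
	inter, interKey := issue(caTemplate("Example Issuing CA"), root, rootKey)
	dv, _ := issue(leafTemplate("www.example.com", pkix.Name{CommonName: "www.example.com"}, oidDV), inter, interKey)
	evName := pkix.Name{CommonName: "bank.example", Organization: []string{"Example Bank plc"}, Country: []string{"GB"}}
	ev, _ := issue(leafTemplate("bank.example", evName, oidEV), inter, interKey)
	rogueRoot, rogueKey := issue(caTemplate("Rogue Root CA"), nil, nil)
	rogue, _ := issue(leafTemplate("bank.example", pkix.Name{CommonName: "bank.example"}, oidDV), rogueRoot, rogueKey)
	return &Scenario{root, inter, dv, ev, rogueRoot, rogue}
}

// VerifyChain is the check a browser makes before drawing a padlock: a path from leaf,
// via the intermediate the server sent, to a root it already trusts, plus a name matching host.
func VerifyChain(leaf, inter, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// ValidationLevel reports what the address bar could show: "EV" (owner's name), "OV", or "DV"
// (domain only). Real browsers also require the EV OID to come from a CA audited for EV.
func ValidationLevel(c *x509.Certificate) string {
	if len(c.Subject.Organization) == 0 {
		return "DV" // no vetted identity: only control of the domain was checked
	}
	for _, p := range c.PolicyIdentifiers {
		if p.Equal(oidEV) {
			return "EV"
		}
	}
	return "OV"
}

func main() {
	s := BuildScenario()
	fmt.Println("DV leaf, right host:", VerifyChain(s.DVLeaf, s.Inter, s.Root, "www.example.com"), ValidationLevel(s.DVLeaf))
	fmt.Println("EV leaf:", VerifyChain(s.EVLeaf, s.Inter, s.Root, "bank.example"), ValidationLevel(s.EVLeaf))
	fmt.Println("DV leaf presented for the bank's name:", VerifyChain(s.DVLeaf, s.Inter, s.Root, "bank.example"))
	fmt.Println("rogue chain for the bank's name:", VerifyChain(s.RogueLeaf, s.RogueRoot, s.Root, "bank.example"))
}
```

Run it with go run: the two trusted chains verify, the DV certificate presented for bank.example fails the name check, and the rogue chain fails with an unknown-authority error even though it carries the bank's name and a valid-looking signature. That is the point of the trust store: whoever wants to sit in the middle of a connection needs a root the browser already trusts, not merely a certificate. The level check deliberately stops at the certificate itself; real browsers additionally keep a list of which CAs may assert the EV OID.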

And how many people have ever heard of Extended Verification, how many browsers are capable of allowing you to see the Extended Verification, and how many people have any idea how to get the browser to show it, if it actually has that ability?

The answer to all of these questions is of course very few.

And not all websites that might benefit from its use actually do use it - at the moment EV SSL is still very far from being mainstream - certification for EV SSL is a lot more expensive to purchase than ordinary certification, so that may be the reason, or it could just be lack of awareness.

It is going to have to become mainstream, because if it doesn't, then if we move to an https everywhere internet, users are going to be increasingly left in the dark about which websites really are secure, and which ones aren't.

There is going to have to be a whole new public education drive about how users should know whether a website is secure and using EV SSL, or whether it isn`t, even though it is using https.

There is also going to have to be a complete consistency across all browsers as to how the use of EV SSL is displayed in the address bar, so that any such education is meaningful.

Whilst so many of the world's top companies are not using EV SSL, it is somewhat uncertain as to whether EV SSL will become mainstream, but whether it does or doesn't, a website with Extended Validation does look good in the browser address bar, and adds a professional look to the browser user interface.

 

........................

 

I have tried out the various browsers that I have on my different desktops, and there seemed to be quite a variation in how usefully they presented the information as to whether a website is using EV SSL or not.

 

Edge on Windows 10 1607 has one of the better presentations, it shows the owner of the website in green in the address bar, and the padlock icon is green - on sites that don`t use EV SSL the padlock is grey. Click on the padlock and you get some limited information about the website owner.

Internet Explorer on Windows 8.1 was a bit inconsistent in that it didn't seem to recognise that some sites are using EV SSL - however when it worked it worked well, and with a few clicks you can get a lot of information about the certificate.

Firefox provides an obvious display within the address bar, and with a couple of clicks you can see more, but somewhat limited, information extracted from the certification. However Firefox has a bad side in that it truncates the website owner's name, if it is a long name. Mozilla - you need to fix this.

Pale Moon colours the address bar green, and with a few clicks you can see a lot of information about the certificate. However like Firefox it has a bad side in that it truncates the website owner's name, if it is a long name. Pale Moon was a fork of Firefox a couple of years ago, and is now separately developed - it is available for Linux and Windows.

Opera on Windows 10 1607 works well, it shows the website owner's name in a distinct green colour. Clicking on the padlock shows somewhat limited information extracted from the certificate.

Opera on Linux provided the least information of all the browsers I looked at - as far as I could see there was no indication in the address bar that the site is using EV SSL - quite surprising really, as Opera has always been very standards compliant.

Epiphany didn't distinguish at all in the address bar which websites are using EV SSL and which sites are not - however with a couple of clicks you can dig down right into the certificates - but from them it still isn't always obvious whether the site is using EV SSL or not. Epiphany was designed as part of the Gnome 3 project, so is presumably only available on Linux.

Chrome - I don't normally use Chrome, however as part of my research for this web page I installed it on Windows 10 1607 - it shows sites using EV SSL with a padlock and the name of the owner of the site - at first sight these are grey, and look just the same as the URL in the address bar, so not at all obvious. However if you look much closer you can see a very slight green tinge, so Google can claim they show it in green, but effectively it is grey. Clicking on the padlock enables you to dig down into various properties of the website, and does provide some good information. It appears from the internet that there has been quite a lot of variation between the various versions of Chrome about how it displays sites that use EV SSL, so your Chrome may be different.

Safari - I don't use Safari at all, so have no idea how it would present the information.

 

So if you are looking for a browser that gives an easy to see indication that a website is using EV SSL, then I suggest Edge, Firefox, Opera, or Pale Moon.

If you want to dig a bit further into the certificate then I suggest Pale Moon or Epiphany or Internet Explorer.

 

........................

 

I do wonder what Google is really up to - they want every website to use https, so that people can't dig down and see what is going on.

Chrome 68 displays the name of websites that use EV SSL in a colour which is about as unnoticeable as it could be.

At the time of writing this, Google doesn't have Extended Validation for any of the Google websites that I looked at - Google search, Gmail, YouTube - Google doesn't seem to want EV SSL to exist.

Chrome has a nearly 60% share of the global browser market - it has gone from around 50% to nearly 60% in just over three years, mostly taking over from Internet Explorer, whose market share is steadily dropping.

This puts Google in a very powerful position - nearly 60% of computers out there have Google software installed on them, in a world where encryption hides everything that is going on, and creates an illusion that everything you do on the internet is secure and hidden.

Do they have ambitions to be a giant proxy server for every website that exists? Then they would know absolutely everything that goes on.

Google has its own root certificate authority - it could feed certificates to Chrome, then the giant Google proxy server could easily do a man-in-the-middle decryption and re-encryption, read the data, and nobody would be any the wiser.

Except that EV SSL makes it a bit more difficult for them to do this - not impossible, just a bit more difficult.

I don't know - Google employs some of the best brains in the business, and I can't compete - but I do wonder what they are up to.

 

........................

 

There are some other considerations about forcing all websites to use https instead of http which I haven't seen any reference to on any web pages - the first is how much extra processing power is required both at the client end and at the server end, the second is how much extra electricity is going to be used either nationally or globally to supply this extra processing power, and thirdly, how much extra network capacity will be required to carry all the additional data packets required, again either nationally or globally.

I am not sure if I know where to begin to provide some kind of answer to these three factors - but I am sure that somebody somewhere could fairly easily make some kind of guesstimate - I really don't know whether any of it would be significant or not.

 

An update about Edge

 

Microsoft have announced that they are killing off the Edge browser in its present form - Edge is currently built on the EdgeHTML engine, and whilst it is the default browser on Windows 10, it hasn't proved to be very popular, and a lot of Windows 10 users have chosen to use a different browser.

Edge was supposed to be a replacement for Internet Explorer, but as the earlier versions of Windows have lost market share, Edge hasn't really taken over from Internet Explorer.

Microsoft have announced that their new browser will be based on the Chromium browser - the Chromium browser is an open source development based on the Blink engine, and I think that the development of Blink and Chromium is mostly done by Google.

Blink and Chromium is the basis for the Google Chrome browser, and for the last few years as a basis for the Opera browser, instead of the Presto engine which Opera originally used.

Personally I think it was a sad day for Opera when they gave up on the Presto engine and tried to copy the Chrome browser - the Presto based Opera won numerous awards - why give up on an award winning formula that gave it its uniqueness to become a clone or copy of something else?

Blink and Chromium is also the basis for the newly developing Brave browser with its somewhat unusual business model, as well as a heap of others, some of them being minority browsers, and some of them being major players in other parts of the world.

It would appear to be a matter of some considerable concern that so many browsers are now being based on Chromium and its Blink engine - there is a significant risk that web designers will increasingly build websites that work on Blink and Chromium, and the independent standards created by the likes of W3C will be increasingly ignored.

However what is interesting for this web page is what will happen with the new Microsoft browser in the way that it displays the name of organisations that have Extended Validation.

Edge provides one of the best displays of the organisation name for organisations that have gone for Extended Validation.

The current Opera browser based on Chromium also displays quite well the organisation name for organisations that have gone for Extended Validation.

However Chrome really tries to hide the fact that an organisation has gone for Extended Validation, it displays the name in a green colour that is so indistinct from grey, that it isn't really noticeable.

So it isn't that Blink or Chromium is trying to hide the existence of Extended Validation, it would appear to be a deliberate policy of Google for the Chrome browser.

So it will be interesting to see how the new Microsoft browser - based on Blink, just like Opera and Chrome - will display organisation names for organisations that have gone for Extended Validation.

I guess we will have to wait and see.

 

........................

 

There is another less obvious but very important way in which Edge is better than the other mainstream browsers, i.e., Chrome and Firefox - and that is in the way that Edge detects phishing websites.

In a recent blog on the website of the Certificate Authority Security Council (or CASC) they included some findings on an investigation done by NSS Labs on the speed and effectiveness of Edge, Chrome, and Firefox in detecting phishing websites - and they found that Edge was both faster at reporting them, and also found a higher number of phishing websites than either Chrome or Firefox.

Now I have no idea about how much of this faster and higher detection ratio is due to the design of Edge, and how much of it is due to the detection backend that is run by Microsoft on Microsoft servers that provide information to Edge - but it is obviously another factor of the new browser that Microsoft is planning to produce that will require a bit more investigation once the new browser is up and running and in use.

So again, I guess we will have to wait and see, but in the meantime, from the point of view of phishing website detection, Edge would seem to be the safest of the above three browsers for online shopping and banking.

Or maybe it isn`t - see below -

 

........................

 

A bit more digging revealed a possible reason that Microsoft are going to kill off Edge - because Edge uses Flash - that horrible insecure and somewhat evil bit of software that just will not die - however there are various sources on the internet that suggest that Adobe will kill it off in 2020.

To be fair to Flash, it was probably one of the biggest mechanisms that brought videos to the internet and I guess we should be grateful for that, but it brought some bad baggage with it -

- the ability for websites to switch on microphones and cameras without the user's knowledge

- the ability for websites to store the so-called "everlasting cookies" which according to legend you can never delete - although actually you can if you know where to look

On Windows 10 1607 and 1809 - so probably other versions as well - Edge has Flash enabled by default - you can go into the Edge settings menu and switch it off, but that certainly doesn't remove it - so it isn't really clear just how much of the nasty bits of Flash are actually stopped from working by switching it off.

Now the fact that Edge on Windows 10 uses Flash by default is somewhat hidden by Microsoft - it doesn't appear in the listing of programmes that you can uninstall through Control Panel / Programs and Features.

As far as I can see, it doesn't appear in C:\Program Files or C:\Program Files (x86).

Microsoft have hidden it away in places like -

C:\Windows\WinSXS\

C:\Windows\SysWOW64\

C:\Windows\System32\

So uninstalling it is a bit of a headache to do manually, but there are scripts available on the internet that will do it for you.

The fact that Microsoft are hiding Flash away like this makes it a bit more difficult to work out what version of Flash is used in Edge -

Chromium based browsers like Chrome and recent versions of Opera use a version of Flash known as PPAPI, also known as Pepper Flash

Firefox and I think Internet Explorer on Windows 7 and below use or used a version of Flash known as NPAPI

I haven't found any specific information on which version is used in Edge, but it looks like Edge uses its own version of Flash, which is built into Edge.

And there is the problem for Microsoft - Edge has Flash built into it, and when Flash finally dies, Edge is going to have a bit of a hole in it, so Microsoft are going to be forced to redesign Edge anyway, quite apart from any issues about the browser market share that Edge has or hasn`t got.

Microsoft seems to have fallen in love with open source, so it may make sense for them to use the open source Chromium browser as the basis for a new browser, rather than trying to design an all new browser for themselves.

It would appear that Microsoft have been hoist with their own petard by hiding Flash away and embedding it into Edge - a technique they started with Internet Explorer on Windows 8 and 8.1.

If they had kept Flash as a plugin that could be uninstalled through Control Panel / Programs and Features, then Edge would have gone on working quite happily without it.

But they tried to hide it away, and now they are stuck in a hole.

 

 

 

 

 

website design by ron-t

 

website hosting by freevirtualservers.com

 

© 2024   Ron Turner

 
