Profile picture
Troy Hunt @troyhunt
, 15 tweets, 5 min read Read on Twitter
I've seen some absolutely crazy comments on the debate about changes to HTTPS indicators and EV over the last few days to the point that I've actively muted discussions that have gone off the rails. Let me shine a critical light on the whole thing:
Google is not trying to break the web by pushing for more HTTPS. Neither is Mozilla and neither are any of the other orgs saying "Hey, it would be good if traffic wasn't eavesdropped on or modified". This is fixing a deficiency in the web as it has stood for years.
The web is still insecure by default; browsers default requests to the insecure scheme and visual indicators default to insecure being normal with HTTPS being explicitly flagged. In the coming years, HTTPS will become the norm and the value of explicitly flagging that will wane.
Before long, positive visual indicators will be the norm which will make them redundant. Instead, negative ones will gain prominence and highlight dangerous connections (i.e. in Chrome this July). More on that: troyhunt.com/the-decreasing…
There are major changes coming to visual indicators in Chrome this year; Google published this piece by @emschec this week showing how Chrome 69 will remove the "Secure" text (later the padlock too) and 70 will show a red warning on data entry over HTTP: blog.chromium.org/2018/05/evolvi…
As for EV, both it and DV are positive visual indicators that different clients show in different ways. Safari on iOS shows no URL on EV sites, Chrome on iOS shows EV just like DV. It's entirely up to the browser maker how this works.
There is a real problem at present with commercial CAs misrepresenting the efficacy of EV. We're frequently seeing unsubstantiated claims, misleading stats and flawed research, for example from @EntrustDatacard:
And if it's not immediately clear what's wrong with that slide, read through this thread from @sleevi_ who works on Chromium's PKI:
To make matters worse, we keep seeing legitimately issued EV certs arbitrarily revoked without warning, sometimes months after issuance. We've seen this with @iangcarroll and @sirjamesburton, the latter consequently receiving an apology from @Comodo_SSL after killing his site.
Google is actively testing removing the EV indicator from Chrome. Unbeknownst to the owners, 3 different machines in my workshop this week were part of that test and not one person even noticed it was gone. These are smart technical people we're talking about too.
You may personally like EV indicators. They may make you feel warm and fuzzy. But if that's true, you're not even close to being representative of the masses which is who browsers are made for. Browsers will adapt (all of them - not just Chrome) over time.
Ultimately, browser makers will make decisions about the usefulness of visual indicators and EV based on huge amounts of empirical evidence. If they kill positive indicators, it won't be on a whim, it'll be because the evidence supports them doing so.
Remember also, there are very dedicated, very smart people driving evidence-based decision making here. They're also very transparent - go and watch a talk like @emschec's (of Google) "Trouble with URLs, and how Humans (Don't) Understand Site Identity":
I care much more about the *process* of how we end up with visual indicators in browsers than I do the end result, and so should you. I want to know this stuff has been researched extensively and the right decisions for the internet community as a whole are reached.
Lastly, when that doesn't happen, we should be calling "bullshit" which is why the EV issue keeps coming up. As soon as you approach it pragmatically, it just doesn't add up. I'll leave you with some fun viewing on that 😀 (deep-linked to the right point)
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Troy Hunt
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @troyhunt see all

Profile picture
Me to my wife:

“Uh, what brand is our new washing machine?”
“Samsung”
“Why the fuck is it broadcasting an SSID?!”
Now I’m actually really curious...
Oh, well this makes perfect sense 🤷‍♂️
Read 12 tweets
Profile picture
This one is obviously a real mess and deserves some more background so let me share what I know:
Firstly, they've acknowledged the breach and taken the sites down pretty promptly once we managed to get through to them. Here's their disclosure on the root of their site (link to a "safe for work" archive version): web.archive.org/web/2018102018…
But there are multiple inaccuracies, the first being the disclosure date which was 3 days earlier than represented. Here's the first attempt I made to a published address of theirs:
Read 11 tweets
Profile picture
I've had a heap of people pointing me to this post by @meyerweb and I want to add some thoughts in a tweet stream. Start by reading the post because it really is excellent and should remind us all of how different things are in other parts of the world
I want to make sure people don't see this as a reason not to do HTTPS so I've had a good chat to @meyerweb and want to put a few things in context. The first is this: caching in this fashion is the very definition of a "man in the middle" and has serious privacy ramifications.
It's clear why it's being done, but let that not cause us to lose sight of everyone's right to have private and secure communications. That said, there are a bunch of other angles to this:
Read 11 tweets

Related threads

Profile picture
Over the last few days, it's become clearer and clearer to me that, without intervention, coverage of the 2020 campaign is likely to be a disaster for everyone except Trump and his core voters, who want to watch it all burn anyway. In this thread I describe the danger I see. 1/
By "disaster for everyone," I mean all candidates opposing Trump, journalists themselves, voters from all sides (except those who have exited from the news system by merging with his hate campaign against the news media) and anyone who seeks the repair of American democracy. 2/
Start with the simple fact of inertia. In ruins after the debacle of 2016, the horse race model and "game" schema that have instructed campaign journalism for at least 40 years are up and running again. It appears the bosses have no better ideas, and no will to develop them. 3/
Read 26 tweets
Profile picture
Over the last few days, I've seen a lot of people attacking @Hafsa_Khawaja for her tweets about white people in Pakistan. I am in total agreement and am writing this thread to explain 1. Why she's right and 2. How foreigners should behave in Pakistan.
I'll raise my hands up and say that I experienced some of the best hospitality in the world during my time as a foreigner in Pakistan, and I am indebted to everyone who has shown that to me. I do know that Pakistanis can be incredibly kind and hospitable beyond belief.
However, why was this kind of hospitality extended to me and not to others? I met many foreigners when I was in Pakistan. It seems that some are worthy of the friendliness (Arabs, Chinese, and most of all, goras) and some are not (Afghans, Somalis, etc.).
Read 19 tweets
Profile picture
(THREAD) Tonight's revelation that Kavanaugh knew of allegations of sexual assault against him by Deborah Ramirez months before they became public is a game-changer—but *only* if journalists realize its astounding implications. I discuss them here. I hope you'll read and retweet.
1/ See if you can spot the problem:

TIMELINE
6/27: Kennedy announces retirement
7/?: Kavanaugh seeks narrative to discredit Ramirez (NBC)
7/7: McConnell warns Trump against nominating Kavanaugh (NYT)
7/9: Trump nominates Kavanaugh
9/23: Ramirez allegations first published (NYer)
2/ *No one* is claiming—not the White House, not Senate Republicans, not Kavanaugh's camp—that Kavanaugh (whether in conjunction with his high school friends or not) *lied to or concealed from the President* potential nominating-ending negative information about Kavanaugh's past.
Read 58 tweets
Profile picture
Over the last few days, some Jewish organisations & activists have responded to the Warsaw Ghetto graffiti in ways I have found troubling 1/
The statements have gone along the lines of (paraphrasing) ‘we get how upset you are about Israel & we agree, but this isn’t the way to go about it’. 2/
My issue with this is (please excuse the poor analogy, I’m not comparing Israel & ISIS but there’s no apt analogy) imagine if someone had graffitied ‘fuck ISIS’ at the site of a massacre of Muslims. 3/
Read 15 tweets
Profile picture
Last year, we ran a four-part series on the fascinating history of the National Enquirer, its parent company American Media, Inc. and its ties to the Trump administration. In light of the news over the last few days, we thought we'd do a quick primer...
The history of the National Enquirer cover sixty years of American history – touching on the New York Mafia, the DC corridors of power, the tabloid industry of Florida, newspaper strikes, commie witch-hunts, Soviet espionage and much, much more... popbitch.com/2017/10/the-un…
The key players in the early years (1950s-80s) are:
– Generoso Pope Jr, the founding editor and son of a New York media magnate
– Frank Costello, the head of the New York mafia in the 40s/50s
– Roy Cohn, the shadiest motherfucker to ever earn a law degree
Read 56 tweets
Profile picture
Over the last few days, have noticed a lot of twitter people discussing why Indian engineers/MBA types tend to mostly swing rightwards. Also, does the inclusion of a few humanities courses make a difference? Read on.
1) People have already covered the usual explanations - male, upper caste, the god complex that accompanies securing an admission. All solid points, but that doesn't account for the fact that the phenomenon often goes beyond savarna males
2) I think the question is one of basic worldview, and the assumption that the social world mirrors the 'natural world' (which in turn is also erroneously presumed to be newtonian and deterministic, with 'iron clad' laws)
Read 14 tweets

Trending hashtags

#PhotoThread #auspol #VoteGOP #SecDef #RoshHashanah #leaker #SoccerMom #bots #RedWave #DefyHistory #cryptocurrency #TwitterBots #SoccerDad #SainsburysRant #UNGA #SecDefTravels #trumptower #Kabul #abroadforyes #PeoplesVote #TogetherForYes #Africangangs #Together4Yes #repealthe8th #GodBlessTheUSA

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!