Profile picture
Troy Hunt @troyhunt
, 15 tweets, 5 min read Read on Twitter
I've seen some absolutely crazy comments on the debate about changes to HTTPS indicators and EV over the last few days to the point that I've actively muted discussions that have gone off the rails. Let me shine a critical light on the whole thing:
Google is not trying to break the web by pushing for more HTTPS. Neither is Mozilla and neither are any of the other orgs saying "Hey, it would be good if traffic wasn't eavesdropped on or modified". This is fixing a deficiency in the web as it has stood for years.
The web is still insecure by default; browsers default requests to the insecure scheme and visual indicators default to insecure being normal with HTTPS being explicitly flagged. In the coming years, HTTPS will become the norm and the value of explicitly flagging that will wane.
Before long, positive visual indicators will be the norm which will make them redundant. Instead, negative ones will gain prominence and highlight dangerous connections (i.e. in Chrome this July). More on that:…
There are major changes coming to visual indicators in Chrome this year; Google published this piece by @emschec this week showing how Chrome 69 will remove the "Secure" text (later the padlock too) and 70 will show a red warning on data entry over HTTP:…
As for EV, both it and DV are positive visual indicators that different clients show in different ways. Safari on iOS shows no URL on EV sites, Chrome on iOS shows EV just like DV. It's entirely up to the browser maker how this works.
There is a real problem at present with commercial CAs misrepresenting the efficacy of EV. We're frequently seeing unsubstantiated claims, misleading stats and flawed research, for example from @EntrustDatacard:
And if it's not immediately clear what's wrong with that slide, read through this thread from @sleevi_ who works on Chromium's PKI:
To make matters worse, we keep seeing legitimately issued EV certs arbitrarily revoked without warning, sometimes months after issuance. We've seen this with @iangcarroll and @sirjamesburton, the latter consequently receiving an apology from @Comodo_SSL after killing his site.
Google is actively testing removing the EV indicator from Chrome. Unbeknownst to the owners, 3 different machines in my workshop this week were part of that test and not one person even noticed it was gone. These are smart technical people we're talking about too.
You may personally like EV indicators. They may make you feel warm and fuzzy. But if that's true, you're not even close to being representative of the masses which is who browsers are made for. Browsers will adapt (all of them - not just Chrome) over time.
Ultimately, browser makers will make decisions about the usefulness of visual indicators and EV based on huge amounts of empirical evidence. If they kill positive indicators, it won't be on a whim, it'll be because the evidence supports them doing so.
Remember also, there are very dedicated, very smart people driving evidence-based decision making here. They're also very transparent - go and watch a talk like @emschec's (of Google) "Trouble with URLs, and how Humans (Don't) Understand Site Identity":
I care much more about the *process* of how we end up with visual indicators in browsers than I do the end result, and so should you. I want to know this stuff has been researched extensively and the right decisions for the internet community as a whole are reached.
Lastly, when that doesn't happen, we should be calling "bullshit" which is why the EV issue keeps coming up. As soon as you approach it pragmatically, it just doesn't add up. I'll leave you with some fun viewing on that 😀 (deep-linked to the right point)
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Troy Hunt
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!