>they seem to be resellers for DigiCert/Symantec certificates
>they should at the very least have either ETSI TSP² or WebTrust³ certifications to meet the security/trust requirements for operating a CA
A reseller does not need to meet any of these certifications. Resellers have a business relationship with a CA, and all the steps related to certificate verification and issuance are handled by that CA.
On the backend, a certificate request for your site is handled the same by the CA whether if comes through a reseller or through them directly.
This is a common concern, but in reality, it does not mean anything. "Sharing" your cert with a weird site is similar as taking the same bus route as someone who is bad.
From a security standpoint, there is little to no risk. Worst case scenario one of the other sites is doing something that results in the cert being revoked... and I imagine CloudFlare has a way to just move you (and everyone else) onto another cert seamlessly.
I dunno, it _mostly_ doesn't mean anything, but the day I discovered my site hostname listed next to phishing and porn sites was the day I didn't want to use CloudFlare's free certs anymore. Sure not many people will see the SANs on a cert, and there's nothing wrong with porn using SSL, I just don't want to cobrand with them. :D
Hah. I really should read usernames before responding.
I actually know of your competitor (fly.io, right?) and am giving it a test for something I'm working on that needs the hostname support after Cloudflare got me legging it when they said their hostname system was for the Enterprise plan.
1. Unicode Homograph attacks don't work in a business registration. Someone would have to be able to legally register a business name that fits your look-alike example. That is not possible in most places AFAIK.
So what you re actually pointing out is that domain names are vulnerable to these attacks, which is another reason why DV certificates can fall short.
2. Correct, different companies. This is as intended, but admittedly a weakness in the human-readability of EV certificates.
3. Not all roots can issue EV certificates.
4. It becomes much harder to remain anonymous if you do these things. You are right, it isn't impossible to register a company solely for malicious use. But it carries with it legal risk.
There are no Wildcard EV certificates. You are just describing Wildcards.
Crypto nerds do trust the HTTPS PKI that is why there are about a dozen industry-leading crypto people working at Chrome, Mozilla, etc on PKI crypto.
>But aren't regular non-devs supposed to verify certificate name and the name of the website they are on? But aren't regular non-devs supposed to verify certificate name and the name of the website they are on?
The browser does this for you. Chrome (and all major browsers) have a certificate validation that parses the hostname in the certificate and compares it to the site you are on.
Checking certificate details manually is primarily useful for troubleshooting. It serves little to no security benefit for 99% of users.
I wrote an article that covers some similar ground, but is focused on why Chrome's team chose "Secure" over the alternatives, such as "Private."
It is quite a bit longer, but I do break down the data to show some big issues with the alternatives. For example, 28% of users surveyed said they would leave a site if it said "Private."
I agree with Mike that Chrome's testing was incomplete. It is important for them to test perception... because we wouldn't want indicators having a large negative effect on things like bounce or conversion rate. In some ways this is comprehension to an average user... we probably can't expect most people to ever rationalize past "am I safe or not."
"[Some of us chose] to debug viruses, worry about floppy disk compatibility, learn how to change out failed hard drives, etc. if we simply wanted to use technology at all"
Now, Millennials is a pretty uselessly broad term, so depending on what age range you are actually talking about, there is slightly more truth to this. If you are talking about someone who is 29-34 today, then you would be an early adopter of these technologies and it did require a high level of expertise. However this was a very small portion of the population.
If you are talking about 22-25 year olds, then computers and the internet had become more common in households and de-skilling. I know plenty of people who have used and owned computers most of their lives and have never debugged a thing.
Nerds have the inability to understand that most people use computers like any other tool. They do not obsess over it, seek to understand how it works, or otherwise care.
Like a microwave, they buy a new one if their current computer "breaks." Like a light fixture, if it malfunctions, most people hire a repairman instead of doing it themselves.
This has always been true for the mainstream users of computers. It only seems more absurd now because 16-19 year olds have had smartphones and other technology luxuries their whole lives, and so we expect them to have invested more interest into truly learning how to use them and how they work.
But availability of a technology does not have much of a connection to proficiency of said technology.
Ironically, I am sure most of the people here who whine about how little other people understand computers have a similar lack of understanding for other objects they use everyday. How many people in programming/I.T. know anything about plumbing or car maintenance?
I would recommend a total redesign of your front page. It sounds like it could be a great tool, but I have literally no impression of it from clicking on any of the non-gated links on your site.
The basic info on https://visualtip.com/tour is closer to what you need on the homepage. But visual-focused instead of text. And absolutely reduce the noise on the page by getting rid of meaningless text such as
"Security: We take security very seriously and have taken measures to protect our customer's data"
and the Deiter Rams quote which looks like a user endorsement needs to go too.
I agree. I clicked to the front page and I see something about annotating images, but then also something about users... and I just don't really get what it does without reading the whole page. The company name is also not very illuminating.
The tour page however tells me almost instantly that it's meant to get feedback on designs (even if that is only made clear in step three out of three). Now going back to the front page, those three steps are there as well, except they're shown as three separate features of the product instead of logical steps (I didn't make that connection) and the "You, the designer" part puts the "so what's that about clients/customers" in place.
Then again, I often feel like I'm thick-witted so take it for what you will. Or perhaps where you link from (e.g. link text / ad text / the search query they entered) gives enough context for them to get it.
On the other hand, this basically means just one line to the script to be run on each fresh install of Windows.
It's not like we lost the license to use Paint, did we?
You mean in order to place it back on the machines? Sure, just one line.
But there seems to be a rather big difference between basic software that is guaranteed to be available and software that requires any amount of scripting/preparation to install, even if it is just one line.
Yeah, but that executable file is like 335 kilobytes, or at least it was in Windows XP. * checks Win10 * My goodness it's 6,520 kilobytes now. At that rate of growth... * back of napkin math * KILL IT!!
We jest, but bullshit like that is entirely possible.
Windows is a product in decline in many ways, and a public company still needs to grow revenue. Users can (and are) migrating to modern platforms, but many of the organizations using it are doing so because they have to, will continue to have that need for a decade or more.
My colleagues at work who run apps on the IBM Mainframe and POWER server platforms plan their operational cadences around peak periods where they lease access to CPU cores and memory on their servers. They only get to access about 25% of the hardware without a meter running. Microsoft can and probably will do the same conceptual thing to extract more dollars.
>they should at the very least have either ETSI TSP² or WebTrust³ certifications to meet the security/trust requirements for operating a CA
A reseller does not need to meet any of these certifications. Resellers have a business relationship with a CA, and all the steps related to certificate verification and issuance are handled by that CA.
On the backend, a certificate request for your site is handled the same by the CA whether if comes through a reseller or through them directly.