Local website purchase SSL or self signed?

Dashrender

@Breffni-Potter said:

Oh wait, gray padlock means SSL but without Extended Validation. Firefox is the only browser to do this by the looks of it, everyone else has a green padlock.

Nope.
Here's IE 11 on Win10 pro

Dashrender

As can see here, Chrome does use a green padlock for non EV certs.

And a green box around a green padlock for EV

FF uses a green padlock for EV

and IE makes the whole bar green for EV.

Dashrender

There's no consistency here at all. How are consumers suppose to protect themselves. This is ridiculous. The format for displaying EV should part of the EV spec or something. sigh.

scottalanmiller

@Dashrender said:

There's no consistency here at all. How are consumers suppose to protect themselves. This is ridiculous. The format for displaying EV should part of the EV spec or something. sigh.

This isn't about security, it's about selling certs.

Dashrender

@scottalanmiller said:

@Dashrender said:

There's no consistency here at all. How are consumers suppose to protect themselves. This is ridiculous. The format for displaying EV should part of the EV spec or something. sigh.

This isn't about security, it's about selling certs.

I'd mostly agree, but I'd say it's a tiny bit about security.

scottalanmiller

@Dashrender said:

I'd mostly agree, but I'd say it's a tiny bit about security.

Seems almost like security being lost here.

Dashrender

@scottalanmiller said:

@Dashrender said:

I'd mostly agree, but I'd say it's a tiny bit about security.

Seems almost like security being lost here.

The reality perhaps is a loss of security, but the hope was that EV would show the consumer that the site went through more rigorous verification process, so you should be able to trust that that they are who they say they are.

scottalanmiller

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

I'd mostly agree, but I'd say it's a tiny bit about security.

Seems almost like security being lost here.

The reality perhaps is a loss of security, but the hope was that EV would show the consumer that the site went through more rigorous verification process, so you should be able to trust that that they are who they say they are.

I feel like this is one of those things that I would say and people would point out that I'm crazy and a tech and that absolutely zero consumers would understand this or look into it. It's all for the sales, I think, not at all for the security.

Dashrender

@scottalanmiller said:

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

I'd mostly agree, but I'd say it's a tiny bit about security.

Seems almost like security being lost here.

The reality perhaps is a loss of security, but the hope was that EV would show the consumer that the site went through more rigorous verification process, so you should be able to trust that that they are who they say they are.

I feel like this is one of those things that I would say and people would point out that I'm crazy and a tech and that absolutely zero consumers would understand this or look into it. It's all for the sales, I think, not at all for the security.

You're absolutely right. I thought I was saying that. The IDEA was to enhance security.. but you can't just put something in place and expect the public to understand what it is or why it's good or even more... CARE... they don't. Just like people (at least in the US) don't care about identity theft. I think we all agree that it's a huge problem, but even as big a problem as it is, it hasn't affected enough people to cause the masses to really care about it.

scottalanmiller

I think that the masses really care about identify theft but too many do not understand that it is three companies responsible for it and that voting to hold them accountable is the only option.

JaredBusch

@Dashrender said:

The reality perhaps is a loss of security, but the hope was that EV would show the consumer that the site went through more rigorous verification process, so you should be able to trust that that they are who they say they are.

@scottalanmiller

I feel like this is one of those things that I would say and people would point out that I'm crazy and a tech and that absolutely zero consumers would understand this or look into it. It's all for the sales, I think, not at all for the security.

I'll call anyone that thinks this crazy

@scottalanmiller is most certainly right here. There is nothing security related here. it is all good marketing allowing cert providers to charge more money for something no one cares about and does zero for security.

coliver

@JaredBusch said:

@scottalanmiller is most certainly right here. There is nothing security related here. it is all good marketing allowing cert providers to charge more money for something no one cares about and does zero for security.

Agreed 100%. There is zero benefit to having the more expensive certification from a technical standpoint. Probably also zero from a marketing and reputation standpoint.

scottalanmiller

@coliver said:

@JaredBusch said:

@scottalanmiller is most certainly right here. There is nothing security related here. it is all good marketing allowing cert providers to charge more money for something no one cares about and does zero for security.

Agreed 100%. There is zero benefit to having the more expensive certification from a technical standpoint. Probably also zero from a marketing and reputation standpoint.

That would be my guess. I can't see a company touting this in a useful way. How would you present it?

"We spent more on our SSL cert than our competitor."

Customers would say "What's an SSL cert and why are you wasting money on a more expensive one?"

coliver

@scottalanmiller said:

@coliver said:

@JaredBusch said:

@scottalanmiller is most certainly right here. There is nothing security related here. it is all good marketing allowing cert providers to charge more money for something no one cares about and does zero for security.

Agreed 100%. There is zero benefit to having the more expensive certification from a technical standpoint. Probably also zero from a marketing and reputation standpoint.

That would be my guess. I can't see a company touting this in a useful way. How would you present it?

"We spent more on our SSL cert than our competitor."

Customers would say "What's an SSL cert and why are you wasting money on a more expensive one?"

Not even customers... how would you present this to shareholders? "We spent money on something that has no proven track record of being more secure or more marketable then the cheaper option." Doesn't make sense to me.

scottalanmiller

Well, thankfully minutia like SSL Certs is rarely presented to shareholders

coliver

@scottalanmiller said:

Well, thankfully minutia like SSL Certs is rarely presented to shareholders

Right... I'm not even sure how much more expensive it is... just seems like it would be one of those... "If they are wasting money on that, what else are they wasting money on?" Situations.

Dashrender

Yet many banks and Paypal, eBay, etc all use the EV cert.

JaredBusch

@Dashrender said:

Yet many banks and Paypal, eBay, etc all use the EV cert.

many people use SAN also. The point is the marketing worked. Not that the solution is correct.

Dashrender

uh.. Isn't SAN a different situation altogether?

JaredBusch

@Dashrender said:

uh.. Isn't SAN a different situation altogether?

No. Both are a waste of money with little true value and hyped or marketed heavily as a good thing.