Why do Firefox and Chrome want to kill EV certificates?

In the latest versions of Firefox and Chrome, when you visit an HTTPS site that uses an EV certificate, the address bar no longer shows the green lock icon and company name; it shows the same gray lock icon as a site with a DV certificate.

As early as August this year, Firefox announced that it would drop the special display of EV certificates when it released version 70.0 in October. The reasons given are:

  1. The additional company information confuses users and takes up screen space;
  2. The EV indicator affects how users perceive sites and delays progress toward a default HTTPS experience that users do not notice at all;
  3. Users do not care about the green EV marker, and its anti-fraud effect is not significant;
  4. Safari has been hiding the company information since last year.

However, they are more radical than Safari, showing only a gray icon. The news is seen as a major blow to the certificate industry. The EV sellers who claimed they could turn the browser address bar green have ten thousand curses on their minds and nobody to say them to.

There has long been conflict between browsers and certificate providers, and this is not the first time Chrome and certificate providers have clashed. In August, Google proposed reducing the maximum validity period of certificates, which was rejected. So is the EV certificate really unnecessary?

EV & UI Design

At today's 1920-pixel display width, the browser address bar gets at least 1200 pixels. In the Firefox interface there is blank space before and after the address bar; on the left is the privacy icon, on the right are the reader-mode and extension shortcut icons. Granted, a company name as long as "宝鸡有一群怀揣着梦想的少年相信在牛大叔的带领下会创造生命的奇迹网络科技有限公司" would not fit, but not even "PayPal Inc." or "Apple Inc."?

Of course, browsers do not always run maximized. How does Firefox deal with a long URL in the address bar? It hides part of the URL. So why can't company information get the same treatment? I have seen people who almost never type a URL by hand: they always search for keywords in a search engine and click a link to reach the site. For them, both the confusing URL and the cluttered buttons are useless; just hide them and save a large amount of screen space.

In the mobile version, horizontal space really is scarce, and by default only the domain name is displayed; the complete URL appears after a tap. So it would not be difficult to show the EV information on a second line under the domain name.

Users are lazy, but they are not stupid. That company information is confusing is not the problem; the latest version of Firefox shows only "certificate issued to: PayPal Inc.", and that is the source of the confusion. When you click the company information, you are told "Verified by XXX; this website is operated/owned by PayPal Inc." Anyone will understand what that means.

EV and imperceptible HTTPS

What Mozilla and Google mean by imperceptible HTTPS is that whether you are using EV, OV or DV, everything is displayed as the same small black lock. After all, in the name of imperceptibility they even dare to hide http://www. Imperceptible HTTPS is also a requirement nobody asked for. Insecure, transport-secure and commercially secure cannot be reduced to just insecure and secure. Users are not the obstacle to HTTPS adoption; whether or not they can tell a black lock from a green lock does not make a website support HTTPS.

Even the autocratic Qing government knew that to enforce the queue order it was enough to kill those who refused to wear a queue; there was no need to kill Manchus who wore a smaller one. Imagine the Manchu soldiers telling you: what we want is an imperceptible queue, your hair is too short and it affects other people's perception of the queue. Drag him down and execute him!

EV & Anti fraud

Users not caring about EV is a failure of browsers and certificate providers to promote it. Users do not care about a lot of things, HTTPS included. Users are too lazy to type https://, so the industry came up with HSTS preloading instead of giving up on HTTPS.

Users do not care about the code-signing certificates on Windows drivers and macOS apps either. Why not hide the signing information there? Oh, sorry, that is Microsoft's and Apple's territory; Mozilla and Google can't do anything about it.

Some users have only just begun to pay attention to what the green bar means, and killing EV is a great help to fraud. If you receive an e-mail containing the link https://www.аpple.com and you can see the HTML source, do you dare to click it? Don't worry about the link: although it is not Apple's official website, it is still a non-existent site so far. The letter 'а' in that name is not an ordinary lowercase Latin a.

@ViafaSia also found a phishing site that used a Let's Encrypt DV certificate; each letter of "apple" in the domain was a different lookalike character. Here is another one, https://раураӏ.com: open it in Firefox, then open the real https://paypal.com. You will see that Mozilla is just an idiot standing with Google. Chrome displays IDN domains differently.

You may have some tricks for spotting fake links, such as hovering the mouse over a link to see the real URL in the browser's status bar, or checking whether it is an HTTPS link. But they still do not protect you from an advanced phishing site.

EV & Safari

Although Safari has hidden the EV company information for a long time, as of the latest iOS/iPadOS 13.2 and Catalina it still shows a green address bar for EV certificate sites. Google uses users as puppets to order certificate sellers around. Google's attitude is: 'if Apple dares to light a lamp, I dare to set the place on fire.' Mozilla follows along behind Google like a dog.

It has always been easy for certificate companies to make money, and Google does not like that. As Chrome grew, it gained the right to speak, and finally it can give orders. Mozilla's support was not enough; it dragged Safari into the water as well, to justify itself.

Some people say EV is so expensive and does not support wildcards that suppressing it is no bad thing. Google has the ability to launch competing products to move the industry forward, but instead it is going to kill EV outright.

What will happen to EV?

Maybe EV will exit the stage of history, or maybe it will be reborn after all parties have played their games. It is time for them to take some action:

  1. The EV upstream companies pay the browsers. After all, their necks are in someone else's hands, so the money should be shared;
  2. Provide a preload list like HSTS (or a better HPKP), to which sites using EV certificates are submitted automatically. The browser measures the similarity of domain names and, once a threshold is reached, warns the user directly and reports to anti-fraud organizations;
  3. Lower prices, and popularize EV/OV among enterprises and organizations along with the spread of HTTPS.
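The lookalike links above (https://www.аpple.com, https://раураӏ.com) and the domain-similarity check proposed in item 2 can both be demonstrated with a small checker. This is an added example, not code from the post; the CONFUSABLES table is a hand-picked subset of the Unicode TR39 confusables covering only the Cyrillic cases mentioned, and PROTECTED is an assumed list of brands to watch.

```python
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",  # palochka, renders like a lowercase L
}
# Constructed list of brands to protect (the post's own examples).
PROTECTED = {"apple.com", "paypal.com"}

def to_ascii(domain: str) -> str:
    """Punycode (xn--) form: what goes on the wire, and what Chrome shows for such names."""
    return domain.encode("idna").decode("ascii")

def scripts(label: str) -> set:
    """Unicode scripts used in one label, taken from the character names."""
    found = set()
    for ch in label:
        if ch.isascii():
            found.add("LATIN" if ch.isalpha() else "COMMON")
        else:
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def skeleton(domain: str) -> str:
    """Replace confusable characters with their Latin lookalikes (TR39-style skeleton)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())

def check(domain: str) -> list:
    """Reasons a domain looks suspicious; an empty list means nothing was found."""
    host, reasons = domain.lower().rstrip("."), []
    for label in host.split("."):
        used = scripts(label) - {"COMMON"}
        if len(used) > 1:  # mixed-script label, e.g. Cyrillic a + Latin pple
            reasons.append(f"mixed scripts in {label!r}: {sorted(used)}")
    if to_ascii(host) != host:
        reasons.append(f"non-ASCII name, wire form {to_ascii(host)}")
    base = ".".join(host.split(".")[-2:])  # registrable part, for the brand comparison
    if skeleton(base) in PROTECTED and skeleton(base) != base:
        reasons.append(f"looks like protected brand {skeleton(base)}")
    return reasons

if __name__ == "__main__":
    for d in ["www.apple.com", "www.\u0430pple.com", "\u0440\u0430\u0443\u0440\u0430\u04cf.com"]:
        print(d, "->", check(d) or "ok")  # the last one is the post's раураӏ.com
```

Note that раураӏ.com is a single-script label, so a mixed-script rule alone (which is roughly what Firefox applies) passes it; only the confusable-skeleton comparison catches it.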

Managing Let's Encrypt Wildcard SSL Certificates with acme.sh

Certbot can request wildcard certificates, but renewing them is inconvenient.

Installation

curl https://get.acme.sh | sh

Configure the DNS API

Edit ~/.bashrc and add the following (using Cloudflare as an example):

export CF_Key="123456789"
export CF_Email="[email protected]"

Save, then run:

source ~/.bashrc

Request the certificate

acme.sh --issue --dns dns_cf -d dallas.lu -d '*.dallas.lu'

It is worth noting that if you have several domains, each hosted at a different DNS provider, you can use a command like the following (the wildcard is quoted so the shell does not expand it):

acme.sh --issue \
  -d dallas.lu --dns dns_cf \
  -d '*.dallas.lu' --dns dns_cf \
  -d a.com --dns dns_namecom \
  -d '*.a.com' --dns dns_namecom \
  -d b.com --dns dns_dp \
  -d '*.b.com' --dns dns_dp

Install the certificate

acme.sh --install-cert -d dallas.lu \
  --key-file /etc/nginx/certs/dallas.lu.key \
  --fullchain-file /etc/nginx/certs/dallas.lu.fullchain.cer \
  --reloadcmd "service nginx restart"

Once everything is configured, turn on automatic upgrades of acme.sh itself:

acme.sh --upgrade --auto-upgrade

Using a Let's Encrypt Wildcard SSL Certificate

Let's Encrypt has FINALLY announced official support for wildcard certificates.

Request

Run this command on your VPS (wildcards are quoted so the shell does not expand them):

~/certbot-auto certonly \
  -d dallas.lu \
  -d '*.ngrok.dallas.lu' \
  -d '*.dallas.lu' \
  -d other.com \
  -d '*.other.com' \
  --manual \
  --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory

Use --cert-name to set the certificate name; otherwise the domain after the first -d parameter is used as the name.
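The command above lists both *.dallas.lu and *.ngrok.dallas.lu because a wildcard only matches one label. The following added example (not from the post) implements that matching rule, RFC 6125 style, and assumes a SAN list mirroring the -d parameters above so you can see which hostnames the resulting certificate would and would not cover.

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName SAN entry covers hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be '*', it needs at least two labels after
    # it (no '*.com'), and it stands for exactly one label, never "a.b".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def covered(san_list, hostname: str) -> bool:
    """True if any SAN entry covers hostname."""
    return any(san_matches(san, hostname) for san in san_list)

def uncovered_hosts(san_list, hostnames) -> list:
    """Hostnames the certificate would NOT be valid for, in input order."""
    return [h for h in hostnames if not covered(san_list, h)]

# Constructed SAN list mirroring the -d parameters of the certbot command above.
SANS = ["dallas.lu", "*.ngrok.dallas.lu", "*.dallas.lu", "other.com", "*.other.com"]

if __name__ == "__main__":
    hosts = ["dallas.lu", "www.dallas.lu", "ngrok.dallas.lu", "x.ngrok.dallas.lu",
             "a.b.dallas.lu", "other.com", "www.other.com"]
    for h in hosts:
        print(f"{h:20} {'ok' if covered(SANS, h) else 'NOT covered'}")
```

Without the *.ngrok.dallas.lu entry, x.ngrok.dallas.lu would be uncovered; a.b.dallas.lu stays uncovered either way because no entry has a wildcard two labels deep.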

IP logging notice

The IP address of the requesting machine will be logged, though it is not made public at present. If you are worried about an important IP on the VPS, you can modify the config files in /etc/sysconfig/network-scripts and restart the network service to change the IP temporarily. Type 'Y' to continue.

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

DNS TXT records

Add a TXT record.

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.dallas.lu with the following value:

QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

TIP: if you want root.com and *.root.com verified in the same certificate, add a -d parameter for each, for example '-d dallas.lu -d *.dallas.lu'. You will then need to add multiple TXT records under the same name. Use nslookup to verify:

nslookup
> set type=txt
> _acme-challenge.dallas.lu
Server:		8.8.8.8
Address:	8.8.8.8#53
 
Non-authoritative answer:
_acme-challenge.dallas.lu text = "I6Tys5RebMhWaBxN1e4fBaBj2OF7jUPl92tdDtfKjao"
_acme-challenge.dallas.lu text = "QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU"
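Before pressing Enter it is worth confirming that every challenge token certbot printed is actually visible in DNS, not just one of them. The following added example (not from the post) runs the same TXT query non-interactively and parses nslookup's output; the parser is also usable on pasted output, as in the constructed sample built from the session above.

```python
import re
import subprocess

# Matches answer lines like:  _acme-challenge.dallas.lu  text = "TOKEN"
TXT_LINE = re.compile(r'^(\S+)\s+text\s*=\s*"([^"]*)"', re.MULTILINE)

def parse_nslookup_txt(output: str) -> dict:
    """Map each record name (lowercase, no trailing dot) to its set of TXT values."""
    records = {}
    for name, value in TXT_LINE.findall(output):
        records.setdefault(name.rstrip(".").lower(), set()).add(value)
    return records

def missing_tokens(output: str, name: str, expected) -> list:
    """Expected challenge values not yet visible under `name`, in the given order."""
    seen = parse_nslookup_txt(output).get(name.rstrip(".").lower(), set())
    return [tok for tok in expected if tok not in seen]

def query_txt(name: str, server: str = "8.8.8.8") -> str:
    """Raw nslookup output for a TXT query against `server` (the query from the session above)."""
    result = subprocess.run(["nslookup", "-type=txt", name, server],
                            capture_output=True, text=True, check=False)
    return result.stdout

# Constructed sample: the nslookup answer from the session above, as pasted text.
SAMPLE_OUTPUT = """Server:\t\t8.8.8.8
Address:\t8.8.8.8#53

Non-authoritative answer:
_acme-challenge.dallas.lu text = "I6Tys5RebMhWaBxN1e4fBaBj2OF7jUPl92tdDtfKjao"
_acme-challenge.dallas.lu text = "QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU"
"""

if __name__ == "__main__":
    # "NOT-YET-PUBLISHED" is a constructed token standing in for a record you forgot to add.
    expected = ["QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU", "NOT-YET-PUBLISHED"]
    print("missing:", missing_tokens(SAMPLE_OUTPUT, "_acme-challenge.dallas.lu", expected))
```

For a live check replace SAMPLE_OUTPUT with query_txt("_acme-challenge.dallas.lu") and loop until missing_tokens returns an empty list, keeping in mind that the resolver may cache an older answer.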

Certificate

After verification:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dallas.lu/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dallas.lu/privkey.pem
Your cert will expire on 2018-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Configuring the web server to use the certificate is out of scope here. If verification fails for some domains, just run the command again; the TXT record values do not change once verified.

Automatically pulling from a git repository and building with a hook API

In multi-person software development, building and packaging is a hassle, and so are the deployment steps that follow; doing them by hand causes many problems. If you use git together with maven, it is relatively easy to build automatically whenever a new tag is added.

Continue reading

A Zhihu Travel Guide

Zhihu has become the go-to choice for acquiring knowledge, and for killing time and putting off real work under the pretext of acquiring knowledge, even though it has been flooded with users of every kind and even some big names keep announcing their departure. Since it is a hub of knowledge, it should carry not only the methodology and values handed down from the elite to the masses, but also excellent answers from ordinary users with their own specialties. So I hope Zhihu users need not radically conclude that "Zhihu has been taken over by idiots".

Continue reading

A regular expression for matching winning mahjong hands

Regular expressions are generally used to describe strings, so we first turn a winning mahjong combination into a string. Mahjong includes the following tiles:

  • Bamboo (条): one bamboo (幺鸡), two, three, four, five, six, seven, eight, nine
  • Dots (筒): one through nine
  • Characters (万): one through nine
  • Other: red dragon (红中)

The order and grouping of the tiles matter: they affect a player's judgment, determining whether one can declare ready in time and avoid missing a win; likewise, they simplify the regex matching problem. So here we assume the tiles have already been grouped into "pungs, chows, pairs and kongs", with chows sorted in ascending order following the list above.

Continue reading

Using Rime (中州韵) Wubi-Pinyin on Ubuntu 14.04

I used the Weasel (小狼毫) input method on Windows 7 for quite a while and liked it, so I tried its Linux version, Rime (中州韵), on Ubuntu. The version installed with sudo apt-get install ibus-rime according to its iBus installation guide was too old, and the PPA mentioned in the guide has no package for Ubuntu 14.04 (Trusty). Like lanking, who ran into the same problem, I had to download and compile it. Based on the Ubuntu 12.04 installation notes, here are the problems you may encounter along the way.

Continue reading

Reverse-proxying the Google public libraries for WordPress multisite

I hear a certain Internet conference was held recently, so the situation must be excellent. On this fine occasion, let me record how to solve the problem of those reactionary public library files provided by the evil Google slowing down the whole site. If your WordPress runs only one site, the plugin Useso take over Google already offers a perfect solution. But what if you want to keep the library files under each site's own directory in a WordPress multisite?

Continue reading

The CentrioHost wildcard SSL certificate renewal incident

A year ago I learned about it at http://www.v2ex.com/t/81933 and mindlessly bought two. On September 13 this year, PayPal e-mailed me that Kamrul H. Bappy had charged me $5 through a recurring payment. I waited two days without receiving any related e-mail, then learned through PayPal that the payee was CentrioHost. When I logged into the site, all order information was gone. Assuming it was like GoDaddy, and since I no longer needed the service, I applied for a refund.

Continue reading

Restoring the boot logo after uninstalling Gnome 3

Gnome 3 is pretty, but for task switching it is not as clean as Unity, so in the spirit of not fiddling I uninstalled it. After restoring LightDM, the login manager that ships with Ubuntu 13.10, the boot logo (splash screen) was still the Gnome one.

Finally, I found how to change it at http://ubuntuguide.org/wiki/Ubuntu:Saucy#Change_Plymouth_Splash_Screen:

sudo update-alternatives --config default.plymouth
sudo update-initramfs -u

Then enter the number at the prompt to select the splash screen you want.