Why do Firefox and Chrome want to kill EV certificates

In the latest versions of Firefox and Chrome, when you visit an HTTPS site that uses an EV certificate, the address bar no longer shows the green lock icon and the company name; instead it shows the same gray lock icon that DV certificate sites get.

As early as August this year, Firefox announced that it would drop the special display for EV certificates when 70.0 shipped in October. The reasons given were:

  1. The extra company information confuses users and takes up screen space;
  2. Emphasizing EV certificates distorts users' perception and delays the goal of a default, imperceptible HTTPS experience;
  3. Users do not pay attention to the EV green mark, and its anti-fraud effect is not significant;
  4. Safari has been hiding the company information since last year.

However, they go further than Safari and show nothing but a gray icon. The news is seen as a major blow to the certificate industry. The EV sellers who claim they can turn the browser address bar green now have ten thousand "motherfuckers" in their heads and no one to say them to.

There has been a long-standing conflict between browsers and certificate providers, and this is not the first time Chrome and the certificate providers have clashed: in August, Chrome proposed shortening certificate validity periods, and the proposal was rejected. So, are EV certificates really unnecessary?

EV & UI Design

At today's 1920-pixel-wide display resolution, at least 1200 pixels are left for the browser address bar. In the Firefox interface there is blank space before and after the address bar; on the left is the privacy icon, on the right the reader-mode and extension shortcut icons. Fair enough, a company name as long as "宝鸡有一群怀揣着梦想的少年相信在牛大叔的带领下会创造生命的奇迹网络科技有限公司" would not fit, but not even "PayPal Inc." or "Apple Inc."?

Of course, browsers don't always run in maximized windows. How does Firefox handle a narrow address bar? It hides part of the URL. So why can't the company information get the same treatment? I've seen people who almost never type a URL by hand: they always search for keywords in a search engine and click a link to reach the site. For these people, both the confusing URL and the cluttered buttons are useless. Just hide them, and a large amount of screen space is saved.

On mobile, horizontal space is indeed scarce: only the domain name is shown by default, and the full URL appears after a tap. So it would not be hard to show the EV information on a second line under the domain name.

Users are lazy, but they are not stupid. The company information itself is not the confusing part; the problem is that the latest Firefox only shows "certificate issued to: PayPal Inc.", and that is the source of the confusion. When you click the company information, you are shown "Verified by XXX, this website is operated/owned by PayPal Inc.", and anyone can tell what that means.

EV and imperceptible HTTPS

What Mozilla and Google mean by imperceptible HTTPS is that whether you use EV, OV or DV, it all shows as the same small black lock. After all, in the name of being imperceptible, they even dared to hide http:// and www. Imperceptible HTTPS is also a made-up requirement. "Insecure", "transport-secure" and "commercially verified" cannot be collapsed into just "insecure" and "secure". Users are not the obstacle to HTTPS adoption; whether they can tell a black lock from a green one does not make a website support HTTPS.

Even the autocratic Qing government knew that to enforce the queue order it was enough to kill those who refused to wear the queue; there was no need to kill Manchus whose queues were a bit thinner. Imagine Manchu soldiers telling you: what we want is an imperceptible queue; your hair is too short, and it distorts other people's perception of the queue. Drag him out and kill him!

EV & Anti-fraud

Users not caring about EV is a publicity failure of the browsers and the certificate providers. Users don't care about many things, HTTPS included. When users were too lazy to type https://, the industry came up with HSTS preload instead of giving up on HTTPS.

Users don't care about the code signing certificates of Windows drivers and macOS apps either. Why not hide the signing information there? Oh, sorry: that is Microsoft's and Apple's turf, and Mozilla and Google have no say.

Some users have only just begun to notice what the green bar means, and killing EV plays right into fraudsters' hands. Suppose you receive an e-mail containing the link https://www.аpple.com, even with the HTML source in front of you. Would you dare to click it? Don't worry about this one: it isn't Apple's official website, but so far it is also a non-existent site. The letter 'а' in the domain is not an ordinary lowercase Latin a.

@ViafaSia also found a phishing site using a Let's Encrypt DV certificate, in which every letter of "apple" in the domain was replaced by a look-alike character. Here is another one, https://раураӏ.com: open it in Firefox, then open the real https://paypal.com, and you will see that Mozilla is just an idiot siding with Google. Chrome displays IDN domains differently.

You may have tricks for spotting fake links, such as hovering over a link to see the real URL in the browser's status bar, or checking whether it is an HTTPS link. They still won't save you from an advanced phishing site.

EV & Safari

Although Safari hid the EV company information long ago, even in the latest iOS/iPadOS 13.2 and Catalina, Safari still shows a green address bar for EV certificate sites. Google uses users as a puppet to order the certificate sellers around. Google's face says: if Apple dares to light a lamp, I dare to start a fire. Mozilla fans the flames behind Google, just like a dog.

Certificate companies have always made easy money, and Google doesn't like that. Now that Chrome has grown big, it has a say and can finally give orders. Mozilla's support alone is not enough, so along the way it drags Safari into the water to justify itself.

Some say EV is so expensive and doesn't support wildcards that suppressing it is no bad thing. Google has the ability to launch competing products to push the industry forward, but instead it is going to kill EV outright.

What will happen to EV?

Maybe EV will exit the stage of history; maybe it will be reborn after all the parties finish their games. It's time for them to take some action.

  1. The EV upstream companies pay the browsers. After all, their necks are in someone else's hands, so the money should be shared;
  2. Provide a preload list like HSTS (or a better HPKP), and sites using EV certificates are automatically submitted to the list. The browser judges the similarity of domain names, and once a threshold is reached it warns the user directly and reports to anti-fraud organizations;
  3. Reduce prices, and spread EV/OV to enterprises and organizations along with the spread of HTTPS.
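The look-alike domains in the anti-fraud section (https://www.аpple.com, https://раураӏ.com) and the "domain similarity threshold" idea in item 2 above both come down to the same check. The following is an added example, not code from the original post and not any browser's actual algorithm: it assumes a hand-picked subset of Cyrillic/Latin confusables in the spirit of the Unicode TR39 "skeleton" idea, and flags a label that mixes scripts or that is non-Latin yet spells an all-Latin name once its look-alikes are folded.

```python
# Added example (not from the original post): defender-side homograph check for
# the two look-alike domains discussed above. CONFUSABLES is a constructed
# subset of the Unicode confusables table, not the full table and not the
# policy any real browser applies.
import unicodedata

# Constructed subset: Cyrillic letters that render like Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u04cf": "l", "\u04c0": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

# The post's two examples, written with escapes so the code points are explicit.
FAKE_APPLE = "www.\u0430pple.com"                       # Cyrillic а + Latin pple
FAKE_PAYPAL = "\u0440\u0430\u0443\u0440\u0430\u04cf.com"  # all Cyrillic look-alikes


def skeleton(domain: str) -> str:
    """Fold every look-alike character to its Latin twin (TR39-style skeleton)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def label_scripts(label: str) -> set:
    """Unicode scripts used by the letters of one DNS label (digits and '-' ignored)."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        if ch.isascii():
            scripts.add("LATIN")
        else:
            # unicodedata names start with the script, e.g. "CYRILLIC SMALL LETTER A".
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def to_punycode(domain: str) -> str:
    """The xn-- form resolvers see, and what a browser shows when it refuses the Unicode form."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return "<not encodable>"


def assess(domain: str) -> dict:
    """Flag a domain that mixes scripts or whose skeleton spells a different all-Latin name."""
    labels = domain.lower().split(".")
    mixed = any(len(label_scripts(label)) > 1 for label in labels)
    non_latin = any(label_scripts(label) - {"LATIN"} for label in labels)
    skel = skeleton(domain)
    risk = mixed or (non_latin and skel.isascii() and skel != domain.lower())
    return {"punycode": to_punycode(domain), "skeleton": skel,
            "mixed_script": mixed, "risk": risk}


if __name__ == "__main__":
    for d in (FAKE_APPLE, FAKE_PAYPAL, "paypal.com", "xn--pple-43d.com"):
        print(d, assess(d))
```

A browser that already shows the punycode form for such labels is doing the cheap half of this; the skeleton comparison against a list of known brands (or, as item 2 suggests, against an EV preload list) is the part that turns "odd-looking domain" into "this is impersonating paypal.com".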

Managing Let's Encrypt wildcard SSL certificates with acme.sh

Certbot can request wildcard certificates, but renewing them is inconvenient.

Installation

curl https://get.acme.sh | sh

Configure the DNS API

Edit ~/.bashrc and add the following (using Cloudflare as an example):

export CF_Key="123456789"

export CF_Email="[email protected]"

After saving, run:

source ~/.bashrc

Request the certificate

acme.sh --issue --dns dns_cf -d dallas.lu -d '*.dallas.lu'

It is worth mentioning that if you have several domains, each hosted at a different DNS provider, you can use a command like the following:

acme.sh --issue \
-d dallas.lu --dns dns_cf \
-d '*.dallas.lu' --dns dns_cf \
-d a.com --dns dns_namecom \
-d '*.a.com' --dns dns_namecom \
-d b.com --dns dns_dp \
-d '*.b.com' --dns dns_dp

Install the certificate

acme.sh --install-cert -d dallas.lu \
--key-file /etc/nginx/certs/dallas.lu.key \
--fullchain-file /etc/nginx/certs/dallas.lu.fullchain.cer \
--reloadcmd "service nginx restart"

Once everything is configured, enable acme.sh's automatic upgrade:

acme.sh --upgrade --auto-upgrade

Using Let’s Encrypt Wildcard SSL Cert

Let's Encrypt has FINALLY announced official support for wildcard certificates.

Apply

Run this command on your VPS:

~/certbot-auto certonly \
-d dallas.lu \
-d '*.ngrok.dallas.lu' \
-d '*.dallas.lu' \
-d other.com \
-d '*.other.com' \
--manual \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

Use --cert-name to set the certificate name; otherwise the domain name after the first '-d' parameter is used as the name.

IP logging notice

The IP of the requesting machine will be logged, though it is not made public for now. If you are worried about an important IP on the VPS, you can modify the config files in /etc/sysconfig/network-scripts and restart the network service to change your IP temporarily. Type 'Y' to continue.

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

DNS TXT records

Add a TXT record.

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.dallas.lu with the following value:

QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

TIPS: if you want root.com and *.root.com verified in the same certificate, add a -d parameter for each of them, for example '-d dallas.lu -d *.dallas.lu'. And you will need to add multiple TXT records under the same name, one per challenge. Use 'nslookup' to verify:

nslookup
> set type=txt
> _acme-challenge.dallas.lu
Server:		8.8.8.8
Address:	8.8.8.8#53
 
Non-authoritative answer:
_acme-challenge.dallas.lu text = "I6Tys5RebMhWaBxN1e4fBaBj2OF7jUPl92tdDtfKjao"
_acme-challenge.dallas.lu text = "QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU"
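The reason the root and the wildcard need two TXT records under one name is that the dns-01 challenge for '*.dallas.lu' strips the '*.' and lands on _acme-challenge.dallas.lu, the same name the bare domain uses, while '*.ngrok.dallas.lu' gets its own _acme-challenge.ngrok.dallas.lu. The following is an added example, not part of the original post or of certbot: it derives the record name for each -d value, parses nslookup output (the text below is constructed from the values shown above, so nothing here touches the network), and lists which challenge tokens are still missing before you press Enter.

```python
# Added example (not from the original post): which dns-01 record each -d value
# maps to, and a check that every token certbot printed is visible in DNS.
# NSLOOKUP_OUTPUT is constructed from the two values shown in the post.
import re

NSLOOKUP_OUTPUT = """\
Server:   8.8.8.8
Address:  8.8.8.8#53

Non-authoritative answer:
_acme-challenge.dallas.lu text = "I6Tys5RebMhWaBxN1e4fBaBj2OF7jUPl92tdDtfKjao"
_acme-challenge.dallas.lu text = "QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU"
"""

# Constructed pairing of -d values with the tokens certbot printed for them.
IDENTIFIERS = ["dallas.lu", "*.dallas.lu"]
TOKENS = ["I6Tys5RebMhWaBxN1e4fBaBj2OF7jUPl92tdDtfKjao",
          "QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU"]


def challenge_name(identifier: str) -> str:
    """dns-01 record name for a -d value; 'x' and '*.x' share the same name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + host.rstrip(".")


def parse_txt(output: str) -> dict:
    """Map record name -> set of TXT values from nslookup's answer section."""
    records = {}
    for m in re.finditer(r'^(\S+)\s+text\s*=\s*"([^"]*)"', output, re.M):
        records.setdefault(m.group(1), set()).add(m.group(2))
    return records


def expected_records(identifiers, tokens) -> dict:
    """Group the tokens by the record name their identifier resolves to."""
    expected = {}
    for ident, token in zip(identifiers, tokens):
        expected.setdefault(challenge_name(ident), set()).add(token)
    return expected


def missing_records(expected: dict, found: dict) -> list:
    """(name, token) pairs not yet visible in DNS; an empty list means it is safe to continue."""
    return sorted((name, tok) for name, toks in expected.items()
                  for tok in toks if tok not in found.get(name, set()))


if __name__ == "__main__":
    found = parse_txt(NSLOOKUP_OUTPUT)
    print("expected:", expected_records(IDENTIFIERS, TOKENS))
    print("missing :", missing_records(expected_records(IDENTIFIERS, TOKENS), found))
```

Pipe real output in with something like `nslookup -type=txt _acme-challenge.dallas.lu 8.8.8.8` and feed it to parse_txt; querying a public resolver rather than your own DNS provider also catches the case where the record exists at the provider but has not propagated yet, which is exactly when certbot's verification fails.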

Cert

After verification:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dallas.lu/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dallas.lu/privkey.pem
Your cert will expire on 2018-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

We won't discuss configuring SSL certificates here. If some domains fail to verify, just run the command again; the TXT record values do not change once a domain has been verified.

The Hitchhiker's Guide to Zhihu

Zhihu has become the go-to choice for acquiring knowledge and, under the pretext of acquiring knowledge, killing time and putting off serious work, even though Zhihu has been flooded with users of every kind and some big names keep announcing their departure. Since it is a hub of knowledge, it should carry not only the methodology and values handed down from the elite to the masses, but also the excellent answers of ordinary users who are specialists in their own fields. So I hope Zhihu users need not radically conclude that "Zhihu has been taken over by idiots".


A regular expression that matches a winning mahjong hand

Regular expressions are generally used to describe strings, so we first turn a winning mahjong hand into a string. Mahjong contains the following tiles:

  • Bamboo (条): one bamboo (幺鸡), two, three, four, five, six, seven, eight and nine bamboo
  • Dots (筒): one, two, three, four, five, six, seven, eight and nine dots
  • Characters (万): one character (幺万), two, three, four, five, six, seven, eight and nine characters
  • Other: red dragon (红中)

The arrangement and grouping of the tiles also matter: they affect a player's judgement and decide whether one can declare ready in time and avoid missing a win; likewise, they simplify the regex matching problem. So here we assume the hand has already been grouped into pungs, chows, pairs and kongs, with each chow sorted in ascending order according to the list above.


The CentrioHost wildcard SSL certificate renewal incident

A year ago I learned about the deal at http://www.v2ex.com/t/81933 and mindlessly bought two. On September 13 this year, PayPal sent an e-mail saying that Kamrul H. Bappy had charged me $5 through a recurring payment. I waited two days without receiving any related e-mail, then found out through PayPal that the payee was CentrioHost. When I logged in to the site, all my order information was gone, so, figuring it was like GoDaddy and I no longer used the service anyway, I requested a refund.


Hacker Social Engineering Attacks 2

While the black hand stays hidden, who can compete! After a four-year absence, the "social engineering corpse" (社工尸, a pun on "social engineer") returns to the scene.

2008

Hacker Social Engineering Attacks (《黑客社会工程学攻击》) went on sale. It was the first domestic "social engineering" book of its time and inspired China's own brand of social engineering and its black market. It became the best-selling hacking and security title of the year and was hailed as the Chinese edition of The Art of Deception. The book was once the "treasure of the shop" of the official Taobao store and of the agents' Taobao stores. After it sold out, some readers paid several times the original price to obtain it through other channels.


Reverse proxying Google App Engine with Nginx

It is bad enough that connections to *.appspot.com are constantly reset by the GFW; Google has also stopped accepting applications for the free edition of Google Apps. As a result, apps running on Google App Engine cannot be bound to a custom domain, so they can no longer be made reachable from mainland China by pointing DNS at a usable IP. Nevertheless, there is still the option of a reverse proxy, which works on the same principle as binding a domain on Sina App Engine and lets you access an app on Google App Engine under your own domain.


Installing pptp on CentOS 6 with yum

Compared with one-click installer packages, installing via yum is easier to manage, and the program can be upgraded with the yum update command.