Why do Firefox and Chrome want to kill EV certificate

In the latest versions of Firefox and Chrome, when visiting HTTPS sites using EV certificates, the address bar does not display the green lock icon and company information, instead, it displays the same gray lock icon as DV certificate sites.

As early as August this year, Firefox announced that it would cancel the special display of EV certificates when it released 70.0 in October. The reasons are:

  1. Additional company information confuses users and takes up screen space;
  2. It is emphasized that ev certificate affects user's cognition and delays the progress of default HTTPS experience that makes users imperceptible;
  3. Users do not care about the green mark of EV certificate, and the anti fraud effect is not significant.
  4. Safari has been hiding company information since last year.

However, they are more radical than Safari, just showing a gray icon. The news is seen as a major negative for the certificate industry. The EV sellers who claims to be able to turn the browser address bar green, have 10000 sentences of mother fuck in their mind, and I don't know who they can talk to.

There has been a long-standing conflict between the browser and the certificate provider. It's not the first time that Chrome and certificate providers are in conflict. In August, it proposed to reduce the validity period of the certificate, which was rejected. So, is EV certificate really unnecessary?

EV & UI Design

In today's 1920 wide display resolution, the width left for the browser address bar is at least 1200 pixels. In the Firefox interface, there is a blank space before and after the address bar; on the left side is the privacy icon, on the right side is the reading mode and plug-in shortcut icon. It's reasonable to say that there's such a long company name as "宝鸡有一群怀揣着梦想的少年相信在牛大叔的带领下会创造生命的奇迹网络科技有限公司", but can't even "PayPal Inc." or "Apple Inc."?

Of course, browsers don't always run with maximized windows. How does Firefox deal with address bars? They hide part of the URL. So why can't corporate information get the same treatment? I've seen some people who almost never enter the URL manually. They are always searching for keywords in search engines and clicking links to enter the website. For these people, both of confusing URLs and complex buttons are useless. Just hide them, which can save a large amount of screen space.

n the mobile version, the horizontal space is indeed very less, and even only the domain name is displayed by default, and the complete URL can be seen after clicking. So it's not difficult to display EV information in two lines on the domain name.

Although users are lazy, they are not stupid. Company information is confusing, not a problem; the latest version of Firefox only shows "certificate issued to: PayPal Inc." which is the source of confusion. When clicking on the company information, you will be prompted with the words "Verified by XXX, this website is operated / owned by PayPal Inc." Anyone will know what does that mean.

EV and imperceptible HTTPS

What Mozilla and Google think of imperceptible HTTPS is that whatever you are using EV / OV / DV, it will all display as a small black lock. After all, in order to be imperceptible, they dare to hide http://www. Imperceptible HTTPS is also a non-existent requirement. Insecurity, transmission security and commercial security cannot be simplified as insecurity and security. The users are not the resistance of HTTPS promotion. Whether they can distinguish between black lock and green lock does not automatically make the website support HTTPS.

Even the autocratic Qing government knew that in order to carry out the order of shaving, it was enough to kill those who didn't want to wear pigtails. There was no need to kill Manchus who wear smaller pigtails. Imagine the Manchu soldiers saying to you, what we want is imperceptible pigtails, your hair is too short, which affects other people's cognition of the pigtails. Pull it down and kill him!

EV & Anti fraud

Users don't care about EV, which is the problem of browsers and certificate providers with poor publicity. Users don't care a lot, including HTTPS. Users are too lazy to type https://, the industry has proposed HSTS preload instead of giving up HTTPS.

Users don't care about the code signing certificates of Windows Drivers and Mac OS apps. Why don't you hide the signing information? Oh, I'm sorry. It's about Microsoft and Apple. Mozilla and Google can't help it.

Some users have just begun to pay attention to the meaning of green bar, and it is very helpful to fraud if EV is killed. If you receive an e-mail, there is a link https://www.аpple.com, which allows you to see the HTML source code. Do you dare to click it? Don't worry about the link, though it's not Apple's official website. So far it's still a non-existent site. The letter 'а' in the website is not an ordinary small letter A.

@ViafaSia also found a phishing site that used the let's encrypt method DV certificate. Each letter of apple in the website is another similar character. Here is another one, https://раураӏ.com , open it with your Firefox, and then open the real https://paypal.com . You will known, Mozilla is just an idiot which stands with Google. Chrome displays IDN domains in another ways.

You may have some tips to identify fake links, such as mouse over the links to see the real URL from the browser's status bar, or pay attention to whether it is an HTTPS link. But still can't escape the advanced phishing website.

EV & Safari

Although Safari has hidden EV company information for a long time, until the latest iOS / iPad OS 13.2 and Catalina, Safari still displays the green address bar for EV certificate sites. Google takes users as the puppet, to order the certificated sellers. Google's face says, 'if Apple dare to light the light, I dare to set it on fire'. Mozilla make wind behind Google, just like a dog.

It's always been easy for certification companies to make money. Google doesn't like it. When Chrome gets bigger, it has the right to speak. Finally, it can give directions. It's not enough to have Mozilla's support. By the way, it get Safari into the water to justify himself.

Some people say that EV is so expensive and doesn't support wildcard, it's not bad to suppress it. Google has the ability to launch competitive products to promote the development of the industry, but now it's going to kill EV directly.

What will happen to EV?

Maybe EV will quit the stage of history, maybe it will be reborn after all parties play games. It's time for them to take some action.

  1. The EV upstream enterprises pay money to browser. After all, their necks are in the hands of others, money should be divided;
  2. Provides a preload list like HSTS (or a better HPKP), and sites using EV certificates are automatically submitted to the list. The browser judges the similarity of domain names, once reaches the threshold, directly prompt users and report to anti fraud organizations;
  3. Reduce price, and popularize EV / OV to enterprises and organizations with the popularity of HTTPS.

使用 acme.sh 管理 Let’s Encrypt Wildcard SSL 证书

Certbot 可以申请 Wildcard 证书,但更新不便。

安装

curl https://get.acme.sh | sh

配置 API

编辑 ~/.bashrc ,加入以下内容(以 cloudflare 为例):

export CF_Key="123456789"

export CF_Email="[email protected]"

保存后,执行:

source ~/.bashrc

申请证书

acme.sh --issue --dns dns_fs -d dallas.lu -d *.dallas.lu

值得一提的是,如果有多个域名,各自使用不同的 DNS,可以参考以下命令:

acme.sh --issue \
-d dallas.lu --dns dns_cf \
-d *.dallas.lu --dns dns_cf \
-d a.com --dns dns_namecom \
-d *.a.com --dns dns_namecom \
-d b.com --dns dns_dp \
-d *.b.com --dns dns_dp

安装证书

acme.sh --install-cert -d dallas.lu \
--key-file /etc/nginx/certs/dallas.lu.key \
--fullchain-file /etc/nginx/certs/dallas.lu.fullchain.cer \
--reloadcmd "service nginx restart"

一切配置妥当后,开启 acme.sh 的自动版本更新:

acme.sh --upgrade --auto-upgrade

Using Let’s Encrypt Wildcard SSL Cert

Let's Encrypt has announced the official support of the Wildcard certificate FINALLY.

Apply

Run command on your VPS:

~/certbot-auto certonly \
-d dallas.lu \
-d *.ngrok.dallas.lu \
-d *.dallas.lu \
-d other.com \
-d *.other.com \
--manual \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

Use --cert-name to set cert name, otherwise the domain name after the first '-d' param will be used as the cert name.

IP logged notice

The IP of the request machine will be logged, but it will not be public now. If worry about the important one of IPs on the VPS,you can modify the config files in /etc/sysconfig/network-scripts and restart the network service to change your IP temporarily. Type 'Y' to continue.

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

DNS txt records

Add a txt record.

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.dallas.lu with the following value:

QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

TIPS: if you want root.com and *.root.com verified in the same cert, you should add the params for each domain, for example: '-d dallas.lu -d *.dallas.lu'. AND, you need add multiple txt records. Use 'nslookup' to verify:

nslookup
> set type=txt
> _acme-challenge.dallas.lu
Server:		8.8.8.8
Address:	8.8.8.8#53
 
Non-authoritative answer:
_acme-challenge.dallas.lu text = "I6Tys5RebMhWaBxN1e4fBaBj2OF7jUPl92tdDtfKjao"
_acme-challenge.dallas.lu text = "QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU"

Cert

After verification:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dallas.lu/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dallas.lu/privkey.pem
Your cert will expire on 2018-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

We don't talk about configuring SSL certs now. If failed to verify some domains, just run the command again. The value of txt records will not change after verified.

CentrioHost 泛域名 SSL 证书续费事件

一年前在 http://www.v2ex.com/t/81933 获知消息,于是无脑入了两个。今年9月13号,Paypal 发来邮件说 Kamrul H. Bappy 通过循环付款向我收费 $5,我等了两天没有收到任何相关的邮件,就通过 Paypal 得知收款人是 CentrioHost 的。登录该站一看,什么订单信息都没有了,以为和 Godaddy 一样,既然用不到服务了,就申请退款吧。

Continue reading

Nginx 配置 Namecheap 证书

这年头,SSL 应用真是太广泛了——不仅仅是电子商务,连写个博客、建个论坛也会有人上个SSL——中国的网民们被活生生地逼成了一个个的网络工程师;自从有了GFW以后,劳苦大众的计算机知识水平与日俱增,上个小网页各种SSH、VPN,和米国等发达帝国国民大范围使用类似 iPad 等拥有傻瓜界面的数码产品形成鲜明对比。

Continue reading