Browsers and SSL Support

Larry Seltzer from discusses the state of SSL support in current browsers and how SSL errors can be made more user friendly while maintaining safety. He mentions support for the new EV SSL Certificates:

Both browsers support EV (Extended Validation) certificates, which are a new class of SSL certificates. EV certs are very expensive certificates issued only to incorporated organizations after actual background checks. To some extent, older versions of SSL were supposed to do the same thing, but over the years laziness and price wars diminished the authoritativeness of the older SSL regime. So you might say that EV certs represent a "do-over" for the trusted certificate industry.

He mentions that the current problem with EV SSL Certificates is what users think about them:

The real problem is for users to learn to expect the green bar and to learn to interpret the screen in front of them when it's telling then that something is wrong, as opposed to right. This is the real failing of modern browsers and of the Web in general.

He also discusses how the new version of Firefox is likely to make SSL errors more difficult to get around:

Hmmm...Maybe some things will be getting harder to do in Firefox 3. This seems to be Nightingale's message, that it will err more on the side of safety than convenience, and this is the message from Lord's blog as well. But simultaneously he acknowledged that many error messages are cryptic and need to be made more human-readable. He's right that both can be done. It also sounds like there will be ways to bypass the warnings, effectively whitelisting sites against such errors; these whitelists will be techie features.

The ideal situation is that site admins will get a lot of grief from users as life becomes inconvenient for Firefox 3 users, and they will demand the errors be fixed. With a group as big and influential as Firefox users, this could happen to some degree, but I'd put more money on users demanding hacks to turn off the new "protections." Firefox's developers may be doing the right thing, but users don't always take kindly to that.

Browsers and SSL Support - [eWeek]

Originally posted on Sun Oct 21, 2007