The little gold SSL padlock, that is.
VeriSign is reported to be saying some interesting things about changes they would like to see to increase user trust in SSL certificates. Most would agree that the level of protection from SSL encryption has made a huge improvement to online commerce for a very minimal investment (even “official” intermediary-signed SSL certs can be purchased for as little as $30 each). However, the ubiquity of SSL, and the lack of a unified standard root authority, has come with a trade-off in terms of the validity of the certificates. In other words, as the old adage goes, the lower the barrier to adoption, the higher the rate of fraud.
So, if you are a certificate-selling company, you are probably debating how to introduce new controls to (re)establish the trustworthiness of the padlock (and raise prices). The browser companies are thus also considering how to upgrade the padlock to represent the upcoming upgrade in “assurance”. Well, actually, to be fair, they are considering how to represent the assurance that was supposed to happen in the first place, now that the current icon has been watered down to represent “RC4 128” and not much more:
When the padlock was first invented by Netscape in the early days of the Web, it stood for a secured connection with an identified Web site. That changed when some certification authorities started lowering their verification standards and discounting certificates, said Judy Shapiro, vice president of marketing at Comodo. “Browsers did an end-run around this. Nobody expected anyone to delete what was a key part of the certificate issuance process, which was the business verification,” she said. “Browsers were unprepared to display high assurance and low assurance certificates in a different way.”
Kudos to Comodo for saying so… I guess if you have lost control of a currency’s value, you have to print new currency to re-establish control.
Speaking as a person who’s run an internet presence company for 10+ years… people don’t look at the padlock, they don’t even look at the warnings. Wrong name, expired, self-signed… when the warning pops up, people just click on “OK” and go ahead. It’s as if they have been trained to ignore popups of any kind.
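To make concrete what the padlock is supposed to stand for, and the three warning conditions the comment above lists (wrong name, expired, self-signed), here is an added example that is not part of the original post or the comment. It inspects a certificate in the dictionary format that Python's `ssl.SSLSocket.getpeercert()` returns, reports those warning conditions, and notes whether the subject carries an organisation name at all (a domain-only certificate typically names just the host, an organisation-validated one also names the business). The certificate dictionaries, names and dates are constructed samples; the function names are my own.

```python
"""Inspect a certificate as returned by ssl.SSLSocket.getpeercert() and
report the conditions browsers warn about (name mismatch, expiry,
self-signed) plus whether the subject asserts an organisation identity.

Added example, not code from the original post. The certificate dicts
below are constructed samples in the getpeercert() format, not real certs.
"""
import ssl
import time


def _rdn_to_dict(rdn_tuple):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) layout into a dict."""
    out = {}
    for rdn in rdn_tuple:
        for key, value in rdn:
            out.setdefault(key, value)
    return out


def _hostname_matches(pattern, hostname):
    """Exact match, or a single leading '*.' label wildcard (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.net"
        # The wildcard covers exactly one label, so the dot counts must agree.
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return False


def inspect_cert(cert, hostname, now=None):
    """Return (warnings, assurance) for a getpeercert()-style dict.

    warnings  -> list such as ['hostname mismatch', 'expired', 'self-signed']
    assurance -> 'organisation-validated' if the subject names an organisation,
                 otherwise 'domain-only'
    """
    now = time.time() if now is None else now
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    warnings = []

    # 1. Name check: subjectAltName dNSName entries first, CN only as a fallback.
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]
    if not any(_hostname_matches(n, hostname) for n in names):
        warnings.append("hostname mismatch")

    # 2. Validity window; ssl.cert_time_to_seconds parses the 'Jan 15 ... GMT' form.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        warnings.append("expired")
    elif now < not_before:
        warnings.append("not yet valid")

    # 3. Self-signed: issuer equals subject, so nobody else vouched for it.
    if subject == issuer:
        warnings.append("self-signed")

    # 4. Identity assurance: a domain-only cert usually carries just a CN;
    #    an organisation-validated cert also names O (and typically L and C).
    assurance = "organisation-validated" if "organizationName" in subject else "domain-only"
    return warnings, assurance


# Constructed sample certificates (not real), in getpeercert() format.
ORG_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example Intermediate CA"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 23:59:59 2025 GMT",
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "*.example.net"),),),
    "issuer": ((("commonName", "*.example.net"),),),
    "notBefore": "Jan 01 00:00:00 2020 GMT",
    "notAfter": "Jan 01 00:00:00 2021 GMT",
}
# Fixed "current time" so the sample results do not drift with the clock.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2024 GMT")

if __name__ == "__main__":
    for cert, host in ((ORG_CERT, "www.example.com"), (ORG_CERT, "shop.example.com"),
                       (SELF_SIGNED_CERT, "www.example.net")):
        print(host, inspect_cert(cert, host, SAMPLE_NOW))
```

Against a live socket the same function can be fed `sock.getpeercert()` directly; the point of the split between the warnings list and the assurance label is that a clean warnings list only says the connection is encrypted to the named host, which is exactly the watered-down meaning the post complains about, while the assurance label is what the padlock was originally meant to convey.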