Home > Uncategorized > Twitter gets EV SSL but is the message correct?

Twitter gets EV SSL but is the message correct?

This would normally go on SSLFail.com but due to a server outage, I decided to just post it here...

Tim Callan, SSL Evangelist for Verisign, has posted a brief comment that Twitter now enjoys the added cost... um... protection... of EV SSL. I decided to check this out, so I visited https://www.twitter.com and was greeted by my biggest internet pet peeve, a website where only the www or non-www version works properly.

https://www.twitter.com

I decided to remedy this and use https://twitter.com, however I still couldn't get any green demonstrating EV SSL

firefox_mixed_content

Of course, this was probably just a Firefox problem... I'll use the new kid in town, Chrome...

chrome_mixed_content

Hrm... now I'm confused, perhaps Firefox and Chrome both have some sort of problem, because I should be getting the glorious green that is EV SSL somewhere in my address bar. I figured I'd try Internet Explorer first though because I don't want to be accused of prematurely pointing out why Tim's comment is wrong and why EV SSL is useless.

ie_mixed_content

Again, mixed content errors... this time complete with the famous IE pop-up.

Alas, all is not lost... EV SSL and the glorious green bar is available on Twitter. You simply need to provide your credentials on the page with the "broken SSL" and then, after login, you'll be presented with the wonderful green bar.

finally

Now maybe it's just me... but it seems that this is sending the wrong message to most users.

Categories: Uncategorized Tags: , ,
  1. Toby Galino
    May 20th, 2010 at 16:28 | #1

    Looks like a configuration issue that we here at VeriSign are working with Twitter to correct, as Tim mentions, " Yes, we noticed that and have reached out to Twitter to help them with their configuration. I'm sure it will be handled soon." on the brief comments link in your article.

  2. June 9th, 2010 at 14:26 | #2

    Probably because they used mixed content. Without logging in, I also can't find a way to get a green bar.

    At least they seem to forward http://www.twitter.com up to twitter.com without issue. This can be a huge pain depending on your load balancing or ssl-offloading gear.

    Still…why hate on 'www'? :)

  1. No trackbacks yet.