Posts Tagged ‘ssl’

Twitter gets EV SSL but is the message correct?

This would normally go on SSLFail.com but due to a server outage, I decided to just post it here...

Tim Callan, SSL Evangelist for Verisign, has posted a brief comment that Twitter now enjoys the added cost... um... protection... of EV SSL. I decided to check this out, so I visited https://www.twitter.com and was greeted by my biggest internet pet peeve, a website where only the www or non-www version works properly.

[Screenshot: https://www.twitter.com]

I decided to remedy this and use https://twitter.com; however, I still couldn't get any green demonstrating EV SSL.

[Screenshot: firefox_mixed_content]

Of course, this was probably just a Firefox problem... I'll use the new kid in town, Chrome...

[Screenshot: chrome_mixed_content]

Hrm... now I'm confused, perhaps Firefox and Chrome both have some sort of problem, because I should be getting the glorious green that is EV SSL somewhere in my address bar. I figured I'd try Internet Explorer first though because I don't want to be accused of prematurely pointing out why Tim's comment is wrong and why EV SSL is useless.

[Screenshot: ie_mixed_content]

Again, mixed content errors... this time complete with the famous IE pop-up.

Alas, all is not lost... EV SSL and the glorious green bar is available on Twitter. You simply need to provide your credentials on the page with the "broken SSL" and then, after login, you'll be presented with the wonderful green bar.

[Screenshot: finally]

Now maybe it's just me... but it seems that this is sending the wrong message to most users.

Categories: Uncategorized

SSLFail.com

I wanted to take a minute to mention a new project that Marcin and I have started that we're calling SSLFail.com. One of the primary purposes of the site is a gallery of images of sites with failed SSL due to invalid certs, bad domain names, etc. Browsers can add more and more protection against sites with poor SSL implementations, but until these big players on the web ensure they have valid SSL, users are going to continue to click through these error messages.

This isn't all the site will be though. Expect to see future discussions on our reasoning for the gallery, as well as tips and tricks and anything else.

We've already added two additional contributors: Jay Graver and Romain Gaucher.

Categories: IT, Security

Gmail SSL Fail in Chrome

Romain Gaucher mentioned this on Twitter and I had to post a screenshot for anyone who hasn't seen it... it's awesome.

Categories: Security

How Hard is it to Get Your SSL Cert Right?

Guess what, this isn't a post about the recent Rogue CA presentation... just something I came across that frustrated me.

I recently went to check out AdSense to see if it's ever actually made me any money. Being Canadian and using google.ca hourly (since google.com forces me to google.ca, I might as well type it myself), I typed in www.google.ca/adsense. I was kicked over to https://www.google.ca/adsense and had the following appear in Firefox:

I know it's obvious what the problem is, but let's look at my other screenshots since I took the time to take them.

Now why can't a company like Google get their SSL certs right? How's the general public ever supposed to trust SSL if major web-based companies are too lazy to get proper SSL certs? I'm actually rather disappointed by this. I've actually trained some of my family to not venture into sites with improper SSL certs (or at least investigate them first), and this would confuse them and set all the effort that I've made back several steps.

We always talk about educating the user, and I believe that SSL is something we can properly educate the end user about, however that requires an effort on the part of the website / vendor in question. This time Google has failed.
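Both failures on this page, a certificate whose names do not cover the hostname the user actually typed (twitter.com versus www.twitter.com, or the google.ca mismatch above) and an HTTPS login page that pulls sub-resources over plain HTTP so that every browser withholds the EV indicator, are things a site owner can check before users hit them. The following is an added example, not code from these posts or from Twitter or Google; the SAN list and the HTML are constructed stand-ins and no network access is needed.

```python
"""Added example, not from the posts: two offline checks behind the failures above.
(1) do a certificate's subject alternative names (SANs) cover the hostname typed?
(2) does an HTTPS page pull sub-resources over plain http (the mixed content that
    makes browsers withhold the EV indicator)? SANs and markup are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def host_matches_san(hostname, sans):
    """RFC 6125-style DNS-ID match: exact, or a '*.' wildcard in the left-most
    label standing in for exactly one non-empty label."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                       # e.g. ".google.ca"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False

# Tags whose fetched resource makes the page "mixed" when served over http.
# Plain <a href> links are navigations, not sub-resources, so they do not count.
SUBRESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href",
                    "object": "data", "embed": "src", "video": "src", "source": "src"}

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.insecure = page_url, []
    def handle_starttag(self, tag, attrs):
        attrs, attr = dict(attrs), SUBRESOURCE_ATTR.get(tag)
        if attr is None or (tag == "link" and "stylesheet" not in (attrs.get("rel") or "")):
            return
        url = attrs.get(attr)
        # urljoin resolves "//cdn/x.png" against the https page URL, so it stays secure
        if url and urlsplit(urljoin(self.page_url, url)).scheme == "http":
            self.insecure.append((tag, url))

def find_mixed_content(page_url, html):
    """Return (tag, url) pairs for sub-resources fetched over plain http."""
    collector = _Collector(page_url)
    collector.feed(html)
    return collector.insecure

CONSTRUCTED_SANS = ["twitter.com"]              # constructed: no www.twitter.com entry
CONSTRUCTED_PAGE = """<html><head>
<link rel="stylesheet" href="https://static.example.com/site.css">
<script src="http://static.example.com/app.js"></script></head>
<body><a href="http://example.com/help">help</a>
<img src="//static.example.com/logo.png"></body></html>"""
```

Running `host_matches_san("www.twitter.com", CONSTRUCTED_SANS)` reproduces the www/non-www split, and `find_mixed_content("https://twitter.com/", CONSTRUCTED_PAGE)` flags only the http script, not the anchor link or the protocol-relative image.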

Categories: IT, Security