[cabfpub] Chrome security warning discrepancy?

Ben Wilson ben.wilson at digicert.com
Sun Jan 25 15:25:14 UTC 2015


Time for an international treaty on browser security indicators?

See
http://en.wikipedia.org/wiki/Vienna_Convention_on_Road_Signs_and_Signals#Traffic_lights.



From: Stephen Davidson [mailto:S.Davidson at quovadisglobal.com] 
Sent: Saturday, January 24, 2015 12:09 PM
To: Ben Wilson; Dean Coclin; CABFPub (public at cabforum.org)
Subject: RE: Chrome security warning discrepancy?

 

In Chrome all valid SSL normally have "identity verified".  The difference
is that DV and OV show the URL, while EV shows the Subject O.

 

I think Chrome is showing "identity not verified" for SHA1-based certs with
validity into 2016.  

 

Regards, Stephen

 

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Saturday, January 24, 2015 2:58 PM
To: Dean Coclin; CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Chrome security warning discrepancy?

 

Dean wrote, "Does anybody understand this?"

 

My response - "no".

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
Sent: Saturday, January 24, 2015 9:55 AM
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] Chrome security warning discrepancy?

 

I recently downloaded the newest version of Chrome (Version 40.0.2214.91 m)
and am now baffled by the certificate information. Here are 2 examples:

 

This screen shot shows https://www.Marriott.com. First it shows the green
lock and https as a normal indication of a secure connection. But below it
says the site is using outdated security settings. I thought if it said
this, then we would see a yellow indication (triangle or question mark)
above. Have things changed?

 

Further, it says "Identity not verified" even though the site has undergone
OV vetting and all information in the cert about the company was checked.

 



 

Contrast this to the 2nd site below,
https://www.carbon2cobalt.com/statuslogin.asp which has a DV cert yet says
"Identity verified":

 



Both sites have had their domain names "validated" yet why say "Identity
verified" with a DV cert and not an OV cert?

Does anybody understand this?

Thanks,
Dean

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 56335 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150125/89ee8cef/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 23665 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150125/89ee8cef/attachment-0007.png>