Is the green padlock dead?
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Is the green padlock dead?

A conversation with DigiCert’s Jeff Barto about the green padlock and the future of trust indicators

Today we’re going to wax philosophic about one of the biggest questions facing the SSL/TLS industry: is the green padlock dead?

If it’s not dead, it’s certainly on life support with talk of deprecating it entirely now that the internet is migrating to HTTPS. And admittedly, there are myriad issues facing it—the biggest of which is a misunderstanding over what it means in the first place.

Fortunately, we had the fine folks from DigiCert in our office for a few days last week and I had the opportunity to speak at length with resident DigiCert trust evangelist (and the man behind those monthly threat reports), Jeff Barto, about this very topic (and a range of others).

So, today we’re going to talk about the green padlock, whether it’s dead and what can be done to save it.

Let’s hash it out…

The problem with the green padlock

A couple weeks ago we talked about the fact that 49% of phishing websites now use HTTPS. And while that is an eye-catching statistic itself, there was another tidbit included in that article that helps inform today’s discussion even more: 80% of internet users don’t know what the green padlock means.

80% of people don't know what the green padlock means

The biggest cause of this problem is a lack of standardization and education. There are a handful of browsers that dominate the market: Google Chrome, Microsoft Internet Explorer and Edge, Mozilla Firefox and Apple Safari – you can toss Opera in there too if you’re feeling charitable. Those browsers and their mobile variants all display the green padlock, and other trust indicators, a bit differently.

Here’s a representation of the different ways that browsers display EV SSL certificates.

How the green padlock looks on different browsers

Granted, EV has its own unique debate (one that we’ll get Jeff’s thoughts on in another article), but this illustrates the diverse ways that the different browsers display trust indicators. And that lack of uniformity is not helping.

While many believe that the entire trust ecosystem is in a free-fall, Jeff – who is admittedly a bit more optimistic and hopeful than I am in this regard – thinks it’s actually more of a free-for-all.

“You have Google taking a stab at it, saying what is and isn’t secure. But at the same time you have each browser out there doing their own treatment for what ‘safe and secure’ should look like,” says Jeff. “They’re offering their product to their base to drive up their usership.  They’re not going to play ‘me-too’ or follow each other’s lead unless doing so gives them a shot at stealing share from their competitors. And I think that’s the wrong way to approach this.”

Is the Green Padlock dead?

If a browser does finally kill off the green padlock, Google is the most likely to do it. It’s already announced its intentions to remove the padlock, along with the protocol (https://) at the beginning of the URL, now that HTTPS will be the default state.

how to spot a fake website; Chrome HTTPS visual indicators

That would mean losing a potentially useful trust indicator (two, technically).

“I think that we have done ourselves – and I’m including anyone who’d be reading this in ‘we’ – have done ourselves a shortsighted disservice by limiting the number of trust indicators available. Never mind agreeing on the meaning of them, much less the representation of them. The padlock falls into that category,” says Barto. “The problem isn’t the padlock.  The problem is that we don’t have enough trust indicators, which would provide actual choice.

“And being critical here, we are missing the point and missing the boat.  This isn’t the death of the padlock;  it’s our chance to go and redefine stuff. The padlock is something that I think can be saved. But the method for doing so – that’s where that broader ‘we’ says ’not my job.’ But it is. We’re limiting ourselves to just five trust indicators [the padlock, the EV green bar, the s in https, trust seals, and the new Secure rating] and we’re saying ‘well this one just isn’t working the way it used to, so let’s kill it off’. And if you kill one of them off, you’re going to learn real fast whether that was a wise thing or not and how much people really counted on it. And I have a feeling that’s going to be what we discover – and it might be too late to open that slammed door.”

But, playing devil’s advocate, the green padlock may no longer be necessary, it represents a concept that should now be the default. Previously, to help incentivize more websites moving to HTTPS, you saw things like SEO ranking boosts and positive visual indicators. A poor job was done explaining those indicators, but the purpose behind them was clear.

Now that HTTPS is basically mandatory, the pendulum has swung in the other direction and the indicators are negative. Your website doesn’t earn points for doing what’s expected, it loses them for not doing it.

That was also the logic behind Google’s ill-advised Secure/Not Secure indicators, which created a binary that was especially confusing given internet users’ conflation of “safe” with “secure.”Web browsers' UI for HTTPS

But, in that debacle, Jeff sees a ray of hope.

“They’re clearly willing to change their mind,” says Jeff. “They changed course before.  Like when they changed course on how you can view a certificate in the details. And on not displaying the ‘www.’ in the URL. They’re doing what works best for them, but they’re also being practical about it and listening to user demands.”

So, how do we save the green padlock?HTTPS Phishing: 49% of Phishing Websites now sport the green padlock

From Jeff’s perspective, there are a few things that need to occur to both save the green padlock, and to improve trust indicators in general. Eventually an industry-wide coalition is going to need to be built – one where stakeholders can reach a reasonable consensus – before that can happen though, it’s critical to get Google to the table.

Google has a massive market share. Its Chrome browser, its Android OS, its search engine and its ad business are all tops in their respective markets. Unfortunately, on the internet, nothing happens without Google.

But are we framing this debate the right way?

“I think that there is a tendency – [this is a] Jeff Barto opinion entirely – this a case where in this industry, we take browser actions like this personally. We’re taking it personally what Google is doing. Look, Google’s number one priority is to sell ads. Everything they do leads towards that – not towards blowing up our marketplace – at all. I don’t think their point is simply to get rid of the padlock or whatever.  They’re doing the kinds of things which make their ad-selling vehicles the most fruitful as possible,” says Barto. “Clearly, if they’re willing to change their mind on positions that they’re being very up front about, something speaks to them.”

The issue will be figuring out what the value proposition that speaks to Google is actually going to be.

Jeff Barto
Jeff Barto, DigiCert

“I think Google’s willing to listen,” says Jeff. “I don’t know if it’s that they want all the good ideas to come from themselves or not, but I think there’s an opportunity being missed here.”

But getting Google to have the conversation doesn’t fix the green padlock;  it just gets a foot in the door. Moving forward, there needs to be collaboration amongst the various parts of the industry: CAs, browsers and – most importantly – consumers.

“I’m a pragmatist and I’m a capitalist, so no matter what, the consumer pays the bills. Unless we as a group are addressing the consumers we’re only talking amongst ourselves,” says Barto.

“And my personal bet is we’re going to fall into the same trap of arguing and trying to accommodate or appease one another, and blinding ourselves to what makes a difference out there.  It’s a very threat filled internet out there.  It’s threatening to businesses who need to make a profit, and its especially threatening to consumers who just want to have an inherently trusted experience.  The more we worry about serving our own motivations, the less we succeed at pleasing those who actually bring us the money.”

But hey, once we get the right parties to have the conversation, and figure out what conversation we should be having – this partnership should be simple, right?

“Hypothetically if there is a partnership to drive the meaning of ‘safe’ and ‘secure’ with the padlock, maybe we can move on to EV and seals, and this opens the door to moving onward on with trust indicators that haven’t even been invented yet. But with The SSL Store’s prominence, DigiCert’s prominence in the CA space, plus like-minded competitors, and a major browser or two – Microsoft seems to look this way all the time and maybe Apple, too – together we can be the arbiters of what ‘safe’ and ‘secure’ and ‘trusted’ actually mean. And that goes waaaaaaaaay beyond ‘does it do encryption or not?’  I think we’re missing out on so much and part of it is working together to define a standard outside of the normal realm of the CAB Forum – where the mode of operation seems broken because competitors don’t put their own needs as secondary, and CAs and browsers grit their teeth trying to figure out who’s going to get more power or priority.

“This is our opportunity to put the customer first, and make a difference – and a lot of money doing so.”

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.