
SSL 'site seals' are even worse than you thought - nailer
https://certsimple.com/blog/site-seal-ssl
======
joshmoz
Head of Let's Encrypt here.

We considered introducing a site seal because it's a common request but we've
decided not to do it (at least for now) for reasons similar to many in this
post.

It's hard to design a seal that accurately conveys the value added to a site's
security by a CA, and the potential for abuse is high. A CA seal either means
nothing or implies too much because having a cert from a trusted provider is
just one part of what it means to be a secure website.

~~~
theandrewbailey
Don't do it!

I want Let's Encrypt to do what it is supposed to: free automated
certificates. Let third party tools (like Qualys SSL Labs) rate how good it
is.

------
vtlynch
The article mentions this, but it's really unbelievable that until recently, at
least one major CA was using Flash for their site seal. Incredible how they
can justify the security risk and the bloat of Flash in 2015 just so that
their logo can animate.

------
raimue
Recently I found out that Comodo TrustLogo always displays the site report for
www.* even when used on a different subdomain secured by another CA. It is
quite useless to include such a site seal even if users wanted to verify it.

[https://twitter.com/raimue/status/692018439502848000](https://twitter.com/raimue/status/692018439502848000)

------
ogsharkman
Good article, but the font for some reason is killing me and I can't figure
out why.. It's almost like parts of letters are missing.

~~~
nailer
What OS & browser? I can check it out. We use the same font as Medium used to
(for readability reasons), but they're changing to system fonts (which are
probably better) and I want to cut down on the page size anyway.

~~~
ogsharkman
Windows 8.1/Chrome 48.0.2564.97

~~~
nailer
Thanks! I've moved to a font which looks better on the Windows font renderer.
It's fixed now.

------
feld
But I like collecting site seals

[https://feld.me/index.html](https://feld.me/index.html)

------
nailer
Author here. So yeah: site seals link to useful info, but their UI doesn't
encourage users to click on it: instead it expects users to use the presence
of an image in the browser's content area as a source of trust.

Most of HN already knows that, so more importantly:

- The reason the site seal uses JS (rather than a simple link) is that the
link is actually to the CA's sales page, not the site report - there's no
'nofollow' so it's a massive search engine rank boost to the CA.

- There's a bunch of studies from non-security industry sources about how
'site seals' actually impact conversions. Some are positive, some are
negative, but the biggest takeaway is that 'site seals' increasing
conversions is by no means a foregone conclusion:

[http://info.usertesting.com/OnDemandWebinarOptimizeYourWebFo...](http://info.usertesting.com/OnDemandWebinarOptimizeYourWebFormsforMaximumConversionJan2015_ViewVideo.html)

[http://www.widerfunnel.com/conversion-rate-optimization/do-m...](http://www.widerfunnel.com/conversion-rate-optimization/do-mcafee-or-hackersafe-security-badges-increase-e-commerce-conversion-rate)

[http://www.getelastic.com/best-practice-gone-bad-4-shocking-...](http://www.getelastic.com/best-practice-gone-bad-4-shocking-ab-tests/)

[https://vwo.com/blog/website-credibility-and-conversion-kill...](https://vwo.com/blog/website-credibility-and-conversion-killers/#)

[http://www.quicksprout.com/2013/10/31/the-7-things-every-gre...](http://www.quicksprout.com/2013/10/31/the-7-things-every-great-checkout-page-needs/)

[http://blog.optimizely.com/2013/12/08/ab-test-assumption-sec...](http://blog.optimizely.com/2013/12/08/ab-test-assumption-security-badges-increase-conversions/)

[https://econsultancy.com/blog/5499-why-good-checkout-design-...](https://econsultancy.com/blog/5499-why-good-checkout-design-is-more-important-than-trustmarks)

[https://econsultancy.com/blog/7941-which-e-commerce-trustmar...](https://econsultancy.com/blog/7941-which-e-commerce-trustmarks-are-most-effective/)

[http://baymard.com/blog/site-seal-trust](http://baymard.com/blog/site-seal-trust)

~~~
aardshark
You have a typo on [https://certsimple.com/why-ev-ssl](https://certsimple.com/why-ev-ssl)

"Cost money, because they require the certificate authority to check who your
are."

~~~
nailer
Thanks Aardshark! Fixed.

