SSL 'site seals' are even worse than you thought (certsimple.com)
19 points by nailer on Jan 28, 2016 | hide | past | favorite | 12 comments

Head of Let's Encrypt here.

We considered introducing a site seal because it's a common request but we've decided not to do it (at least for now) for reasons similar to many in this post.

It's hard to design a seal that accurately conveys the value added to a site's security by a CA, and the potential for abuse is high. A CA seal either means nothing or implies too much because having a cert from a trusted provider is just one part of what it means to be a secure website.

Don't do it!

I want Let's Encrypt to do what it is supposed to: free automated certificates. Let third party tools (like Qualys SSL Labs) rate how good it is.

The article mentions this, but it's really unbelievable that until recently, at least one major CA was using Flash for their site seal. Incredible how they can justify the security risk and the bloat of Flash in 2015 just so that their logo can animate.

Recently I found out that Comodo TrustLogo always displays the site report for www.* even when used on a different subdomain secured by another CA. It is quite useless to include such a site seal even if users wanted to verify it.


Good article, but the font for some reason is killing me and I can't figure out why. It's almost like parts of letters are missing.

What OS & browser? I can check it out. We use the same font as Medium used to (for readability reasons), but they've changed to system fonts (which are probably better) and I want to cut down on the page size anyway.

Windows 8.1/Chrome 48.0.2564.97

Thanks! I've moved to a font which looks better on the Windows font renderer. It's fixed now.

But I like collecting site seals


Author here. So yeah: site seals link to useful info, but their UI doesn't encourage users to click on it: instead it expects users to use the presence of an image in the browser's content area as a source of trust.

Most of HN already knows that, so more importantly:

- The reason the site seal uses JS (rather than a simple link) is that the link is actually to the CA's sales page, not the site report - there's no 'nofollow' so it's a massive search engine rank boost to the CA.

- There's a bunch of studies from non-security industry sources about how 'site seals' actually impact conversions. Some are positive, some are negative, but the biggest takeaway is that 'site seals' increasing conversions is by no means a foregone conclusion:
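The author's comment above describes the mechanism behind a seal: an image wrapped in a link to a third party, navigation handled by JavaScript, and no rel="nofollow" on the link. An added example (not code from the article, nor from any CA's seal script) of how a site operator could audit their own pages for exactly that pattern. It uses only the Python standard library; the HTML, the host names (shop.example, ca.example, partner.example) and the onclick handler name are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site): one "site seal" image wrapped in a
# link to a third-party host with no rel="nofollow" and a JS click handler, one
# properly nofollow'd third-party badge, and one internal image link.
SAMPLE_HTML = """
<html><body>
<p>Welcome to our shop.</p>
<a href="https://ca.example/buy-ssl" onclick="openSealReport(); return false;">
  <img src="https://ca.example/seal.png" alt="Secured by Example CA">
</a>
<a href="https://partner.example/" rel="nofollow"><img src="/badge.png" alt="partner"></a>
<a href="/about"><img src="/logo.png" alt="us"></a>
</body></html>
"""


class SealLinkAuditor(HTMLParser):
    """Collects <a> elements that wrap an <img> and point to another host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self._open_link = None  # attributes of the <a> currently open, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases attribute names for us
        if tag == "a":
            attrs["_has_img"] = False
            self._open_link = attrs
        elif tag == "img" and self._open_link is not None:
            self._open_link["_has_img"] = True

    def handle_endtag(self, tag):
        if tag != "a" or self._open_link is None:
            return
        link, self._open_link = self._open_link, None
        href = link.get("href") or ""
        host = urlparse(href).netloc.lower()
        # Only image links that leave our own site are seal candidates.
        if not link["_has_img"] or not host or host == self.site_host:
            return
        rel_tokens = set((link.get("rel") or "").lower().split())
        self.findings.append({
            "href": href,
            "nofollow": "nofollow" in rel_tokens,
            # An inline handler means the seal navigates via script, so the
            # href (often a sales page) is what crawlers see, not what users get.
            "js_navigation": "onclick" in link,
        })


def audit_seal_links(html, site_host):
    """Return every off-site image link found in the page, with its properties."""
    parser = SealLinkAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def flag_seal_links(html, site_host):
    """Return only the links that pass search-engine rank to a third party
    (no nofollow) or that route users somewhere other than the href via JS."""
    return [f for f in audit_seal_links(html, site_host)
            if not f["nofollow"] or f["js_navigation"]]


if __name__ == "__main__":
    for finding in flag_seal_links(SAMPLE_HTML, "shop.example"):
        print(finding)
```

Run it against your own rendered HTML (after the seal script has executed, since many seals inject their markup with JavaScript) and treat anything it flags as a link you are handing to someone else's SEO rather than to your users.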
You have a typo on https://certsimple.com/why-ev-ssl

"Cost money, because they require the certificate authority to check who your are."

Thanks Aardshark! Fixed.
