What is the difference between green and yellow address bars in browser for certificate's fields?

What is the difference between green and yellow address bars in browser for certificate's fields?

Vladimir Belov
Hello.

Many public CAs offer Extended Validation for web server certificates. These certificates cost much more,
but in the browser all we can see is a green address bar instead of a yellow or blank one.
I wondered what the difference between the green and yellow address bars is in terms of the certificate's fields. Maybe there
are some special extensions that the CA can add while signing the certificate request. I had a talk with a
technical support specialist at Thawte, and he said that "There is no difference in what an Extended Validation
certificate technically from all of our other certificates. It is the cosmetics that they do on a browser. For an
example, the SSL Web Server certificate would have the same properties, extensions, etc, that our Extended Validation
certificates have. The only difference is that the EV certificates display the web browsers URL address bar green when a
successful secured connection has been made". He also refused to answer how the browser determines which bar to display -
green or yellow.

So, I think maybe there is an arrangement between the CA companies (Verisign, Thawte and others) and the browser
companies (Microsoft, Opera, Mozilla) that a special root certificate is used for Extended Validation. Therefore, any web
server certificate which is signed at the top by this special root cert is treated as a cert with Extended Validation
and a green bar is displayed.

Who has another point of view?


Regards,

Vladimir.


[sorry, my english isn't good :)]
This is my talk with Thawte technical support:

You have been connected to Macario.
Macario: Good day, how may I help you today?
Vladimir Belov: Hello
Vladimir Belov: What is the difference between green and yellow address bars in browser. What fields in certificate
determine what bar will be - green or yellow?
Macario: Green address bar is when an Extended Validation certificate is installed as that is the highest level
security certificate we offer.
Vladimir Belov: What is the "Extended Validation"? What fields of certificate it sets?
Macario: It is an extended process that we go through to validate the certificate information before it is approved.
Macario: One of the main features of this certificate is having the address bar green.
Macario: If you see a yellow address bar, it is most likely due to having an old version of your browser installed.
Vladimir Belov: I need technical info, more in detail please
Vladimir Belov: What fields of certificate it sets?
Vladimir Belov: Can you switch me to a technical specialist? For example, Duke.
Macario: Sure, let me get you over to our technical support group for further assistance.
Macario has left the session.
Please wait while we find an agent from the TechSupport Thawte department to assist you.
You have been connected to Clifford.
Clifford: Please hold as I review your information, thank you.
Vladimir Belov: Ok. I am waiting.
Clifford: You have reached Technical Support. What specific technical information are you looking for please?
Vladimir Belov: What is the " Extended Validation"? What fields of certificate it sets?
Clifford: Please be more technically specific as to what you mean "fields of certificate" it sets
Clifford: What fields are you referring to?
Vladimir Belov: What fields of x509 certificate it sets?
Clifford: Unfortunately that does not make sense. X.509 is a base64 format of any digital certificate, not just SSL.
Clifford: What fields are you looking for?
Clifford: There is no specific term called "fields" on a certificate. Please describe technically what you are looking
for
Vladimir Belov: What will be the difference in fields of x509-certificate "SSL Web Server Certificates with EV" and for
example "SSL123 Certificates"? "Fields" such as special extensions. Basic fields of x509-certificate are Subject,
Issuer, NotBefore, NotAfter and so on
Vladimir Belov: Other fields are exyensions such as basicConstraints, keyUsage
Vladimir Belov: Other fields are extensions such as "basicConstraints", "keyUsage"
Clifford: There is no difference in what an Extended Validation certificate technically from all of our other
certificates. It is the cosmetics that they do on a browser. For an example, the SSL Web Server certificate would have
the same properties, extensions, etc, that our Extended Validation certificates have. The only difference is that the EV
certificates display the web browsers URL address bar green when a successful secured connection has been made.
Vladimir Belov: How browser determines what bar green or yellow to display?
Vladimir Belov: If you say that "the SSL Web Server certificate would have the same properties, extensions, etc, that
our Extended Validation certificates "
Clifford: Unfortunately that is information that we cannot disclose.
Vladimir Belov: Why? :)
Vladimir Belov: Is this so secret?
Clifford: That is correct.
Clifford: Are there any other questions I can answer for you at this time?
Vladimir Belov: How browser determines what bar green or yellow to display? :)
Clifford: Do you have any other questions at this time as we cannot disclose this information.
Vladimir Belov: Ok. No.
Clifford: If there is nothing further, thank you for choosing Thawte and have a great day.
Thank you for using thawte Live Chat. You may now close this window.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: What is the difference between green and yellow address bars in browser for certificate's fields?

Patrick Patterson-5
Hello Vladimir,

The difference is the policy against which the Certificate has been issued - EVSSL Certs are issued according to a standard Certificate Policy outlined by the CA/Browser forum, by Certificate Authorities which have been certified by each of the major browser authors / vendors.

My understanding is that there are two factors that are taken into consideration when signaling to the user that a site is using an EVSSL - the values (probably AKI and Issuer DN) for EVSSL CA Certificates are baked into the browsers, and I believe that some of the CAs also use Certificate Policy values, which are compared against a whitelist that is also baked into the browsers. The EVSSL Certificate policy also mandates that certain fields be present in the Subject DN of the certs. Because of this, I think that your contact at Thawte was slightly mistaken - I believe that the Subject DN fields and inclusion of the certificatePolicy values are NOT standard for a number of the "plain" Server SSL Certs, so these would be extras that are included in EVSSL Certs.

From my understanding, there isn't a specific "arrangement" as you put it - any CA can get accredited for EVSSL, as long as a) they issue certificates to the general public and b) they complete an annual audit by a recognised audit firm that attests that the CA follows the EVSSL Certificate policy. Once a CA has that, they can simply apply to each of the browser vendors, provide them with the results of the audit, probably sign a few legal agreements, and the browser vendor will add them to the approved list.

So there isn't a "special Root", or anything other than that.

As an aside - this isn't an OpenSSL question, unless you are looking for advice on how to code an application to recognise EVSSL Certs. More general questions like this probably belong at the SSL Observatory, or some similar mailing list.

Have fun.

Patrick.


On 2012-06-13, at 12:57 PM, Vladimir Belov wrote:

> Hello.
>
> Many public CAs offer Extended Validation for web server certificates. These certificates cost much more, but in the browser all we can see is a green address bar instead of a yellow or blank one.
> I wondered what the difference between the green and yellow address bars is in terms of the certificate's fields. Maybe there are some special extensions that the CA can add while signing the certificate request. I had a talk with a technical support specialist at Thawte, and he said that "There is no difference in what an Extended Validation certificate technically from all of our other certificates. It is the cosmetics that they do on a browser. For an example, the SSL Web Server certificate would have the same properties, extensions, etc, that our Extended Validation certificates have. The only difference is that the EV certificates display the web browsers URL address bar green when a successful secured connection has been made". He also refused to answer how the browser determines which bar to display - green or yellow.
>
> So, I think maybe there is an arrangement between the CA companies (Verisign, Thawte and others) and the browser companies (Microsoft, Opera, Mozilla) that a special root certificate is used for Extended Validation. Therefore, any web server certificate which is signed at the top by this special root cert is treated as a cert with Extended Validation and a green bar is displayed.
>
> Who has another point of view?
>
>
> Regards,
>
> Vladimir.
>
>
> [sorry, my english isn't good :)]
> This is my talk with Thawte technical support:
>
> You have been connected to Macario .
> Macario : Good day, how may I help you today?
> Vladimir Belov: Hello
> Vladimir Belov: What is the difference between green and yellow address bars in browser. What fields in certificate determine what bar will be - green or yellow?
> Macario : Green address bar is when an Extended Validation certificate is installed as that is the highest level security certificate we offer.
> Vladimir Belov: What is the " Extended Validation"? What fields of certificate it sets?
> Macario : It is an extended process that we go through to validate the certificate information before it is approved.
> Macario : One of the main features of this certificate is having the address bar green.
> Macario : If you see a yellow address bar, it is most likely due to having an old version of your browser installed.
> Vladimir Belov: I need technical info, more in detail please
> Vladimir Belov: What fields of certificate it sets?
> Vladimir Belov: Can you switch me to a technical specialist? For example, Duke.
> Macario : Sure, let me get you over to our technical support group for further assistance.
> Macario has left the session.
> Please wait while we find an agent from the transfer TechSupport Thawte department to assist you.
> You have been connected to Clifford.
> Clifford: Please hold as I review your information, thank you.
> Vladimir Belov: Ok. I am waiting.
> Clifford: You have reached Technical Support. What specific technical information are you looking for please?
> Vladimir Belov: What is the " Extended Validation"? What fields of certificate it sets?
> Clifford: Please be more technically specific as to what you mean "fields of certificate" it sets
> Clifford: What fields are you referring to?
> Vladimir Belov: What fields of x509 certificate it sets?
> Clifford: Unfortunately that does not make sense. X.509 is a base64 format of any digital certificate, not just SSL.
> Clifford: What fields are you looking for?
> Clifford: There is no specific term called "fields" on a certificate. Please describe technically what you are looking for
> Vladimir Belov: What will be the difference in fields of x509-certificate "SSL Web Server Certificates with EV" and for example "SSL123 Certificates"? "Fields" such as special extensions. Basic fields of x509-certificate are Subject, Issuer, NotBefore, NotAfter and so on
> Vladimir Belov: Other fields are exyensions such as basicConstraints, keyUsage
> Vladimir Belov: Other fields are extensions such as "basicConstraints", "keyUsage"
> Clifford: There is no difference in what an Extended Validation certificate technically from all of our other certificates. It is the cosmetics that they do on a browser. For an example, the SSL Web Server certificate would have the same properties, extensions, etc, that our Extended Validation certificates have. The only difference is that the EV certificates display the web browsers URL address bar green when a successful secured connection has been made.
> Vladimir Belov: How browser determines what bar green or yellow to display?
> Vladimir Belov: If you say that "the SSL Web Server certificate would have the same properties, extensions, etc, that our Extended Validation certificates "
> Clifford: Unfortunately that is information that we cannot disclose.
> Vladimir Belov: Why? :)
> Vladimir Belov: Is this so secret?
> Clifford: That is correct.
> Clifford: Are there any other questions I can answer for you at this time?
> Vladimir Belov: How browser determines what bar green or yellow to display? :)
> Clifford: Do you have any other questions at this time as we cannot disclose this information.
> Vladimir Belov: Ok. No.
> Clifford: If there is nothing further, thank you for choosing Thawte and have a great day.
> Thank you for using thawte Live Chat. You may now close this window.

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca





Re: What is the difference between green and yellow address bars in browser for certificate's fields?

Jeffrey Walton-3
On Wed, Jun 13, 2012 at 12:57 PM, Vladimir Belov
<[hidden email]> wrote:
> Hello.
>
> Many public CAs suggest Extended Validation for certificates of web servers.
> These certificates cost much more expensive but in browser we can only see
> green address bar instead of yellow or blank.
Race to the bottom FTW!

I wonder how they are going to ruin this, next....

Jeff

RE: What is the difference between green and yellow address bars in browser for certificate's fields?

Steffen DETTMER
Hi all!

> Many public CAs suggest Extended Validation for certificates
> of web servers. [...] I had a talk with a specialist
> of technical support of Thawte [...] He also refused
> to answer how browser determines what bar to display -
> green or yellow?

See thawte Certification Practice Statement, Version 3.3[1], at
page 96 in the PDF (section D. EV CERTIFICATE CONTENT AND PROFILE)

    7. EV Certificate Policy Identification Requirements

    (a) EV Subscriber Certificates

    Each EV Certificate issued by thawte to a Subscriber will
    include thawte's EV OID in the certificate's certificatePolicies
    extension. thawtes EV OID used for this purpose is
    2.16.840.1.113733.1.7.48.1

Wikipedia has a list with links to other CA EV OIDs in the page
Extended_Validation_Certificate[2].

It would be interesting to have some non-Thawte certificate with
2.16.840.1.113733.1.7.48.1 - I think that, depending on the check
implementation, it could happen to appear green...



> Vladimir Belov: If you say that "the SSL Web Server
> certificate would have the same properties, extensions, etc, that
> our Extended Validation certificates "
> Clifford: Unfortunately that is information that we cannot disclose.
> Vladimir Belov: Why? :)
> Vladimir Belov: Is this so secret?
> Clifford: That is correct.

I consider this unacceptable. This is not just "security through
obscurity" [3], because the "Certification Practice Statement" in my
opinion MUST NOT be secret. Interestingly, I had to use the Thawte
web search function to locate the document; I think it should
be easier to find. Trust is all about believing that the CPS is strictly
followed -- and that it is sufficient for the customers' needs.
So they must be available, I think.
I'm afraid this shows how uninterested users are in trust...



Regards,
Steffen

[1] https://www.thawte.com/assets/documents/repository/cps/Thawte_CPS_3_3.pdf
[2] http://en.wikipedia.org/wiki/Extended_Validation_Certificate
[3] http://en.wikipedia.org/wiki/Security_through_obscurity
 
--
End of message.
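The mechanism Patrick and Steffen describe, as an added example that is not code from this thread, from Thawte or from OpenSSL: a browser-style EV check that walks the certificatePolicies extension, decodes each policy OID, and accepts the certificate as EV only when that OID is on the whitelist entry for the root the chain actually ends in. The only real value used is the thawte EV OID 2.16.840.1.113733.1.7.48.1 quoted from the CPS above; the DER blobs, the second OID and the root "fingerprints" are constructed placeholders for this example. The third case in the demo is Steffen's scenario: a certificate carrying thawte's EV OID but chaining to a different root does not turn green, because the lookup is keyed on the root first and the OID second.

```python
"""Toy model of the browser-side EV decision (added example, not from the thread).

Two inputs decide the result: which trusted root the chain ends in (the
browser ships a per-root EV whitelist) and which policy OIDs the end-entity
certificate carries in its certificatePolicies extension (2.5.29.32).
"""
import hashlib

# OID quoted from thawte CPS 3.3 in the thread. The other OID and both root
# fingerprints are constructed placeholders, not values of any real CA.
THAWTE_EV_OID = "2.16.840.1.113733.1.7.48.1"
OTHER_CA_OID = "1.3.6.1.4.1.99999.1"
THAWTE_ROOT_FP = hashlib.sha256(b"constructed thawte root").hexdigest()
OTHER_ROOT_FP = hashlib.sha256(b"constructed other root").hexdigest()

# Browser-style whitelist: root fingerprint -> EV policy OIDs accepted for that root.
EV_ROOTS = {THAWTE_ROOT_FP: {THAWTE_EV_OID}}


def der_read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, content, next_pos). Definite lengths only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give byte count
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def der_decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:                  # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_encode_oid(dotted):
    """Encode a dotted OID as a full TLV (tag 0x06); used to build sample data."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def der_seq(*tlvs):
    """Wrap TLVs in a SEQUENCE (short-form length is enough for the samples)."""
    body = b"".join(tlvs)
    assert len(body) < 128
    return bytes([0x30, len(body)]) + body


def sample_extension(*oids):
    """Constructed certificatePolicies value: one PolicyInformation per OID,
    no qualifiers. Sample data for this example only."""
    return der_seq(*(der_seq(der_encode_oid(o)) for o in oids))


def policy_oids(ext_value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation; return each
    policyIdentifier (the first element of every PolicyInformation)."""
    tag, seq, _ = der_read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = der_read_tlv(seq, pos)
        if tag != 0x30:
            continue
        itag, oid_bytes, _ = der_read_tlv(info, 0)
        if itag == 0x06:
            oids.append(der_decode_oid(oid_bytes))
    return oids


def is_ev(root_fingerprint, ext_value):
    """EV only if the chain's root is whitelisted AND the cert carries one of
    the EV OIDs registered for that root. An OID alone never suffices."""
    allowed = EV_ROOTS.get(root_fingerprint, set())
    return any(oid in allowed for oid in policy_oids(ext_value))


if __name__ == "__main__":
    ev_ext = sample_extension(THAWTE_EV_OID, OTHER_CA_OID)
    print("policy OIDs:", policy_oids(ev_ext))
    print("thawte root + thawte EV OID  ->", is_ev(THAWTE_ROOT_FP, ev_ext))
    print("thawte root + other OID only ->", is_ev(THAWTE_ROOT_FP, sample_extension(OTHER_CA_OID)))
    print("other root  + thawte EV OID  ->", is_ev(OTHER_ROOT_FP, ev_ext))
```

A check that matched on the OID alone, as Steffen suspects some implementations might, would return True for the last case; keying the whitelist on the root is what makes copying another CA's EV OID into a certificate harmless.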

Re: What is the difference between green and yellow address bars in browser for certificate's fields?

Jakob Bohm-7
On 6/14/2012 8:02 AM, Steffen DETTMER wrote:

> Hi all!
>
>> Many public CAs suggest Extended Validation for certificates
>> of web servers. [...] I had a talk with a specialist
>> of technical support of Thawte [...] He also refused
>> to answer how browser determines what bar to display -
>> green or yellow?
> See thawte Certification Practice Statement, Version 3.3[1], at
> page 96 in the PDF (section D. EV CERTIFICATE CONTENT AND PROFILE)
>
>      7. EV Certificate Policy Identification Requirements
>
>      (a) EV Subscriber Certificates
>
>      Each EV Certificate issued by thawte to a Subscriber will
>      include thawte's EV OID in the certificate's certificatePolicies
>      extension. thawtes EV OID used for this purpose is
>      2.16.840.1.113733.1.7.48.1
>
> Wikipedia has a list with links to other CA EV OIDs in the page
> Extended_Validation_Certificate[2].
>
> It would be interesting to have some non-Thawte certificate with
> 2.16.840.1.113733.1.7.48.1 - I think that, depending on the check
> implementation, it could happen to appear green...
>
>
>
>> Vladimir Belov: If you say that "the SSL Web Server
>> certificate would have the same properties, extensions, etc, that
>> our Extended Validation certificates "
>> Clifford: Unfortunately that is information that we cannot disclose.
>> Vladimir Belov: Why? :)
>> Vladimir Belov: Is this so secret?
>> Clifford: That is correct.
> I consider this unacceptable. This is not just "Security through
> obscurity" [3], because the "Certification Practice Statement" in my
> opinion MUST NOT be secret. Interestingly, I had to use the Thawte
> web search function to locate the document, I think it better should
> be easier to find. Trust is all about believing that the CPS is strictly
> followed -- and that it is sufficient for the customers' needs.
> So they must be available, I think.
> I'm afraid this shows how uninterested users are in trust...
>
Or it shows how badly screwed up a company can become when bought up
by a consumer product giant like Symantec.

Over the past 2 to 3 years, Symantec has bought up a large part of the
CA industry, starting with the ones formerly owned by Verisign, but
recently adding more to its dominant position.

The "rebranding" of the old websites and the corresponding organization
changes have led to lots of confusion, broken links, misrouted support
calls, lost information etc.

--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded