by csjr 3054 days ago
If I understand correctly, Chrome shows that "Secure" label on sites using HTTPS.

What bothers me is that non technical users will start to trust the same "Secure" label.

On phishing, what stops someone from registering a shady domain and securing it w/ Let's Encrypt?

2 comments

Eventually they’ll remove or downplay the secure label if the site doesn’t support modern TLS standards.

There’s no reason for users to trust a site when they see a secure icon. When the web goes secure by default, we’ll start to see this icon gradually disappear, reducing its importance. Secure TLS will need to be the default, and the browser should recognize that the transmission is secure, but the site and its contents shouldn’t necessarily be trusted. Until and unless other trust standards are developed and promoted this way — like secure DNS — I see no reason why web browsers should highlight secure web pages. If anything they should indicate if people are about to use a new site, vs. loading a commonly visited site, to warn you about phishing attempts. They could also protect your privacy for you. But I think site identity validation and secure data transport should be independent concepts in browser UI.

Chrome should have 3 levels of security.

* HTTP (Red Box and Complaining)

* HTTPS w/ Let's Encrypt (No complaints, but no true secure lock.)

* HTTPS w/ a paid certificate (True magical green box)

In fact I think this should apply to all browsers. This might not deal with all of the issues, but it would be a good start. Feel free to point out where I'm wrong.

What makes Let's Encrypt less secure than a paid certificate? Or do you mean EV certs for the "magical green box"?
Even EV certs don't really matter. Case in point: https://stripe.ian.sh/

Let's Encrypt isn't the problem here. Expecting all CAs to properly verify what is and isn't a phishing website is unreasonable IMO. It just won't happen. Smaller CAs have hundreds of thousands of certs... it's just not possible.

The real issue is that a cert only says "Your communication with this site is encrypted, and you're speaking to the owner of this certificate" (assuming it hasn't been compromised). Certs don't make any guarantee that the person you are talking to is a good guy, nor that they aren't trying to trick you into giving your password to them.

Will the extra magic of the green box make users more secure? Does paying for a certificate make the certificate more trustworthy?

These are actually serious questions that I think the CA/Browser Forum is discussing (particularly in terms of the issuing requirements and UI representation for EV certificates), but I think it often boils down to the "feeling" of security, relying on the supposition that criminals would be less successful if their site didn't have the magical green box, or that they would be easier to catch by tracing the credit card payment they used to buy their certificate.
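The point made in the thread above, that a certificate only attests "you are talking to whoever controls this name" and says nothing about whether that party is trustworthy, can be shown with a small Go program. This is an added example, not code from the thread or from any CA; it builds a throwaway root CA and a domain-validated-style leaf for a constructed name (`shady.example`), runs the same chain-and-hostname check a TLS client performs, and then reads back what the certificate actually carries. The EV policy OID `2.23.140.1.1` is the real CA/Browser Forum value; the CA, key, names and helper functions are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// evPolicyOID is the CA/Browser Forum Extended Validation policy identifier.
var evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1}

// ToyPKI holds a constructed root CA and one leaf it issued (illustration only).
type ToyPKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// BuildToyPKI creates a throwaway root and issues a domain-validated-style leaf
// for dnsName: no organisation, no policy OIDs, just "this key holds this name".
func BuildToyPKI(dnsName string) (*ToyPKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Toy Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName}, // a DV cert names no legal entity
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &ToyPKI{Root: root, Leaf: leaf}, nil
}

// VerifyForHost performs the chain and hostname validation a TLS client does.
// Success answers only one question: does a trusted CA vouch that this key
// holder controls hostname? It says nothing about the holder's intentions.
func (p *ToyPKI) VerifyForHost(hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		DNSName:   hostname,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsExtendedValidation reports whether the certificate asserts the EV policy OID,
// which is what the "green box" UI keyed on; a DV cert never carries it.
func IsExtendedValidation(c *x509.Certificate) bool {
	for _, oid := range c.PolicyIdentifiers {
		if oid.Equal(evPolicyOID) {
			return true
		}
	}
	return false
}

// HasOrganisation reports whether the subject names a legal entity at all.
func HasOrganisation(c *x509.Certificate) bool {
	return len(c.Subject.Organization) > 0
}

func main() {
	p, err := BuildToyPKI("shady.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("chain + hostname valid:", p.VerifyForHost("shady.example") == nil)
	fmt.Println("valid for bank.example:", p.VerifyForHost("bank.example") == nil)
	fmt.Println("EV policy asserted:     ", IsExtendedValidation(p.Leaf))
	fmt.Println("organisation named:     ", HasOrganisation(p.Leaf))
}
```

Validation passes for the name the cert was issued for and fails for any other name, which is exactly the "you're speaking to the owner of this certificate" guarantee; the two inspection helpers show that nothing in a DV cert identifies who that owner is, so a browser UI that turns this result into a trust signal is claiming more than the certificate contains.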