by prognu 954 days ago
The logical solution for browser vendors is to also roll back the URL bar by 10 years, where we had different indicators for extended validation, normal certificates and plaintext. I guess a blue EU-logo whenever Article-45 compliant CAs are used would make sense. Then we just have to teach people: blue is for "government snoop mode".
2 comments

eIDAS in fact forces browser vendors to do that, but there are two problems with what you're suggesting:

1. Good luck teaching 99% of people to be wary when they see the blue address bar. People generally do not understand address bars, which is a large part of why browsers removed the EV indicator.

2. There is a strong possibility that a future version of eIDAS will force businesses in the EU to get certificates from an eIDAS CA. At that point, people in the EU will be seeing the blue address bar constantly, and most of the time the certificate will in fact be legit.

Teaching users is of course the tricky part, and I'm not trying to excuse the insane draft regulation here. That said, eIDAS doesn't force browser vendors to visually distinguish Article 45-forced CA certificates from traditional CAB CA certificates, and I doubt they considered the possibility. So re-adding the distinction is a valid band-aid. Your second point can be addressed relatively easily by businesses getting multiple certificates. Then, the browser can show 'trusted' only if one of the certificates is not from an Article 45-forced CA.
I thought the blue address bar would have a person's name and country in it. That person has a good lawsuit case against the government if it's faked. Or, are we worried the DE government will make up a fake Larry Ellison and MITM oracle.com with it? Larry Ellison would easily win that lawsuit.
I thought that was the whole intention of eIDAS. Everyone gets a government approved certificate they can use to sign their websites if they want to, and then the URL bar shows their identity. They don't have to sign websites with their identity, but they have the option to.