A couple of weeks ago I posted Broken Browsers Part One, which I can only pray gave you ample preparation for today’s post, Broken Browsers Part Two!
The truth is, not that much is broken in browsers these days. They’ve been around 15 some years now, so it’s not the biggest surprise all the major flaws to be resolved by now.
In fact, I’d say the reason these two broken behaviors of modern web browsers still exist is because most still (and as I’ll try to convince you, erroneously) consider them features!
The browser should just listen to the caching info sent by the server!
Agreed… WHEN REQUESTING CONTENT FROM THE SERVER!
The fact is, pressing back or forward shouldn’t even request content from the server at all!
As one commenter brought up last week, whatever happened to “offline mode” in web browsers? Because that’s what back/forward should still be… instant “offline mode”!
Anyway, on to the second (and final) part of this browser brokenness brouhaha.
SSL Secure Certificates!
Way back in the day, a secure certificate for your website meant two things:
- Your data was encrypted between the browser and the server.
- The domain you were connecting to was owned by some kind of “legitimate” entity.And way back in the day, in order for a trusted authority (trusted by the web browser developers) to sell you any secure certificate, they first actually did a little background checking (you had to fax them – in South Africa – some sort of proof of your organizational status b.s.).
Nowadays, buying a secure certificate is an entirely automated process: one that only requires you to have access to an email address @ the domain you’re buying the certificate for. All a secure certificate is telling you nowadays is that:
- Your data was encrypted between the browser and the server.
- The owner of the domain you are connecting to dished out $100 to some authority “trusted” by the browser!
I’d like to now take a moment to step back and think about what benefits secure certificates provide to the end user.
They encrypt your data. Okay, although I’m not sure there’s ever been a reported case of a third party sniffing sensitive information on the Internet as it passed through their routers, I can at least see the theoretical benefit this provides.
They verify that the owner of the domain you see in your web browser has paid some money to some company that has paid some money to the creator of your web browser. I don’t see any benefit to this. In fact, I see several drawbacks to this.
For one, users don’t necessarily realize that the only thing that little lock icon is telling them is, that yes, just like their location bar says, they really are connecting to banchofamerica.com!
Phishing has hopefully taught us that the average end-user doesn’t really understand the way URLs are formed, and the fact that they REALLY ARE connecting to brankofamerica.com or www.bo/fa.com/signin.cfm means exactly bum diddly nacho to whether or not the information they are about to type into this web site is securely going where they think it is.
In fact, having that little “secure lock” icon, or any of those other “mcafee site advisor”/”verisign secured seal” logos as a proxy for actually critically examining the site you’re sending info to is a lazy cop-out that doesn’t work.
Secondly, by putting up this artificial barrier to encrypting website traffic, you’re discouraging people from using encryption. I mean, anybody can easily make a self-signed secure certificate for free (from our panel) and get 100% of the encryption benefits of these expensive certs.. but they don’t because browsers bring up a TERRIFYING WARNING that … oh horror of horrors … this certificate was not created by a trusted authority!
Of course, there are other reasons that people don’t use encryption (slightly slower, caching issues!) on websites, but as things are now, if you do want to do it, you’d better be ready to put up with a little extortion!
What should web browsers do?
They should give up on “trusted” certificate authorities. Only tell us that a site is encrypted or not, and then do some anti-phishing checks to see if hey, the site you’re visiting looks like it’s Bank of America, but it’s URL is Bunk of America! (.vn!)
(There are already plenty of anti-phishing technologies being built-in to browsers these days. I’m not sure if they do this or not, but what if a person has saved any login info with the browser, you warn them (heavily) when they try and submit that same login info to a different site! Because everybody uses the same throw-away login info for a ton of unimportant sites, only do this check on a list of heavily phished sites, e.g. ebay/paypal/banks/gmail/etc..)
Other than the phishing issue, what exactly is the point of verifying that the web site you’re visiting is “who they say they are”?
They may be a totally “legit” business who just doesn’t do the best job of storing their customer’s private data. They may be a “legit” company that has poor customer service policies. They may be a “legit” company who practices the best security and customer service, but their web site just looks like it was thrown together by some Vietnamese teenagers.
What can we do about it?
Well, I was thinking about offering a bounty of $1000 for a plugin for Firefox/Chrome that would make it consider any certificate signer a “trusted” certificate signer, but I figured that’d probably rile up all kinds of people and security nerds.
So, rather than trying to bring down “trusted” secure certs… we’re going to bring “trusted” secure certs down… to all kinds of people!
By offering them for just $15/year… forever!
Which, I’m pretty sure, is the cheapest price offered anywhere… by far. This offer is (currently) only good for existing DreamHost customers.. you can add your certificate from our panel’s Manage Domain area.
These certificates are exactly the same as what we used to sell for $100/year! They’re not going to cause any pop-ups in any of your site visitor browsers, and they really do encrypt the data. You can use them with us or any other web host. The reason they’re so cheap is we’re now reselling a different “trusted” certificate signer and our volume is enough that we’ve got a much much better price… and we’re not making anything on them because we feel the whole business is a scam!