0

I am shopping around for an SSL certificate and I took these screenshots from Chrome

screenshot showing good security

and

screenshot showing bad security

Is the second site certificate showing errors less secure than the other not showing errors?

Vilican
  • 2,703
  • 8
  • 21
  • 35
Gandalf
  • 107
  • 5

3 Answers

3

There are two different pieces of security information shown: about the certificate itself and about the encryption algorithm. The second part (i.e. "obsolete cipher suite...") is independent of the certificate and depends on the setup of the server.

But the first part is about the certificate itself. The main difference here is that the first site uses a certificate from a CA supporting certificate transparency while the second site does not. This means that the first CA is more transparent about the certificates it issued than the second and thus can be more trusted. Certificate transparency is (at least with Chrome) for now primarily required for extended validation (EV) certificates. But in the future Chrome will probably require it for other certificates too.

Another difference in the certificate part is "Unable to check whether the certificate has been revoked". Chrome only checks selected certificates for revocation, like the EV certificates and some others Google thinks are important. Obviously the certificate for the second site was not important enough to get checked against revocation and thus the certificate can be considered less secure, at least within the Chrome browser.

And finally the information for the first site shows more information about the site you visit, while for the second site you get no information except who signed the certificate. This is because the first certificate is an EV certificate where the CA checks business information etc. to verify the identity of the owner. In contrast the cheaper domain validated (DV) certificates check only if the party owns the domain, by checking if it has access to specific mail addresses or can create specific files on the server. This is much easier to spoof and thus these certificates are less trustworthy.

Of course, most clients don't understand all of this anyway, but they might understand the difference between a reassuring green bar for EV certificates and only a small indication of security for the other certificates. In the end it is easy for an attacker to get a DV certificate for their own site. But it will be much harder to get an EV certificate because of the additional verification procedures.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
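As an added example (not from any answer here), the following Python snippet classifies a TLS suite the way Chrome's "obsolete cipher suite" message does, using my summary of Chrome's criteria (TLS 1.2 or newer, ECDHE key exchange, AEAD cipher), and builds a server `SSLContext` whose offered suites all pass that check. It shows that this part of the report is a server-configuration matter and can be fixed without touching the certificate; the field names follow `SSLContext.get_ciphers()`.

```python
"""Classify TLS suites the way Chrome's connection icon does (added example).

Chrome reports an "obsolete cipher suite" when any of these holds:
negotiated protocol older than TLS 1.2, key exchange other than ephemeral
ECDH (ECDHE), or a non-AEAD cipher (anything but AES-GCM / ChaCha20-Poly1305).
"""
import ssl


def obsolete_reasons(protocol, kea, aead):
    """Return why a suite would be flagged; an empty list means 'modern'.

    protocol: "TLSv1.2"/"TLSv1.3"/older; kea: OpenSSL key-exchange name such
    as "kx-ecdhe" or "kx-rsa"; aead: True for AEAD ciphers.
    """
    reasons = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        reasons.append("protocol older than TLS 1.2")
    # TLS 1.3 suites always use an ephemeral exchange (OpenSSL says "kx-any").
    if protocol != "TLSv1.3" and kea != "kx-ecdhe":
        reasons.append("non-ECDHE key exchange")
    if not aead:
        reasons.append("non-AEAD cipher")
    return reasons


def hardened_context():
    """Server context that only offers suites passing obsolete_reasons()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ECDHE with AES-GCM or ChaCha20-Poly1305 only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx):
    """Map each suite the context would offer to its obsolete reasons.

    The protocol is judged from the context's minimum version: a server that
    still accepts TLS 1.0 can be negotiated down to it by a client.
    """
    proto_ok = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    report = {}
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            proto = "TLSv1.3"
        else:
            proto = "TLSv1.2" if proto_ok else "TLSv1"  # any pre-1.2 version
        report[c["name"]] = obsolete_reasons(proto, c["kea"], c["aead"])
    return report


if __name__ == "__main__":
    for name, why in audit_context(hardened_context()).items():
        print(name, "modern" if not why else ", ".join(why))
    # Constructed sample: a CBC suite over TLS 1.0 trips all three checks.
    print(obsolete_reasons("TLSv1.0", "kx-rsa", False))
```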
2

I don't get why Chrome gives that report. Also I'm not able to reproduce it.

But this has little to do with the certificate vendor. Even though having a stable CRL/OCSP server available 24/7 is a mark of a good CA, I don't think this applies here. Chrome doesn't/shouldn't actually care. (Details below.)

Chrome shows two assessment icons for an encrypted connection:

  • Site identity information (top icon, based on certificate)
  • Connection information (bottom icon, based on connection)

The official definitions of the icons are here:

They are still relatively new, they were only introduced in October:

And furthermore, there's an 11-page document that tries to explain it at a low level:

Site identity information (top icon, based on certificate)

I'm confused by the message "Unable to check whether the certificate has been revoked". The reason is that a current version of Chrome should not even have checked in the first place.

Are you running Chrome on a Mac? That might have something to do with it.

Connection information (bottom icon, based on connection)

Running "obsolete cipher suite" AND "resources which are not secure" will give the red icon. You can diagnose further with the F12 tools and the "Network" panel there.

DevTools "Security Panel" on the horizon

A "Security" panel has been announced for the Chrome F12 DevTools. Doesn't help right now, but maybe this might help diagnose these problems further in the future.

StackzOfZtuff
  • 17,783
  • 1
  • 50
  • 86
1

These errors aren't really related to the certificates themselves. You can use modern or obsolete cipher suites with the same certificate.

The first connection is more secure, but the certificates MAY be identical in security. It's related to server cipher configuration choices.

In the second case, certificate revocation information was not available, which again, while a service based around the certificates, is not affected by the certificates themselves. However, this service is likely provided by the certificate authority, so it may be an indicator of their security culture.

Not saying the certificates are equally secure, but there isn't enough information provided there to say one certificate is better than the other.

user2867314
  • 610
  • 3
  • 12