A few hours ago the new online certificate repository that the most recent weeklies are using was updated with several new roots, and an additional CA, Comodo, was also provisionally EV-enabled
The new and the updated CAs are
- America OnLine
- Cisco
- Comodo
- Digicert
There is no need to download an updated Weekly (if you have one of the two recent ones). When you next restart one of the Opera 9.50 Weeklies with support for online certificate updates, it will immediately download the indexes, and download the new certificates when necessary. Please give it a minute to finish the update.
Here are a couple of testsites:
- AOL: https://new.aol.com/ . This site will verify in newer versions, but not in older (Warning about issuer). Known problem: The security level is low due to problems with the CRL (Unsupported format, and currently no plans to support it. The connection will fail in the first build). AOL is aware of the problem, and was already working on updating their CRL system
- Comodo EV sites:
- https://www.sslcertificaten.nl/
- https://comodocertificationauthority-ev.comodoca.com/
- https://secure.comodo.com/example.html
Known Issues: The complex certificate chain system used by Comodo encounters some, mostly hidden, problems with our OpenSSL certificate verification support, and that will cause some EV sites to not be recognized. We will try to fix it, but it may not be advisable to include a fix in 9.50.
[*] DigiCert:
- https://vpn.osrmedical.com/Citrix/AccessPlatform1/auth/login.aspx In older versions this will validate to an Entrust root (see in the Certificate details view of the security toolbar dialog), after this remote update of 9.50 the root will instead be "Digicert High Assurance".
- https://www.iwanttss.com/ In older versions this site will trigger an unknown issuer warning, after this update it will also validate to "Digicert High Assurance"
[/LIST]
I do not currently have testcases for Cisco, as they have not yet started issuing certificates from the new root.
More about known issues:
- We know there are some problems with OCSP and CRL responses (the two kinds of revocation information) from some Certificate Authorities. These problem may lead to the website getting a lower security level. We are looking into these problems together with the CAs. In last week's build some of the CRL problems will cause a "Fatal Error 50", in the most recent build that has been fixed. We may decide to work around some of these, but they should preferably be fixed by the CA.
- At least one CA (who is not in our repository) is using CRLs with a critical extension, which will cause the secure connection to fail with error code 554. In this case we are following the standard, although one might wonder why the specification says "Although the extension is critical, conforming implementations are not required to support this extension". The problem have been "fixed" internally by recognzing the extension, then ignore it, as we do not need it.
.
Sorry if I’ve missed this in the release notes, however I can’t get EV working on my Intel Macbook Pro using the latest weekly build 4784. Working fine on my work Windows XP machine.hartley231Update: scratch that! Just tried https://brokerage.comdirect.de/ and I have a green EV background. Maybe something to do with the specific site?
Hartley: Please see my articles on EV in Opera (there are some extra requirements), and also note that we have only EV enabled some CAs.
When is Thawte Extended Validation CA getting uploaded?
After testing, and when we are ready with the legal framework. The currently EV-enabled CAs are only enabled provisonally.
How come https://www.paypal.com/ still shows yellow in the adressbar?In the security tab It says: “the connection to this server is secure”and paypal uses EVhttps://www.sslcertificaten.nl/ however does show green.
Regarding Paypal: “It ain’t EV ’til it’s EV, all EV”.Paypal is using content from sites that are not EV certificate, and as such the identity of all who created the content is not sufficiently proven.See my articles for more information: http://my.opera.com/yngve/blog/2008/04/08/new-in-kestrel-end-of-the-extended-validation-wait http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all-ev
Hi yngve,When opening https://www.paypal.com/ here I get the grey ?in the address bar. But if I then mask as Internet Explorerthen I get the lock with the yellow background.Is this how it should be?.cheerblinkybill
blinkybill: I have no problem with Paypal by going direct to the URL, even going indirectly via the unsecure accesspoints with redirects.
Hi yngve,Just updated to the new Opera 9.5 beta2 and stillwww.paypal.com shows a grey ?.I am using Windows XP SP2 and I installed Operausing the Classic Installer.I tried it at work with Opera and it shows theLock with the Yellow Background so I got noclues as to why mine doesn’t. Could this bea bug somewhere?.cheersblinky
What does the information in the security panel of the dialog displayed when you click on the “?” say?This new feature performs a lot of extra data verification, and if one of them cannot be completed then the site won’t get a secure indication.
Hi Yngve,Here is a screenshot mate of the Grey ?.http://img155.imageshack.us/my.php?image=paypalrv2.jpgcheersblinky
I’ve a problem on this sitehttps://banking.bw-bank.de/security panel says, that there’s nosecure connection available.What’s wrong ?
t1gershark: I am not sure what is causing it, but there seems to be a problem with the CRLs (the revocation check). Such problems means that we have no reliable information about whether or not the certificate is relly valid, thus a reduced security level.
Thanks for your response yngve.Reduced security level is good, but the panel says that there’s no security at all 🙂
Hi yngve,Just installed the latest 9.5 beta and nowwww.paypal.com shows the yellow backgroundwith the lock.cheersblinky
Hi yngve,Are you heard about PetName systems? Interesting reading!http://www.skyhunter.com/marcs/petnames/IntroPetNames.htmlBye!