ZT Browser released its global public beta version on June 1st. Within 10 days, its users covered 35 countries and regions around the world (plus anonymous downloads over the Tor network). As the Chief Architect, I found that this popularity exceeded my expectations. On reflection, however, it is not surprising: Mr. Dean Coclin, the chairman of the CA/Browser Forum, the famous international organization that held its 56th face-to-face meeting in Poland, forwarded my email to the forum members and participants. My plan was to get a slot at the conference to introduce ZT Browser, but the agenda was full and no slot was available. The author sincerely thanks the Forum Chairman for his strong support.
The email was forwarded at 9:15 pm. The sudden increase in the website's request volume in the traffic data shows that everyone was very interested in my presentation topic: they visited the ZT Browser website (www.ztbrowser.com) through the introduction in the presentation file, and many visitors downloaded ZT Browser. This article briefly introduces the main content of my presentation.
The CA/Browser Forum Working Conference was held in Warsaw, Poland (June 6 to 8), with experts and representatives from 26 world-renowned CAs (11 onsite and 15 remote), 4 major browsers, auditors and invited guests. After ZT Browser was released on June 1, I hoped to have the opportunity to talk about some topics at this meeting, so I contacted Dean by email on June 3 (Friday). The conference was held on Monday, so inserting a presentation was indeed a bit abrupt (I think, now). But these topics can attract the attention of the attendees, which of course shows that the topics I want to talk about are very important.
The first topic is to point out that, in many OV SSL certificates and EV SSL certificates, the subject O field is seriously mismatched with the actual identity of the website. I hope that the CA/Browser Forum can discuss this and find a solution. I have already mentioned this issue in a blog post, so I won't repeat it here. Please refer to "Displaying website identity is the browser's obligation". The key to this problem is that the 4 major browsers no longer display the green address bar, so no one cares about the O field in the certificate. But CA operators like the green address bar, and the author is from a CA. Therefore, the return of the green address bar in ZT Browser has been welcomed by the CA community.
The second topic is to introduce ZT Browser's solution to the above problems. In addition to raising this topic and hoping that the CA/Browser Forum will find a solution, ZT Browser has come up with its own. First, the browser address bar displays not only the green address bar and organization name for an EV SSL certificate, but also a light green address bar and organization name for an OV SSL certificate, and a light green address bar and personal name for an IV SSL certificate. I would also like to thank a CA expert for a suggestion here. We originally displayed OV SSL certificates and IV SSL certificates with a white address bar, but because the background color of the address bar is white, the address bar information was mixed up with the other elements displayed. This CA expert suggested changing to a light green bar, because OV SSL certificate validation is only slightly looser than EV SSL certificate validation, but it also validates the identity of the website. We thought this was a good suggestion and quickly released an updated version to adopt it.
The second is to propose a remedial solution for users who have deployed DV SSL certificates, which do not validate the identity of the website: the Website Trusted Identity Validation Service. We must face up to the fact that 83% of websites have deployed DV SSL certificates, so we need a website identity validation service to make up for it. After a website passes the website trusted identity EV certification, ZT Browser can display the green address bar and organization name just as it does for a website that deploys an EV SSL certificate. You can use ZT Browser to visit the government website www.usa.gov and other countries' government websites. As long as the website deploys an SSL certificate, it can be displayed with a green address bar and organization name, regardless of the type of SSL certificate deployed on the website. The SSL certificate is responsible for transmission encryption, while the identity information is displayed by the browser and validated by the Website Trusted Identity Validation Service.
The third topic introduces the website security concept and security rating service of ZT Browser. We do not think that a website is really secure if only an SSL certificate is deployed, so this part accounts for only 60% of the website security rating. Another 20% is given to cloud WAF protection: a website without any security protection is insecure even if an SSL certificate is deployed. The remaining 20% is given to website trusted identity validation, because a fake bank website may also deploy an SSL certificate and may also have cloud WAF protection, but it cannot pass trusted identity validation as a bank website.
The fourth topic introduces the SM2 algorithm and SM2 SSL certificate support in ZT Browser. The author hopes that the CA/Browser Forum will have the opportunity to discuss including the SM2 algorithm in the SSL certificate baseline requirement, so that all browsers can support the SM2/SM3/SM4 algorithms, which have become an international standard, and so that they will truly become an international standard that can be widely used. Users can then freely choose the SSL certificate algorithm for a website among the RSA/ECC/SM2 algorithms, with no need to deploy two SSL certificates with different algorithms as they do now. The author will continue working to promote this so that it is realized as soon as possible.