Why the first product of ZoTrus launched is a browser?June 1, 2022

Everyone is familiar with browsers. There are already many browsers on the market. Why will the first product of ZoTrus Technology launch be a browser? As the CEO, this article interprets the reasons and mysteries.

The browser is the entrance to the Internet, but the current browsers still have many places that users are not satisfied or do not meet the needs of Internet users, mainly in the following eight points:

  • Although the SM2/SM3/SM4 cryptographic algorithms have become ISO international standards, but major browsers still do not support SM2 SSL certificate that cannot meet the compliance requirements of the "China Cryptography Law". Some Chinese branded browsers support SM2 SSL certificate, but they are charged, which is not in line with the user's perception that browsers are generally free to use.
  • The browser, as the entrance to the Internet, now it becomes the entrance of advertisements. Browser users hate the pervasive advertisements of some browsers.
  • Browsers are used as Internet access portals, and users' online behaviors become so-called "big data". Some browsers will sell users' online behavior data or use these data to send targeted advertisements to users.
  • In the era of HTTPS popularization, some browsers even do not display the HTTPS encryption padlock, and do not remind users that the website that is being visited by HTTP plaintext transmission is unsecure, which is irresponsible for the user's online security.
  • All major browsers have removed the function of displaying the green address bar for websites that deploys the EV SSL certificate, which greatly reduces the visual security of the browser users while surfing the Internet.
  • Since the major browsers only emphasize the importance of HTTPS encryption, while ignoring the importance of website identity authentication, the fake bank website displays the padlock like an authentic bank website, which is a huge online security problem, especially the free SSL certificates are readily available so easy, making fake bank websites and fake government websites almost zero cost and zero threshold!
  • The website security incidents such as SQL injection, web page tampering, trojan virus, etc. occur frequently, although these events have nothing to do with the browser, but is the browser as an entry obliged to remind users to pay attention to this aspect of security?
  • The second application of browser is to check email through the Web. Can browsers make some efforts to protect the cleartext email security?

The author can also list more issues and more areas that can be improved. I believe that readers must also hate some issues, and they must think "how come there is no browser that can solve these problems?". As an old netizen, the author has also deeply the same feeling. And the author, as a veteran who has been deeply cultivated in cryptography technology for 18 years, must make some contributions to this industry when re-entrepreneurship. Therefore, ZoTrus Technology is positioned as a zero trust security provider based on cryptography technology that combining my rich experience in the CA industry and cybersecurity industry, not only to solve the above pain points, but more importantly, to lead and integrate the future of these two industries from the height of industrial development.

The core innovation of ZT Browser is the following five features.

First, let the green address bar come back, because users still need a rapid visual understanding of the identity of the website.

The free SSL certificate is readily available so easy, making fake bank websites and fake government websites almost zero cost and zero threshold! These counterfeit websites have the same security padlock as the authentic websites. How to make users clearly identify the SSL certificate type and real identity of the website have become a problem that is urgently needed to solve. The solution of ZT Browser is to use 4 different icons (T1/T2/T3/T4) with the validated identity information directly displayed in the address bar for different type of SSL certificate, and display. The website that deployed the EV SSL certificate with the strictest validation display as the green address bar, allowing the disappeared green address bar to return to the user's sight.

The return of the green address bar can not only help users simply and quickly identify the identity of the website, but also help the healthy development of the CA industry. Because since the major browsers have canceled the green address bar of the EV SSL certificate, the market share of the EV SSL certificate has fallen from 25% at the highest point to 0.087%. Everyone can imagine how much this impact on the revenue of CA companies.

Perhaps because of this impact, there are many mis-matched cases that have appeared in the organization name in the existing EV SSL certificate and OV SSL certificate that the website is using a gov.cn domain name, but the organization name in the certificate is a company name, not a government agency name. Anyway, the browser address bar does not display the organization name, who cares what the name of the O field in the certificate subject? It is highly recommended that you use the ZT Browser to see the company names bound to gov.cn domain names, not the name of government agencies.

ZT Browser has brought the green address bar back strongly, and everyone can still firmly believe in the security concept of "a bank website that does not display a green address bar is not an authentic bank official website".

green address bar green address bar

Second, provide website trusted identity validation service, play the role of green address bar, and completely solve the problem of DV SSL certificate without trusted identity.

The green address bar is very important, but the application for EV SSL certificate is bound by international standards, which leads to the problem of the organization name in the SSL certificate for many government websites, because it is hard to provide proof document for government agency. And, in order to solve the problem of trusted identity of websites that have deployed DV SSL certificates without identity information, which has a market share of up to 80%, we have simultaneously launched the website trusted identity validation service, so that websites that have deployed DV SSL certificates can also display its trusted identity, and also correct the wrong organization name in the certificate to the correct name. The following picture on the left shows the display effect of directly reading the organization name in the certificate, you can see it is a problem. ZoTrus Technology solves this problem through the website trusted identity validation service that ZT Browser will give priority to display the organization name in the ZoTrus Trusted Website Certification Database, as shown in the right figure below.

Displaying website identity is the browser's obligation Displaying website identity is the browser's obligation

Third, display the cloud WAF protection icon in the address bar, enhance website protection awareness, popularize cloud WAF protection applications, and effectively ensure website security.

Only deploying an SSL certificate on a website does not protect the website from being attacked, so ZT Browser does not display https as "Secure” but display as "encrypted". Browsers are used as the entrance to the Internet, but users are ignorant of whether the websites they are browsing are secure. At present, various website attacks have become the norm, and website owners do not know whether their websites have been attacked, unless it is an attack that the website obviously cannot access. Therefore, in order to enhance the security protection awareness of the website owners and website visitors, and meet the compliance requirements of the Cyber Security Law, ZT Browser exclusively displays the WAF protection icon in the address bar, so that the website visitors have seen the WAF protection of the website and cybersecurity protection compliant at a glance. This innovation will definitely promote the popularization and application of cloud WAF in website security protection, thereby driving the rapid and healthy development of the cloud WAF industry.

cybersecurity protection compliant cybersecurity protection compliant

Fourth, website security test in real time, improve the correct deployment level of the SSL certificate, and improve the overall level of website security.

It is not secure on the website without deploying SSL certificate, all browsers will display "Not secure". But once the SSL certificate is deployed, and the browser display "Security", this is also a problem, because an incorrect SSL certificate deployment is still not secure, even bringing more security vulnerabilities to the website. Therefore, ZT Browser has changed the display as "Security" to display the Website Security Rating with rating level, so that the website visitors and website owners be able to understand the security status of this website in time. Website security rating service test the website from three aspects: SSL certificate deployment, cloud WAF protection, and website trusted identity validation, to make a comprehensive test and rating of the website's security protection.

SSL security

During the use of HTTPS protocols to shake hands with the server, ZT Browser have all learned about the security deployment of the SSL certificate, understand whether the website has a trusted cloud WAF protection, understand whether the website identity has passed the certification, then ZT Browser can automatically calculate the score and secure level according to the ZoTrus Website Security Test and Rating Guide. While normal display security padlock, the website security rating level is also displayed. This is the world's exclusive innovation implementation of ZT Browser, which is beneficial to improving the overall level of website security.

Fifth, priority to use the SM2 algorithm to realize HTTPS encryption, and the address bar directly shows the cryptography protection compliant icon.

One of the main features of ZT Browser is to fully support the SM2 algorithm and the SM2 SSL certificate. This is one of the Cryptography Law compliant innovative technologies for website security. With the continuous implementation of the Cryptography Law, all government agencies have also increasingly needed to realize the SM2 compliance for government website security, and gradually began to deploy the SM2 SSL certificate to realize the SM2 HTTPS encryption.

How to simply let the website visitors understand whether a website has deployed a SM2 SSL certificate and “cryptography protection compliant”, the innovation of ZT Browser is to add a " m " icon behind the security padlock to highlight that this website has deployed a ZT Browser trusted SM2 SSL certificate to realize the SM2 algorithm HTTPS encryption. Click the " m " icon to show "Cryptography Protection Compliant", so that users will know whether this website is protected by the SM2 algorithm, and it also let the owner of the website no need to present any compliant certification document, just let the supervision and inspection organization directly use ZT Browser to visit the website, it is very easy to know if this website is the Law compliant. This is an innovation, which greatly reduces the cost of inspection and supervision of the compliance of the Cryptography Law.

It is recommended that all websites in China (especially government websites) deploy RSA/SM2 dual SSL certificates. ZT Browser preferentially adopts the SM2 algorithm to achieve HTTPS encryption, which can not only improve the self-control capabilities of China website security, but also promote SM2 SSL certificate popularization, and it can quickly increase China CA's SSL certificate market share, thereby driving the rapid and healthy development of China CA industry.

cryptography protection compliant

In fact, there are still many innovations and highlights of the ZT Browser. Such as: without annoying advertisement, it is a clean and pure browser, and it is also a free SM2 algorithm supported browser. I will not list them all here. The remaining highlights are left to users to discover. This is the first product released by ZoTrus Technology. As the company's first product for zero trust security, has it solved some of the user's pain points? Of course, the user has the final say. Welcome to download for free to test, experience and enjoy a different zero trust security Internet browser! Although it is free, I always believe that if we focus on the user, everything else will follow.

Click here to download this blog post (PDF format, digital signed and timestamped with global trust and global legal effect, all rights reserved, plagiarism must be punished! Reprint this article, please indicate: Reprinted from ZoTrus CEO Blog)