I am FURIOUS and some of you SHOULD BE too!

[Robust]

I'm just angry that Norton is marking these sites as unsafe when they clearly aren't. You need to go through a 2-week application process with Safe Web OR purchase a RIDICULOUSLY priced $399/yr Symantec SSL cert (I've only ever paid like $10 per year maximum for mine before I heard of LetsEncrypt) for automatic trust.

From the wording of this page it appears like they will class any kind of OV or EV cert as 'secure'. This is not an unfair way to do things, as anyone can get an SSL certificate, and 'Secure' to a general user indicates more that they should trust the site, rather than just that the connection is secure (which is what it actually means). I don't entirely blame Norton for using the wording more cautiously.

Norton have always been a pretty trigger-happy AV though. If it matters so much to you, get your site 'rated', tell your users to get a better AV, or pay for an OV/EV SSL cert (it does not need to be from Symantec, as your OP says, if I understand correctly).

 

[frm]

Norton have always been a pretty trigger-happy AV though. If it matters so much to you, get your site 'rated', tell your users to get a better AV, or pay for an OV/EV SSL cert (it does not need to be from Symantec, as your OP says, if I understand correctly).

This is where it's somewhat confusing. This is what the Norton Seal generator says:

https://www.websecurity.symantec.com/install-norton-secured-seal

Here's the lowest costing SSL cert from them:

https://www.websecurity.symantec.com/ssl-certificate?inid=prodmenu_sslhome

And here's what Safe Web says:

Which means you're "trusted", even though the most basic SSL cert does not validate anything other than a secure connection.

If you don't get their SSL cert, you're "untrusted" unless it looks like they might crawl your page, community members say it's safe and Norton marks it as such, or you submit a manual appeal which can take 2+ weeks (in some instances 3+ months until you point it out to them on their customer forums).

tell your users to get a better AV

Easier said than done. Your site is blocked prior to them becoming a "user".

So, let's say you're writing for a general audience and you spent hours creating a detailed tutorial on how to cook the perfect steak, you even take awesome photos of the process and include a video tasting at the end. However, someone with Safe Web lands on your site because Google deems it as excellent content and it ranks well for the keywords ("how to cook the perfect steak": 1-10K searches per month on Google) that user typed in. But, they're scared off to read your recipe because it says your site is to be untrusted so they click the back button. Let's just say for the moment that you have Amazon affiliate links on there for a pan that makes that steak even better and hypothetically that 1 user that clicked the back button would've bought it and other stuff while on Amazon too: You lost out on commission.

Your site might not have that general of an audience, so you may not care to target 100% of the segment for your niche. Mine does, however.

To know that 1 person was affected by this makes me mad because I can't just tell them to get better AV; I've lost their visit, possibly forever because they made the mental connection that X site = unsafe far after the fact.

 

[Sim]

'Secure' to a general user indicates more that they should trust the site

Not anymore - browsers no longer give any visual indication of the type of SSL certificate, so from an end-user's (psychological) perspective there is now no tangible difference between a site with a free cert and one with a paid cert - https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

More the point, users never actually understood what any of it meant anyway - which is why the browsers no longer give a visual indication of the type of cert in use.

 

[frm]

Not anymore

In this specific case, it's true. This is because Norton is placing a page that blocks your site entirely, as well as somehow injecting a green checkmark on search results, to tell you it should or shouldn't be trusted, probably due to:

browsers no longer give any visual indication of the type of SSL certificate

and it somewhat forces webmasters to buy their certificate (which @eva2000 pointed out earlier won't even be trusted by Chrome in October) in order to ratify the matter on the spot other than waiting for verification that can take 3 months.

For most, this shouldn't be an issue. But, it did have a negative impact on my site and I'm glad that it was brought to my attention. Other wise, I may have lost several more visitors (and may have already lost some) as my site is so broad and I value every visit.

 

[Robust]

Not anymore - browsers no longer give any visual indication of the type of SSL certificate, so from an end-user's (psychological) perspective there is now no tangible difference between a site with a free cert and one with a paid cert - https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

More the point, users never actually understood what any of it meant anyway - which is why the browsers no longer give a visual indication of the type of cert in use.

I meant more that it’s what people perceive than it’s what the browsers deliver now.

The average user has no clue what a certificate or SSL is. They just see “secure” or “not secure”. EV never said EV, it just said the company name, browsers have never referenced visually what kind of certificate is being used.

 

[cwe]

FWIW, I use Let's Encrypt SSL certs on my forums. I checked them with the URL listed in the OP and all came back good. I have never had any contact with Norton before. YMMV.

 

[motowebmaster]

I submitted my site on Norton Safeweb years ago, back when I wasn't https and running vb3.8. Today it still shows my site as safe, and domain-validated SSL, but not recommending personal or financial info. I'm using LetsEncrypt as well, with HSTS.

My contributing-gripe is getting off of the FortiNet and Palo Alto blocklists, because my motorcycle-forum is somehow considered a bad site. Maybe if I offered tattooed girls on the front page holding six-shooters they would give me a break