Over the past year there has been a lot of controversy about the effectiveness of expensive Extended Validation (EV) certificates. Scott Helme questioned whether EV certificates are worth the paper they are written on. Robyn Weisman wondered whether the end of life of EV certificates is approaching. Troy Hunt declared EV certificates dead.
"The forthcoming changes in Mozilla's and Google's browser UIs may place a tombstone on EV certificates."
Both Google Chrome and Mozilla Firefox have announced that they plan to move the EV indicator out of the address bar. The EV information will still be available, but in both browsers users will have to open the page-information panel by clicking the lock icon in order to see it.
The Google announcement reads: “On HTTPS websites using EV certificates, Chrome currently displays an EV badge to the left of the URL bar. Starting in Version 77, Chrome will move this UI to Page Info, which is accessed by clicking the lock icon.”
And here's the Firefox announcement: “In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left-hand side of the URL bar which is used to display security / privacy information).”
The reasons behind this development are also spelled out in the announcements. Google says that “Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.”
Users do not change their behavior when they see a green padlock
This is absolutely true: users do not change their behavior when they see a plain DV padlock rather than an EV entity name. Security researcher Troy Hunt pointed out last year that the top 10 sites, including Google, YouTube, Twitter, and Facebook, don't use EV certificates, so most users are never trained to look for the indicators that these certificates provide in the first place.
This is precisely what Mozilla noted in their announcement: “The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been pitting EV against domains for phishing.”
EV indicators are an example of "positive indicators", like the padlock that Chrome and Firefox still use to mark an HTTPS site. Chrome will eventually remove the padlock icon for HTTPS sites and has already started instead to emphasize a 'Not secure' warning for all HTTP sites, shown in red once the user types into a form on the page. Firefox 77 will also display 'not secure' alerts for HTTP sites.
Google further notes that "the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections".
Apple already removed the EV company name from Safari's address bar in iOS 12 and macOS 10.14 last year.
EV certificates: that was then
EV certificates have been around for over a decade, and they were initially credited with boosting confidence in online shopping. But that was when most people browsed the web on desktop computers. Today most internet transactions are made on mobile devices, and here is the issue: mobile browsers typically don't display EV indicators at all, so whatever reassurance the EV name offered is absent precisely where most transactions now happen.
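With the badge gone from every mainstream address bar, the only way to tell an EV certificate from an OV or DV one is to read the certificate itself: an EV certificate carries the CA/Browser Forum EV policy OID 2.23.140.1.1 in its certificatePolicies extension and EV-only subject attributes such as jurisdictionOfIncorporationCountryName (OID 1.3.6.1.4.1.311.60.2.1.3) and the company registration number, which DV certificates lack. The Go program below is an added example, not code from the original article or from any browser or CA it discusses. It constructs self-signed sample certificates with those fields, parses them back, and classifies them; the classification rules, the sample names (example.test, "Example Bank, Inc.") and the function names are this example's own assumptions, and being self-signed the samples say nothing about whether a real CA would issue them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs, and the Microsoft-arc jurisdiction attribute the EV Guidelines require.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidEVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidOVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidDVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

const EV, OV, DV = "EV", "OV", "DV" // legal entity vetted / organization vetted / domain control only

// Classify reports the validation level a leaf certificate claims for itself. It is a claim
// made by the certificate, not a trust decision: validate the chain before believing it.
func Classify(cert *x509.Certificate) string {
	hasEVPolicy, hasJurisdiction := false, false
	for _, p := range cert.PolicyIdentifiers {
		hasEVPolicy = hasEVPolicy || p.Equal(oidEVPolicy)
	}
	for _, atv := range cert.Subject.Names {
		hasJurisdiction = hasJurisdiction || atv.Type.Equal(oidJurisdictionCountry)
	}
	switch {
	case hasEVPolicy && hasJurisdiction: // the EV OID alone is not enough; the subject must carry EV fields
		return EV
	case len(cert.Subject.Organization) > 0:
		return OV
	}
	return DV
}

type policyInformation struct{ Policy asn1.ObjectIdentifier } // ASN.1 PolicyInformation, qualifiers omitted

// selfSigned builds and re-parses a self-signed leaf (constructed data: we are our own CA here).
func selfSigned(subject pkix.Name, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Encode certificatePolicies by hand so the result does not depend on which of
	// PolicyIdentifiers/Policies the installed Go release honours in CreateCertificate.
	ext, err := asn1.Marshal([]policyInformation{{policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: ext}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Samples returns constructed EV, OV and DV certificates plus a lookalike that carries
// the EV policy OID but none of the EV subject attributes.
func Samples() (map[string]*x509.Certificate, error) {
	org := pkix.Name{CommonName: "example.test", Organization: []string{"Example Bank, Inc."}, Country: []string{"US"}}
	ev := org
	ev.SerialNumber = "1234567" // company registration number, as the EV Guidelines require
	ev.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidJurisdictionCountry, Value: "US"}}
	out, firstErr := map[string]*x509.Certificate{}, error(nil)
	add := func(name string, subj pkix.Name, pol asn1.ObjectIdentifier) {
		c, err := selfSigned(subj, pol)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		out[name] = c
	}
	add("ev", ev, oidEVPolicy)
	add("ov", org, oidOVPolicy)
	add("dv", pkix.Name{CommonName: "example.test"}, oidDVPolicy)
	add("lookalike", org, oidEVPolicy)
	return out, firstErr
}

func main() {
	certs, err := Samples()
	if err != nil {
		panic(err)
	}
	for name, c := range certs {
		fmt.Printf("%-9s policies=%v subject=%q -> %s\n", name, c.PolicyIdentifiers, c.Subject.String(), Classify(c))
	}
}
```

The same fields are what `openssl x509 -noout -text` prints under "X509v3 Certificate Policies" and in the Subject line, so the check can be repeated by hand on a real site's certificate. One caveat: the check above only looks for the CA/Browser Forum EV OID, whereas older EV certificates may carry a CA-specific EV OID instead, which browsers recognised from a per-CA list; a production check would have to accept those too.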
Certificate vendors charged more for EV certificates because the applicant, typically a bank or e-commerce site, had to pass an extended validation process in which the CA verifies the legal identity of the organization before the browser would display its name. The TLS protection itself is identical: EV, OV, and DV certificates carry the same kinds of keys and give the same encryption; only the identity vetting differs. To justify the price, certificate vendors tried desperately to convince their clients that expensive EV certificates were much better than other certificates, especially the free DV certificates offered by Let's Encrypt.
But history shows that certificate prices are going in one direction: down. While more and more sites are deploying encryption, fewer and fewer of them are choosing EV certificates to do it. “The certificate ecosystem is evolving, browser UI is evolving and most CAs don't seem to be evolving with us,” says Scott Helme. He continues, “The deprecation of the EV UI is simply another step in the journey moving us towards a more neutral UI. Users are unfamiliar with the technology but expected to understand and interact with it. The removal of the UI in all mainstream browsers demonstrates the lack of usefulness of EV certificates and browsers being updated to reflect that.”
As Hunt wrote, with Safari, and now Chrome and Firefox, pushing EV cert indicators behind the padlock,
"this type of certificate is 'really, really dead'."
I can still hear R.E.M. singing in the background: “It's the end of the world as we know it, and I feel fine.”