Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company’s name in the address bar.
When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks.
One certificate, called EV Certificates, are known for having a browser display the owner of the certificate directly in the browser’s address bar. This allegedly makes the site feel more trustworthy to a visitor.
In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive “trustworthy” certificate.
In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have become to associate a padlock with a secure site rather than a company name.
With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt’s predictions are coming true.
EV Certificates will soon be dead.
Chrome decides to drop the company info
In a recent announcement by Chromium developers on the Security-dev mailing list, Google has stated that they will be removing the EV Certificate indicator from the browser’s address bar starting in Chrome 77, which is scheduled for release on September 10th.
This means that the main feature of EV certificates, which is to show a company’s name in the address bar, is going away as shown below.
The EV certificate identity indicator will now be moved into the page info bubble shown when you click on the padlock.
Google is making this change as they determined that the EV indicator does not protect users as intended and takes up valuable screen real estate.
“Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended (see Further Reading in the Chromium document). Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome’s product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.”
Firefox is making the change too
Soon after Chrome’s announcement, Mozilla also announced that starting in Firefox 70 they will be removing the EV certificate’s identity information from the address bar.
Like Chrome, the EV information will also be moved to the Firefox page info doorhanger a user sees when they click on the icon.
Mozilla’s reasons for making this change are similar to Google’s; that there is no clear indication that EV certificates provide any positive security indicators.
The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been pitting EV against domains for phishing.
More recently, it has been shown that EV certificates with colliding entity names can be generated by choosing a different jurisdiction. 18 months have passed since then and no changes that address this problem have been identified.
The Chrome team recently removed EV indicators from the URL bar in Canary and announced their intent to ship this change in Chrome 77. Safari is also no longer showing the EV entity name instead of the domain name in their URL bar, distinguishing EV only by the green color. Edge is also no longer showing the EV entity name in their URL bar.
But EV Certificates make a site more trustworthy!
You may be saying, “but all of the certificate vendors state that EV certificates make a site feel more trustworthy to visitors as they know it went through a more stringent verification process!”.
That may not be quite true as shown by security researcher Ian Caroll who showed that there is no name collision support for the EV issuance process.
This means that a person can create a company in a different state than a well-known company of the same name. They could then use that new company to get an EV Certificate that pulls the company name into the address.
For example, Caroll created a new company in Kentucky called “Stripe, Inc”, which is a clone of the well-known payment company, and was able to get a EV certificate showing that company name on his site.
This could easily be used as an elaborate phishing scam to trick users into thinking they are on the well known site based on the EV Certificate identity indicators in the address bar, when they are instead having their credentials stolen by attackers.