EV Certificates: It’s the End of the World as We Know It (and I Feel Fine)

August 20, 2019 | Guest Blogger: Anastasios Arampatzis


Over the past year there has been a lot of controversy about the effectiveness of expensive Extended Validation (EV) certificates.

Scott Helme questioned whether EV certificates are worth the paper they are written on. Robyn Weisman wondered whether the end of life of EV certificates is approaching. Troy Hunt declared EV certificates dead.

"The forthcoming changes in Mozilla’s and Google’s browsers UI may place a tombstone on EV certificates."

Both Google Chrome and Mozilla Firefox have announced that they plan to move the EV indicator out of their main UI. The EV information will still be available, but in both browsers users will have to open the page information panel by clicking the lock icon in order to see it.
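What the browsers are tucking behind the lock icon is a handful of fields in the certificate itself: an EV policy OID in the certificatePolicies extension and the validated identity attributes in the subject. The following Go program is an added example, not code from the article or from any browser. It builds a self-signed demo certificate with and without those fields and reports which EV markers are present. It assumes the CA/Browser Forum EV policy OID 2.23.140.1.1 and the subject attributes the EV Guidelines require (organizationName, businessCategory, serialNumber, jurisdictionCountryName); real EV certificates often also carry a CA-specific EV OID, which this checker does not list, and the demo certificate, its key and its subject values are constructed here rather than taken from any site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// 2.23.140.1.1 is the CA/Browser Forum EV policy OID; many CAs also use their
// own EV OIDs, which a production checker would have to list (not covered here).
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidCABFEV              = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidSerialNumber        = asn1.ObjectIdentifier{2, 5, 4, 5}
)

// IsEV reports whether cert carries the EV markers (the EV policy OID plus the
// identity attributes browsers used to show in the green bar) and names any
// marker that is missing.
func IsEV(cert *x509.Certificate) (bool, []string) {
	var missing []string
	evPolicy := false
	for _, id := range cert.PolicyIdentifiers { // filled from certificatePolicies
		evPolicy = evPolicy || id.Equal(oidCABFEV)
	}
	if !evPolicy {
		missing = append(missing, "EV policy OID 2.23.140.1.1")
	}
	if len(cert.Subject.Organization) == 0 {
		missing = append(missing, "subject organizationName")
	}
	present := map[string]bool{} // every attribute type in the subject DN
	for _, atv := range cert.Subject.Names {
		present[atv.Type.String()] = true
	}
	want := []asn1.ObjectIdentifier{oidJurisdictionCountry, oidBusinessCategory, oidSerialNumber}
	names := []string{"subject jurisdictionCountryName", "subject businessCategory", "subject serialNumber"}
	for i, oid := range want {
		if !present[oid.String()] {
			missing = append(missing, names[i])
		}
	}
	return len(missing) == 0, missing
}

// NewDemoCert builds a self-signed certificate (constructed test data, not a
// CA-issued one) with the EV markers when ev is true, otherwise DV-like.
func NewDemoCert(ev bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ev {
		tmpl.Subject.Organization = []string{"Example Corp"}
		tmpl.Subject.SerialNumber = "1234567" // company registration number (assumed)
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidJurisdictionCountry, Value: "US"},
			{Type: oidBusinessCategory, Value: "Private Organization"},
		}
		// certificatePolicies is encoded by hand (SEQUENCE OF PolicyInformation) so
		// the result does not depend on which template field this Go version honours.
		pol, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidCABFEV}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: pol}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, ev := range []bool{true, false} {
		cert, err := NewDemoCert(ev)
		if err != nil {
			panic(err)
		}
		ok, missing := IsEV(cert)
		fmt.Printf("ev=%v: markers present=%v missing=%v\n", ev, ok, missing)
	}
}
```

The EV build reports no missing markers while the DV build lists all five, which is exactly the difference between a green company name and a plain padlock. Pointing IsEV at a certificate parsed from a live connection shows the same information the browsers are now moving into their page information panels.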

The Google announcement reads: “On HTTPS websites using EV certificates, Chrome currently displays an EV badge to the left of the URL bar. Starting in Version 77, Chrome will move this UI to Page Info, which is accessed by clicking the lock icon.”

And here's the Firefox announcement: “In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left-hand side of the URL bar which is used to display security / privacy information).”

Chrome 77 is currently scheduled to ship on September 10 and Firefox 70 on October 22 this year.

The reasons behind this development are also spelled out in the announcements. Google says that “Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.”


Users do not change their behavior when they see a green padlock

This is absolutely true: users do not change their behavior when they see a DV padlock rather than an EV entity name. Security researcher Troy Hunt pointed out last year that the ten largest sites, including Google, YouTube, Twitter and Facebook, don't use EV certificates, so most users are never trained to look for the indicators those certificates provide.

This is precisely what Mozilla noted in their announcement: “The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been pitting EV against domains for phishing.”

EV indicators are an example of "positive indicators", like the padlock that Chrome and Firefox still use to mark an HTTPS site. Chrome plans to eventually remove the padlock icon for HTTPS sites and has already started to emphasize a red 'Not secure' warning for HTTP sites instead. Firefox 77 will also display 'Not secure' alerts for HTTP sites.

Google further notes that "the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections".

Apple already removed the EV company name from Safari's address bar in iOS 12 and macOS 10.14 last year.


EV Certificates: That was Then

EV certificates have been around for over a decade and were initially credited with boosting confidence in online shopping. But that was when most people browsed the web from desktop devices. Today most internet transactions happen on mobile devices, and here is the issue: mobile browsers typically don't display EV indicators at all.

Certificate vendors charged more for EV certificates, sold to operators of HTTPS websites such as banks and ecommerce sites that underwent an extended validation process. To justify the expense, certificate vendors tried hard to convince their clients that expensive EV certificates were much better than other certificates, especially the free ones offered by Let's Encrypt.

But history shows that certificate prices move in one direction: down. While more and more sites deploy encryption, fewer and fewer of them choose EV certificates to do it. "The certificate ecosystem is evolving, browser UI is evolving and most CAs don't seem to be evolving with us," says Scott Helme. He continues, "The deprecation of the EV UI is simply another step in the journey moving us towards a more neutral UI. Users are unfamiliar with the technology but expected to understand and interact with it. The removal of the UI in all mainstream browsers demonstrates the lack of usefulness of EV certificates and browsers being updated to reflect that."

As Hunt wrote, with Safari, and now Chrome and Firefox, pushing EV certificate indicators behind a padlock, this type of certificate is "really, really dead".

I can still hear R.E.M. singing in the background: "It's the end of the world as we know it. And I feel fine."

About the author

Guest Blogger: Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
