Developers of Google Chrome and Mozilla Firefox have announced an upcoming break with the Extended Validation certificates that today show a company’s name in the address bar of HTTPS sites.
In Chrome 77, which is due out in September, sites that use Extended Validation (EV) certificates will no longer have a space in the address bar to display the site owner’s name.
Something similar is happening in desktop Firefox 70, scheduled for an October release, and the intent is the same.
Both Mozilla and Google are moving the EV information to behind the padlock icon, which users can click on to view certificate information. Mozilla says its change to EV indicators is about “reducing the exposure of EV information while keeping it easily accessible”.
EV certificates have been around for over a decade and in their early days, when most people used non-mobile devices for the web, they were credited with boosting confidence in online shopping.
Certificate vendors could charge more for EV certificates to owners of HTTPS websites, such as banks and e-commerce sites, which would undergo an extended validation process.
The sites would then have their address and later company name in a green block in the address bar. The idea was that users could see the entity behind a site more easily, which would therefore make phishing harder.
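Because the browsers are moving the EV details behind the padlock rather than discarding them, the same information can still be read straight from a site's certificate: the validated company name lives in the subject's Organization (O) attribute, and the EV assertion is the CA/Browser Forum EV policy identifier 2.23.140.1.1 in the certificatePolicies extension. The script below is an added example, not code from the article or from the browser vendors. It assumes the openssl command-line tool (1.1.1 or later, for `-addext`), builds two constructed self-signed certificates to stand in for an EV-style and a DV-style certificate (subject names and file paths are made up for the example), and defines checks that report the Organization and whether the EV policy OID is present.

```shell
#!/bin/sh
# Added example: read the fields browsers used to surface in the EV indicator.
# Requires the openssl command-line tool (1.1.1+).
set -e

EV_POLICY_OID="2.23.140.1.1"   # CA/Browser Forum EV policy identifier

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
EV_CERT="$WORK/ev.pem"
DV_CERT="$WORK/dv.pem"

# Constructed self-signed certificates for the example. The first carries an
# Organization name and the EV policy OID, as a real EV certificate would; the
# second has only a CN, as a domain-validated certificate typically does.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ev.key" -out "$EV_CERT" \
  -subj "/C=US/O=Example Corp/CN=www.example.test" \
  -addext "certificatePolicies=$EV_POLICY_OID" >/dev/null 2>&1

openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/dv.key" -out "$DV_CERT" \
  -subj "/CN=www.example.test" >/dev/null 2>&1

# Print the subject's Organization (O) attribute, or nothing if it is absent.
# RFC2253 output is comma-separated, so each RDN lands on its own line.
cert_org() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | tr ',' '\n' | sed -n 's/^O=//p'
}

# Succeed (exit 0) only if the certificate contains the EV policy OID.
# The check matches the OID's DER encoding (06 05 67 81 0c 01 01: tag, length,
# 2*40+23=0x67, 140 as 0x81 0x0c, 1, 1) so it does not depend on whether this
# openssl build prints the OID numerically or by name. Presence of the OID
# means the CA asserted EV validation; it does not prove the chain is trusted.
has_ev_policy() {
  openssl x509 -in "$1" -outform DER \
    | od -An -v -tx1 | tr -d ' \n' | grep -q "060567810c0101"
}

# Human-readable verdict, the same information the padlock dialog exposes.
describe_cert() {
  org="$(cert_org "$1")"
  if has_ev_policy "$1" && [ -n "$org" ]; then
    echo "EV certificate issued to: $org"
  else
    echo "no EV assertion (organization: ${org:-none})"
  fi
}

describe_cert "$EV_CERT"   # constructed EV-style certificate
describe_cert "$DV_CERT"   # constructed DV-style certificate
```

To inspect a live site instead of the constructed certificates, save the leaf certificate from the browser's certificate viewer (or with `openssl s_client -connect host:443 -showcerts`) and pass that file to `describe_cert`; the Organization shown is what the green bar used to display.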
But as security researcher Troy Hunt pointed out last year, the top 10 largest sites today, including Google, YouTube, Twitter and Facebook, don’t use EV certificates, so many users today aren’t trained to look for the indicators that the certificates provide.
Google explains that its new approach to EV certificate indicators in Chrome 77 is because the Chrome Security UX team “has determined that the EV UI does not protect users as intended”.
“Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection,” Google says.
Additionally, EV indicators are an example of “positive indicators”, such as the padlock that Chrome still uses to indicate an HTTPS site.
Chrome will eventually remove the padlock icon for HTTPS sites and has already started instead to emphasize a red ‘Not secure’ warning for all HTTP sites. Firefox 77 will also follow Google Chrome’s lead on ‘not secure’ alerts for HTTP sites.
Google further notes “the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome’s product direction towards neutral, rather than positive, display for secure connections”.
Another issue is that today smartphones account for a much larger share of interactions on the web, and mobile web browsers typically don’t display EV indicators as prominently, if at all.
Apple already removed the company name for EV certificates in Safari on iOS 12 and macOS 10.14 last year.
As Hunt wrote today, with Safari, and now Chrome and Firefox, pushing EV cert indicators behind a padlock, this type of certificate is “really, really dead”.