Chrome and Firefox Changes start the End of EV Certificates

Filed under Security News.

Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company’s name in the address bar.

When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks.

One type, the Extended Validation (EV) certificate, is known for having the browser display the certificate owner’s name directly in the address bar. This supposedly makes the site feel more trustworthy to a visitor.

In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive “trustworthy” certificate.

In numerous blog posts, security researcher Troy Hunt has argued that EV certificates will soon be dead: more and more sites are switching away from them because they are much harder to manage due to the extra verification time, and because people have come to associate a padlock, rather than a company name, with a secure site.

With Safari already removing EV certificate company info from the address bar, most mobile browsers not showing it, and the Chrome and Firefox desktop browsers soon to remove it, Hunt’s prediction is coming true. EV certificates will soon be dead.

Chrome decides to drop the company info

In a recent announcement by Chromium developers on the Security-dev mailing list, Google has stated that they will be removing the EV Certificate indicator from the browser’s address bar starting in Chrome 77, which is scheduled for release on September 10th.

This means that the main feature of EV certificates, showing a company’s name in the address bar, is going away, as shown below.

EV Certificate indicators in Chrome 76 and 77

The EV certificate identity indicator will now be moved into the page info bubble shown when you click on the padlock.

EV information shown in the page info bubble

Google is making this change as they determined that the EV indicator does not protect users as intended and takes up valuable screen real estate.

“Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended (see Further Reading in the Chromium document). Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome’s product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.”

Firefox is making the change too

Soon after Chrome’s announcement, Mozilla also announced that starting in Firefox 70 they will be removing the EV certificate’s identity information from the address bar.

EV Certificate indicators in Firefox 68 and 70

Like Chrome, Firefox will move the EV information into the page info doorhanger that a user sees when they click on the icon.

EV information shown in the page info bubble

Mozilla’s reasons for making this change are similar to Google’s: there is no clear evidence that EV certificates provide any positive security indicator.

The effectiveness of EV has been called into question numerous times over the last few years; there are serious doubts whether users notice the absence of positive security indicators, and proofs of concept have pitted EV against domains for phishing.

More recently, it has been shown that EV certificates with colliding entity names can be generated by choosing a different jurisdiction. 18 months have passed since then and no changes that address this problem have been identified.

The Chrome team recently removed EV indicators from the URL bar in Canary and announced their intent to ship this change in Chrome 77. Safari is also no longer showing the EV entity name instead of the domain name in their URL bar, distinguishing EV only by the green color. Edge is also no longer showing the EV entity name in their URL bar.

But EV Certificates make a site more trustworthy!

You may be saying, “but all of the certificate vendors state that EV certificates make a site feel more trustworthy to visitors as they know it went through a more stringent verification process!”.

That may not be quite true, as shown by security researcher Ian Carroll, who demonstrated that the EV issuance process does not check for name collisions.

This means that a person can register a company in a different state from a well-known company of the same name, and then use that new company to obtain an EV certificate that puts the same company name into the address bar.

For example, Carroll registered a new company in Kentucky called “Stripe, Inc”, a clone of the well-known payment company, and was able to get an EV certificate showing that company name on his site.

Fake Stripe Site

This could easily be used in an elaborate phishing scam: users would believe they are on the well-known site because of the EV certificate identity indicator in the address bar, while their credentials are instead being stolen by attackers.
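The name-collision problem described above, as an added example that is not code from the article, from Carroll’s research, or from the browsers: the subject strings are constructed samples (the file numbers and the clone’s domain are made up), and the check compares the EV jurisdiction-of-incorporation fields that the old address-bar badge never displayed.

```python
"""Why the EV badge's company name alone is not an identity.

Added example (not the article's or the browsers' code): it parses RFC 4514
subject strings and shows that two EV subjects with the same O but different
jurisdictions of incorporation are distinct legal entities, even though the old
address-bar badge displayed only O. All DNs below are constructed samples.
"""
# OIDs defined by the CA/Browser Forum EV Guidelines for jurisdiction of incorporation
JURIS_STATE = "1.3.6.1.4.1.311.60.2.1.2"
JURIS_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514 string into {attribute: value}; handles '\\,' escapes."""
    attrs, field, escaped = {}, "", False
    for ch in dn:
        if escaped:            # escaped character, e.g. the comma in "Stripe\, Inc"
            field += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # unescaped comma ends one attribute=value pair
            key, _, value = field.partition("=")
            attrs[key.strip()] = value
            field = ""
        else:
            field += ch
    if field:
        key, _, value = field.partition("=")
        attrs[key.strip()] = value
    return attrs


def display_name(dn: str) -> str:
    """What the pre-Chrome-77 / pre-Firefox-70 address bar showed: the O field alone."""
    return parse_dn(dn)["O"]


def ev_identity(dn: str) -> tuple:
    """Fields that together identify the legal entity behind an EV certificate."""
    a = parse_dn(dn)
    return (a["O"], a.get(JURIS_COUNTRY, ""), a.get(JURIS_STATE, ""), a.get("serialNumber", ""))


# Constructed samples: a company and a same-named company registered in another state.
REAL = ("CN=stripe.com,O=Stripe\\, Inc,L=San Francisco,ST=California,C=US,"
        f"{JURIS_COUNTRY}=US,{JURIS_STATE}=Delaware,serialNumber=1111111")
CLONE = ("CN=stripe.example,O=Stripe\\, Inc,L=Louisville,ST=Kentucky,C=US,"
         f"{JURIS_COUNTRY}=US,{JURIS_STATE}=Kentucky,serialNumber=2222222")


def names_collide(dn_a: str, dn_b: str) -> bool:
    """True when the badge text matches but the underlying legal entity does not."""
    return display_name(dn_a) == display_name(dn_b) and ev_identity(dn_a) != ev_identity(dn_b)
```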

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer; while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.