Chrome, Firefox Ditch EV SSL Padlock System

John Lister

Chrome and Firefox will stop indicating in the address bar when a website has received an "extra level of verification" to prove its operator is who it claims to be. The move is largely due to the fact that most users aren't aware of the Extended Validation SSL (EV SSL) system, so the indicator has little effect on their behavior.

Extended Validation SSL (Secure Sockets Layer; the protocol in use today is its successor, TLS, but the "SSL" name has stuck) certificates go beyond the standard certificate scheme. A standard certificate lets the browser confirm that it is talking to a server controlled by whoever controls the domain name, and that the connection is encrypted so no one can eavesdrop on or tamper with data in transit. It says nothing about which person or organization is behind that domain.

Extended Validation certificates add a vetted claim about identity: that the certificate was issued to the organization named in it. The limits of that claim are worth noting. If a website with an Extended Validation certificate is hijacked (by hackers, for example), the attacker serves pages under the legitimate organization's certificate, so the "proof of ownership" offers no protection against that kind of compromise.

That aside, getting an Extended Validation SSL certificate costs businesses extra because it involves human checks rather than purely automated verification. The checks confirm that the organization really exists: for example, that the business is registered and has a valid physical location such as an office.

Organization Name Appears in Address Bar

If a website has Extended Validation SSL, the name of the organization operating it appears in the address bar between the padlock symbol (showing a secure site) and the website address.

The system was introduced in 2007. If you'd never heard of it - you're not alone.

Google and Mozilla both say their browsers will stop showing the organization name in the address bar. Instead, any Extended Validation SSL certificate details will only appear when users click on the padlock symbol to get more information about the page.
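Once the address bar no longer shows it, the only thing that actually marks a certificate as EV is what is inside the certificate: the CA/Browser Forum policy OID in its certificatePolicies extension (2.23.140.1.1 for EV, 2.23.140.1.2.2 for organization-validated, 2.23.140.1.2.1 for domain-validated) plus the extra identity attributes in the subject. The Go program below is an added example, not code from the article or from either browser vendor; it classifies a certificate by those OIDs and reconstructs the "Organization (Country)" string that the indicator used to display. The certificates it inspects are self-signed ones it constructs itself (so they are not genuinely EV, whatever OID they carry), and "Example Corp", "www.example.test" and the registration number are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs; the certificatePolicies extension OID; and the
// subject attributes the EV Guidelines require in addition to O= and C=.
var (
	oidPolicyEV               = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidPolicyOV               = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidPolicyDV               = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidExtCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidBusinessCategory       = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// ValidationLevel reports "EV", "OV", "DV" or "unknown" from a parsed certificate's policy OIDs.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidPolicyEV):
			return "EV"
		case p.Equal(oidPolicyOV):
			return "OV"
		case p.Equal(oidPolicyDV):
			return "DV"
		}
	}
	return "unknown"
}

// EVOrganization returns the "Organization (Country)" string the old indicator showed, and
// false for anything not EV. OV certificates also carry an O=, so the OID is checked first.
func EVOrganization(cert *x509.Certificate) (string, bool) {
	if ValidationLevel(cert) != "EV" || len(cert.Subject.Organization) == 0 {
		return "", false
	}
	name := cert.Subject.Organization[0]
	if len(cert.Subject.Country) > 0 {
		name += " (" + cert.Subject.Country[0] + ")"
	}
	return name, true
}

// policyInformation is ASN.1 PolicyInformation with its optional qualifiers omitted.
type policyInformation struct{ Policy asn1.ObjectIdentifier }

// NewDemoCert builds a self-signed certificate with the policy OID and subject attributes of
// the requested level. Constructed test data: a self-signed certificate is never really EV.
func NewDemoCert(level string) (*x509.Certificate, error) {
	policy, ok := map[string]asn1.ObjectIdentifier{"EV": oidPolicyEV, "OV": oidPolicyOV, "DV": oidPolicyDV}[level]
	if !ok {
		return nil, fmt.Errorf("unsupported level %q", level)
	}
	subject := pkix.Name{CommonName: "www.example.test"} // DV: domain control only, no organisation
	if level != "DV" {
		subject.Organization, subject.Country = []string{"Example Corp"}, []string{"US"}
	}
	if level == "EV" { // identity attributes the EV Guidelines require (placeholder values)
		subject.SerialNumber = "1234567" // business-registry number
		subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: "US"},
		}
	}
	policies, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{"www.example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// certificatePolicies is hand-encoded and attached here so the code does not
		// depend on a particular Go version's PolicyIdentifiers/Policies handling.
		ExtraExtensions: []pkix.Extension{{Id: oidExtCertificatePolicies, Value: policies}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, level := range []string{"EV", "OV", "DV"} {
		cert, err := NewDemoCert(level)
		if err != nil {
			panic(err)
		}
		name, shown := EVOrganization(cert)
		fmt.Printf("%s: level=%s address-bar name=%q shown=%v\n", level, ValidationLevel(cert), name, shown)
	}
}
```

Against a real site the leaf certificate would come from the TLS handshake instead of NewDemoCert. The important caveat is that anyone can put the EV OID into a certificate they issue themselves, as this example does, so the OID only means something after the chain has been verified to a root that the browser or trust store recognises as EV-enabled for that CA. That verification is the part Chrome and Firefox keep doing; only the address-bar display is going away.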

According to Google, research shows the system is so little known that it isn't effective. There's also no evidence that the presence or absence of the Extended Validation organization name makes any difference to whether users correctly judge a site to be trustworthy. (Source: googlesource.com)

Major Sites Shun System

It's been a bit of a chicken-and-egg situation. One reason many users don't know about the system is that many leading websites, including ten of the largest sites online, simply don't use it. And one reason many sites don't use it is that users don't know about it. (Source: zdnet.com)

It's also part of a change in policy by Google to move away from "positive security indicators", which it finds ineffective, and instead emphasize negative indicators such as highlighting when a website is "not secure".

Drawing attention to sites that don't have Extended Validation would be both confusing (because it would happen on so many legitimate sites) and arguably unfair - because the web tech community doesn't consider Extended Validation SSL certificates to be a must-have.

What's Your Opinion?

Have you ever noticed the name of an organization before the website address? Did you know it indicated a site with Extended Validation? Are the browser makers right to stop indicating it?


Comments

Enroc

I've seen it a few times, I like the idea they are trying to do. I can't see why the indication would make any difference to the browser itself.

Quetzalcoatlus

Agreed, it's a terrible idea to imply that any site is more secure just because it's extra validated. It just makes good phishing attempts even easier to pull off when you fake that, and certs mean nothing when there are so many stolen CA keys floating around and CAs operated by actors that are, if not malicious, then at least not impartial, like state intelligence agencies.