Google to bury indicator for Extended Validation certs in Chrome because users barely took notice
Not working as intended, says browser security team
The next version of Google's Chrome web browser, 77, will not indicate whether a site has an EV (Extended Validation) certificate unless the user drills down into the Page Info dialogue.
EV certificates, introduced in 2007, are issued only after verifying that the applicant is a genuine legal entity. Businesses must have a physical existence and business presence, and government or non-commercial entities are also verified. The baseline requirements for an EV certificate are set by the CA/Browser Forum, which lists the objectives as helping to protect users against phishing and identity fraud as well as making it easier to investigate fraudsters.
Such certificates are more expensive, involving the issuer in human checks as well as automated verification that the applicant controls the site for which the certificate is required. Web browsers typically show when an EV certificate is used by displaying the company name alongside the padlock symbol in the address bar.
Now the Chrome Security Team has announced that "starting in Version 77, Chrome will move this UI to Page Info, which is accessed by clicking the lock icon."
The reason is simple. "Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended... users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection."
Earlier this year, Google researchers published the results of an extensive survey, in which users of the Chrome and Safari browsers were quizzed about how much they trusted a website with and without various indicators, including display of EV information. The depressing conclusion was that "browser identity indicators, like connection security indicators, do not help users make security decisions". 85 per cent of users saw nothing strange about a Google login page with the fake URL accounts.google.com.amp.tinyurl.com, citing things like "Google is a secure company" or that they trusted the page because its contents looked familiar.
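The fake URL in that study works because people read a hostname from the left, while the domain that actually owns the page is read from the right. The snippet below is an added illustration, not code from the article or from Google's study: it uses the browser/Node URL API to pull out the registrable domain (public suffix plus one label) and compare it with the site the user believes they are on. The short suffix list is an assumption made for the demo; real browsers consult the full Public Suffix List.

```javascript
// Added example, not from the article or from Google's study. Shows why a URL
// like accounts.google.com.amp.tinyurl.com is not a Google page: the
// registrable domain is read from the RIGHT end of the hostname. Real browsers
// use the full Public Suffix List; this tiny list is an assumption for the demo.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Return the registrable domain (public suffix plus one label) for a URL,
// or null for non-http(s) URLs, bare suffixes and IP-address hosts.
function registrableDomain(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // not a parseable URL at all
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const host = url.hostname.toLowerCase();
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return null; // IP literal
  const labels = host.split(".");
  // Scanning from the left finds the longest public suffix first;
  // the registrable domain is that suffix plus the label before it.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: refuse to guess
}

// Does a URL really belong to the site the user thinks they are on?
function isSameSite(urlString, expectedDomain) {
  return registrableDomain(urlString) === expectedDomain.toLowerCase();
}

// Constructed sample URLs; the first is modelled on the one used in the study.
const SAMPLES = [
  "https://accounts.google.com.amp.tinyurl.com/login",
  "https://accounts.google.com/signin",
  "https://example.co.uk/path",
  "ftp://accounts.google.com/",
];
for (const u of SAMPLES) {
  console.log(u, "->", registrableDomain(u), "| google.com?", isSameSite(u, "google.com"));
}
```

Running it prints tinyurl.com for the study's URL and google.com only for the genuine one, which is precisely the distinction the survey participants failed to make.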
The team have concluded that positive security indicators are largely ineffective. The direction for Chrome will be to highlight negative indicators like unencrypted (HTTP) connections, which are marked as "not secure", rather than emphasise when a connection is secure.
Apple has already removed EV-certified company names from the Safari UI.
With both Chrome and Safari making no immediately visible distinction between EV and non-EV certificates, their value is doubtful. Security researcher Troy Hunt declared:
And that’s that - for all intents and purposes, EV is now dead: “the Chrome Security UX team has determined that the EV UI does not protect users as intended” https://t.co/W7kCKCCJR8— Troy Hunt (@troyhunt) August 10, 2019
Google's announcement will make it harder for certificate providers to market EV certificates. It is also another reason why you might just as well use free Let's Encrypt certificates: there is no EV from Let's Encrypt, but it no longer matters. ®