
Years ago (~2010-2019), Extended Validation (EV) certificates made a lot of sense. The user in their browser would see a clear difference between

  • a "grey" (http/not secured) website
  • a "green lock" (https normal certificate) website
  • and a "green lock with name of the company owning the website" (https ev certificate) website.

Back then, having such a certificate meant that normal users had a clear indication they were actually connected to the website they had in mind.

Today (~2021) in Chrome I no longer clearly see the "in your face" difference between a website with a normal certificate (like my homepage) and a website with an EV one. Knowing they exist, I actually had a hard time finding a website that still has one.

So my question is, in general: is there still any value for any website to have an EV certificate?

An EV certificate (screenshot not reproduced)

Niels Basjes

1 Answer

Is there still any value for any website to have an EV certificate?

Effectively, no, since most browsers now treat them the same as non-EV certificates.

Since fall 2019, the green bar and company information has been removed from all major browsers, such as Google Chrome, Mozilla Firefox, and Microsoft Edge (with Apple’s Safari browser having removed these indicators even earlier). (ssls.com)

If the difference isn't presented to the user, is there really a difference?

As you've shown, there is more information presented when you click through to an EV certificate, but how often will an end user click through? How many end users will understand that seeing the company name there implies anything different about the trust level of the certificate? The decision to bury this information has devalued it, and we will see fewer sites investing in an EV certificate as a result.

gowenfawr
    It's very much disappointing. At their very end I finally learned they had a really good use, because it's impossible to issue an EV cert off a private root even if the browser trusts the root, because no browser would trust the EV bits of a locally trusted root. – Joshua Feb 11 '21 at 23:01
  • @Joshua what's your source for that claim? I just got finished with an internet deep dive on the subject of EV and as far as I can tell the only motivation anyone would have to promote their use is CAs, to make money selling them now that Let's Encrypt gives out free certs. – Wildcard Jan 25 '22 at 19:35
  • @Wildcard: You can test for this same as I could. Pull a browser from archive that does something special with EV certs, make a private root, import the private root, and use that root to issue an EV cert. The browser won't treat the EV cert as an EV cert and do the fancy address bar thing. – Joshua Jan 25 '22 at 21:13
  • @Joshua that's still only a value proposition if users will actually change their behavior based on the absence of the fancy address bar thing. Which is pretty thoroughly disproven. Troy Hunt and Scott Helme both have some very insightful lengthy blog posts on the subject if you're not persuaded; I'm convinced EV never offered any real security improvements. (Not to mention the failures of CAs to strictly abide by the standards for EV issuance, which Scott Helme also describes in detail.) – Wildcard Jan 25 '22 at 21:55
  • @Wildcard: That's something of a different problem. What it was good for was detecting if your business had forgotten to exclude your bank or your healthcare provider from the SSL interception box like they were supposed to. – Joshua Jan 25 '22 at 22:09
  • @Joshua that's still possible without EV, and without the EV UI indicator. You just have to check the chain of trust for the cert presented by the bank's website and see that it goes to an appropriate CA. Which is what you should be doing anyway, if you care, and if you're unfortunate (or foolish) enough to have your browser deliberately compromised with a trusted private root cert (a.k.a. MITM by design). Again, relying on the absence of a particular UI indicator to change users' behavior isn't security and never was. – Wildcard Jan 25 '22 at 22:26
  • @Joshua but thanks for clarifying what you meant about browsers not trusting the EV bits of a locally trusted root (i.e. not showing the special green UI indicator for them). I still don't think that added any security, but now I understand your original comment. – Wildcard Jan 25 '22 at 22:27
  • EV certs failed to do what they implied: that a site was trustworthy. All they showed is that the site had a legitimate owner, but in no way guaranteed that they were honest to deal with. In the end, they provided no extra technical security over Let's Encrypt or cPanel certs. The latter ones don't even bother with the fields that we had to fill in for the bought ones. – Patanjali Sep 16 '23 at 12:53
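The check discussed in the comments above, as an added example that is not part of the question or answer: browsers only honoured the "EV bits" (the CA/Browser Forum EV policy OID) when the chain ended at a public root, so a leaf carrying that OID but issued from a locally added interception root never got EV treatment. The Go below, using only the standard library, implements that rule and exercises it on constructed certificates; the CA names, `bank.example`, and the function names are illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)

var oidEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1} // CA/B Forum EV policy OID (real value)
// IsEV mirrors the browser rule from the comments: the EV policy OID ("the EV bits") only
// counts when the chain ends at a public root, never at a root added to the local store.
func IsEV(leaf *x509.Certificate, publicRoots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: publicRoots, DNSName: host})
	return err == nil && slices.ContainsFunc(leaf.PolicyIdentifiers, oidEV.Equal)
}
// mint builds constructed test data: a self-signed CA when parent is nil, otherwise a server
// certificate for cn, issued by parent, whose certificatePolicies extension asserts the EV OID.
func mint(cn string, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = t, key
	} else {
		pol, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidEV}})
		t.DNSNames = []string{cn}
		t.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err) // cannot happen for this constructed data
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// Scenario: the same EV-looking bank.example leaf issued by a public root and by a corporate
// TLS-inspection root that exists only in the local store; expected result (true, false).
func Scenario() (fromPublicRoot, fromLocalRoot bool) {
	pubRoot, pubKey := mint("Public Root CA", 1, nil, nil)
	corpRoot, corpKey := mint("Corp TLS Inspection Root", 2, nil, nil)
	public := x509.NewCertPool()
	public.AddCert(pubRoot)
	leafPub, _ := mint("bank.example", 3, pubRoot, pubKey)
	leafCorp, _ := mint("bank.example", 4, corpRoot, corpKey)
	return IsEV(leafPub, public, "bank.example"), IsEV(leafCorp, public, "bank.example")
}
```

Both leaves carry the same EV OID; only the chain to a public root decides, which is exactly why a locally trusted interception root could never produce the green bar.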