29 August 2019
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
The developers of Chrome and Firefox have announced a major change in the handling of Extended Validation certificates. Previously these certificates were presented with a green bar in front of the URL that shows the company name. This will be removed in future Chrome and Firefox versions. The information will now be visible only when users click on the lock icon and view the connection details.
Extended Validation certificates contain validated information about a company, unlike Domain Validation certificates, for which the only custom information is the host name of the certificate. EV certificates are usually much more expensive.
Many in the security community have questioned the value of Extended Validation. The certificate authority industry has seen EV used to combat phishing, but that relies on users actually noticing the green bar.
The Google document justifying the change mentions several studies that overwhelmingly conclude that users rarely notice the green EV bar and don’t consider it helpful in making security decisions.
Other criticisms of EV certificates were raised by Ian Carroll, who was able to register a certificate for Stripe, Inc by registering a company with the same name.
Also, in several cases EV certificates with bogus or wrong information have been identified, indicating that the validation checks aren’t as thorough as certificate authorities claim. Certificates for companies located in Default City have been issued (Default City is the default location value used by OpenSSL), and others with inconsistent or wrong information are found on a regular basis.
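The placeholder problem described above can be checked mechanically. The following Python is an added example, not code from the newsletter or from any certificate authority: it parses a subject string, reports whether it carries organisation data or only a host name, and flags placeholder values. The function names, the placeholder list beyond "Default City", and the sample subjects are assumptions made for this illustration.

```python
# Added example: lint certificate subject strings for template placeholders.
# "Default City" is the value named in the text; the other entries are
# defaults from commonly shipped openssl.cnf templates (assumption added here).
PLACEHOLDERS = {
    "L": {"default city"},
    "ST": {"some-state"},
    "O": {"default company ltd", "internet widgits pty ltd"},
}

def split_rdns(dn):
    """Split an RFC 4514 style DN on unescaped commas, resolving backslash
    escapes so 'Example Widgets\\, Inc' stays one value (hex escapes and
    multi-valued RDNs are not handled)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def lint_subject(dn):
    """Report whether the subject carries organisation data (as EV
    certificates do) and list any placeholder values found in it."""
    attrs = {}
    for rdn in split_rdns(dn):
        name, _, value = rdn.partition("=")
        attrs.setdefault(name.strip().upper(), []).append(value.strip())
    findings = [
        f"{name}={value}"
        for name, bad in PLACEHOLDERS.items()
        for value in attrs.get(name, [])
        if value.lower() in bad
    ]
    return {"has_org": "O" in attrs, "org": attrs.get("O", []), "placeholders": findings}

# Constructed sample subjects (not taken from real certificates).
SAMPLES = [
    "CN=www.example.com",
    r"CN=shop.example.com,O=Example Widgets\, Inc,L=Default City,C=US",
    "CN=pay.example.org, O=Example Payments Ltd, L=Springfield, C=US",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", lint_subject(s))
```

A subject that passes this check is not thereby correct; the check only catches values that were never filled in.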