Bulletproof TLS Newsletter #56
Firefox and Chrome will remove GUI indicator for Extended Validation certificates
29 August 2019
Author: Hanno Böck

This issue was distributed to 51,592 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Firefox and Chrome will remove GUI indicator for Extended Validation certificates
  2. Short news

Firefox and Chrome will remove GUI indicator for Extended Validation certificates

The developers of Chrome and Firefox have announced a major change in the handling of Extended Validation certificates. Previously these certificates were presented with a green bar in front of the URL that shows the company name. This will be removed in future Chrome and Firefox versions. The information will now be visible only when users click on the lock icon and view the connection details.

Extended Validation certificates contain validated information about a company, unlike Domain Validation certificates, for which the only custom information is the host name of the certificate. EV certificates are usually much more expensive.

Many in the security community have questioned the value of Extended Validation. The certificate authority industry has seen EV used to combat phishing, but that relies on users actually noticing the green bar.

The Google document justifying the change mentions several studies that overwhelmingly conclude that users rarely notice the green EV bar and don’t consider it helpful in making security decisions.

Other criticisms about EV certificates were raised by Ian Carroll, who was able to register a certificate for Stripe, Inc by registering a company with the same name.

Also, in several cases EV certificates have been identified with bogus or wrong information, indicating that the validation checks aren’t as thorough as certificate authorities claim. Certificates for companies located in Default City have been issued (Default City is the default location value used by OpenSSL), and others with inconsistent or wrong information are found on a regular basis.
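
The kind of check the paragraph above implies, as an added example (not code from the newsletter, a CA or a browser): a lint that parses a certificate subject string and flags config defaults such as Default City. The function names, the placeholder values other than Default City, and the sample subjects are assumptions made for this illustration.

```python
import re

# Config defaults that should never survive into an issued certificate.
# "Default City" is the value named in the text above; the others are further
# well-known openssl.cnf defaults, added here as an assumption.
PLACEHOLDERS = {
    "L": {"default city"},
    "O": {"default company ltd", "internet widgits pty ltd"},
    "ST": {"some-state"},
    "C": {"xx"},
}

def parse_dn(dn):
    """Split an RFC 4514 style subject string into (attribute, value) pairs.

    A comma escaped with a backslash (an organization named "X, Inc") stays
    inside the value. Hex-pair escapes and multi-valued RDNs are out of scope.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        value = re.sub(r"\\(.)", r"\1", value.strip())  # drop the escapes
        pairs.append((attr.strip(), value))
    return pairs

def lint_subject(dn):
    """Return a list of findings for placeholder or malformed subject fields."""
    findings = []
    for attr, value in parse_dn(dn):
        if not value:
            findings.append(f"{attr}: empty value")
        elif value.lower() in PLACEHOLDERS.get(attr, ()):
            findings.append(f"{attr}: OpenSSL default value {value!r}")
        elif attr == "C" and not re.fullmatch(r"[A-Z]{2}", value):
            findings.append(f"C: not a two-letter country code: {value!r}")
    return findings

# Constructed sample subjects, not taken from real certificates.
SAMPLES = [
    "CN=shop.example,O=Example Trading\\, Inc,L=Default City,ST=Kentucky,C=US",
    "CN=pay.example,O=Example Payments\\, Inc,L=Springfield,ST=Some-State,C=usa",
    "CN=ok.example,O=Example GmbH,L=Berlin,ST=Berlin,C=DE",
]

if __name__ == "__main__":
    for subject in SAMPLES:
        print(subject, "->", lint_subject(subject) or "clean")
```

A lint like this only catches values that are obviously unvalidated; it says nothing about whether a plausible-looking company name or address was actually verified.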

Short news
