Chrome bumps ineffective EV certificates off the omnibar

Be strong, gentle reader, for change is coming: soon, the name Sophos will blink out and disappear from your Chrome omnibar, like so:

Just kidding! If you’re like many people, you have never, ever noticed that Sophos, and plenty of other brands, plunked down money to get its trusted name up there in that combined address/search bar, and there’s a very good chance that you haven’t changed your browsing behavior just because that name was missing.

According to research from Google’s Chrome Security UX team, you’ve gone right ahead and input your credit card or password even if that badge was missing. So just to keep things simple, and streamlined, and to save precious real estate in the omnibar that’s now being squatted on by names like Sophos, or, say, PayPal, Chrome is going to tuck that badge away under Page Info, which is accessed by clicking the lock icon (which is staying put).

This will happen starting in Chrome Version 77, released today.

Some background: that badge indicates that a company has ponied up for what’s known as an Extended Validation (EV) certificate, which can be displayed in Chrome, in Firefox or in other browsers. When you go to paypal.com, you’ll see that “PayPal, Inc.” text displayed next to the lock, to the left of the site’s address in Chrome’s omnibox.

An EV certification is one of three types of Transport Layer Security (TLS) certificates: domain-validated, organization-validated and extended validation. The difference between them is that, from left to right, there’s more rigorous, and more expensive, checking to see that you are who the certificate says you are.

But in order for EV certificates to deliver that extra security, users have to actually recognize what the presence of the EV badge means, and therefore what the absence of the EV badge means …and then to actually change their behavior if the badge is missing.

But no, that’s not what happens. Google user testing says that users don’t make different decisions in the absence of an EV certificate.

As Google’s Devon O’Brien explained in a Chromium forum post on Sunday:

The Chrome Security UX team has determined that the EV UI does not protect users as intended.

Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.

The EV badge not only takes up valuable screen real estate, he said. Sometimes, it also prominently displays “actively confusing” company names. All of that gets in the way of Google’s push toward “neutral, rather than positive, display for secure connections,” O’Brien said.

In other words, this is another one of the small browser changes that’s going to re-frame security for users, similar to how Google has been re-framing HTTPS from exception to norm by switching its UI from saying HTTPS is “secure” to saying HTTP is “insecure”. With this move, it’s taking aim one level deeper, at the TLS certificates required for HTTPS to work.

Not that EV certificates are going away, mind you. They’re just being tucked down:

Because of these problems and its limited utility, we believe it belongs better in Page Info.

Have I Been Pwned creator Troy Hunt declared EV certificates dead nearly a year ago, right after Apple removed them from Safari on iOS in September 2018 and right before it was about to do the same with Safari on Mojave. Chrome had already stopped displaying it on mobile clients.

Ditto for Firefox. In its own “EV certs are dead” announcement, Mozilla said that starting in desktop Firefox 70, the EV badges will be moved from the identity block (the left-hand side of the URL bar that’s used to display security/privacy information). It will instead be adding additional EV information to the identity panel instead, “effectively reducing the exposure of EV information to users while keeping it easily accessible.”

Mozilla called out the same bad juju that Google did: the same lack of EV cert display effectiveness, as well as “proof of concepts [that] have been pitting EV against domains for phishing.”

This is a reference to work done by Ian Carroll, who spent $100 to register a colliding entity name and got an EV cert for it. Specifically, as Hunt explained, Carroll registered “Stripe Inc” in a different US state than that of the payment processor you’d normally associate the name with. For another $77 to get the EV cert, plus one hour, Carroll set himself up with a convincing company name on a valid, legally obtained EV cert from which to phish were he to be a crook.

Here’s Hunt:

The only proponents of EV seemed to be those selling it or those who didn’t understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place.