Version 77 of Google's Chrome web browser will no longer indicate whether a site has an EV (Extended Validation) certificate unless the user delves into the Page Info dialog.
EV certificates, introduced in 2007, are issued only after the issuer has verified that the applicant is a genuine legal entity: companies must have a physical and commercial presence, and government and non-commercial entities are verified by their own procedures. The baseline requirements for an EV certificate are set by the CA/Browser Forum, whose guidelines list objectives such as helping to protect users against phishing and identity fraud, as well as making it easier to investigate scammers.
Such certificates cost more and require manual checks by the issuer on top of the automated verification that the applicant controls the domain the certificate is for. Web browsers have generally signalled that an EV certificate is in use by showing the company name alongside the padlock in the address bar.
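The EV indicator is only a rendering of fields already present in the leaf certificate, so it is worth seeing what a client actually has to find before it may show one: the CA/Browser Forum EV policy OID (2.23.140.1.1) in the certificatePolicies extension, plus the validated identity attributes (organization, jurisdiction, business category, registration number) that the EV guidelines require in the subject. The Go program below is an added example, not code from Chrome, Google or any CA; the certificates it inspects are self-signed test data it generates itself, and the names InspectEV, MakeDemoCert and EVDetails are this example's own. It also covers the edge case of a certificate that asserts the EV OID but omits the identity fields, which a client should not present as EV.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	// CA/Browser Forum EV policy OID. CAs may also assert their own EV OIDs, which
	// browsers map per trust anchor; that per-root mapping is not modelled here.
	evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	// Subject attributes the EV Guidelines require beyond O and C.
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// EVDetails is what a client must pull from the leaf before showing an EV indicator.
type EVDetails struct {
	IsEV                                                             bool
	Organization, Jurisdiction, BusinessCategory, RegistrationNumber string
}

// InspectEV reports whether cert asserts the EV policy OID together with the
// identity attributes EV requires; the OID alone is not enough.
func InspectEV(cert *x509.Certificate) EVDetails {
	var d EVDetails
	for _, p := range cert.PolicyIdentifiers {
		d.IsEV = d.IsEV || p.Equal(evPolicyOID)
	}
	if len(cert.Subject.Organization) > 0 {
		d.Organization = cert.Subject.Organization[0]
	}
	d.RegistrationNumber = cert.Subject.SerialNumber
	for _, atv := range cert.Subject.Names { // Names holds every parsed attribute
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidBusinessCategory) {
			d.BusinessCategory = s
		} else if ok && atv.Type.Equal(oidJurisdictionCountry) {
			d.Jurisdiction = s
		}
	}
	if d.Organization == "" || d.BusinessCategory == "" || d.Jurisdiction == "" || d.RegistrationNumber == "" {
		d.IsEV = false
	}
	return d
}

// policyInfo is the ASN.1 PolicyInformation SEQUENCE with qualifiers omitted.
type policyInfo struct{ Policy asn1.ObjectIdentifier }

// MakeDemoCert builds a self-signed leaf as constructed test data, not a real CA-issued
// certificate. kind: "ev" (EV OID plus EV subject fields), "dv" (domain only), "oid-only".
func MakeDemoCert(kind string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if kind == "ev" || kind == "oid-only" {
		// Emit certificatePolicies by hand so the result does not depend on which of
		// PolicyIdentifiers/Policies the installed Go version marshals.
		val, err := asn1.Marshal([]policyInfo{{Policy: evPolicyOID}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	if kind == "ev" {
		tmpl.Subject.Organization = []string{"Example Corp"}
		tmpl.Subject.Country = []string{"GB"}
		tmpl.Subject.SerialNumber = "12345678" // company registration number
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: "GB"},
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, kind := range []string{"ev", "dv", "oid-only"} {
		cert, err := MakeDemoCert(kind)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-9s %+v\n", kind, InspectEV(cert))
	}
}
```

A real browser does more than this: it only treats the leaf as EV after validating the chain to a root it has explicitly marked EV-capable, and it accepts CA-specific EV OIDs from its per-root list as well as 2.23.140.1.1. None of that changes with Chrome 77; what changes is only where the result is displayed.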
The existing Chrome screen for an EV certificate
Now the Chrome security team has announced that "as of version 77, Chrome will move this user interface to the information on the page, which is accessed by clicking on the lock icon".
The reason is simple. "Through our own research, as well as a survey of previous academic work, the Chrome Security UX team has determined that the EV user interface does not protect users as intended … users do not seem to make safe decisions (such as not entering the password or credit card information) when the user interface is altered or deleted, as would be necessary for the EV user interface to provide significant protection."
Earlier this year, Google researchers published the results of an extensive survey in which Chrome and Safari users were asked how much they trusted a website with and without various indicators, including the EV display. The depressing conclusion was that "browser identity indicators, such as connection security indicators, do not help users make security decisions." Eighty-five percent of users saw nothing strange about a Google login page at the fake URL accounts.google.com.amp.tinyurl.com, citing things like "Google is a secure company" or saying they trusted the page because its content seemed familiar.
The team has concluded that positive security indicators are largely ineffective. Chrome's direction is therefore to highlight negative indicators, such as unencrypted (HTTP) connections, which are marked "Not secure", rather than to emphasize when a connection is secure.
Apple has already removed the names of EV-certified companies from the Safari UI.
With neither Chrome nor Safari making an immediately visible distinction between EV and non-EV certificates, the value of EV certificates is doubtful. Security researcher Troy Hunt stated:
And that's it: for all intents and purposes EV is now dead: "the Chrome Security UX team has determined that the EV user interface does not protect users as expected" https://t.co/W7kCKCCJR8
– Troy Hunt (@troyhunt) August 10, 2019
Google's announcement will make it harder for certificate providers to market EV certificates. It is also one more reason to use the free Let's Encrypt certificates: there is no Let's Encrypt EV, but that no longer matters. ®