
Extended Validation Certificates Are Really Dead

162 points by dyates, almost 6 years ago

12 comments

Ajedi32, almost 6 years ago
It's actually kind of unfortunate, as in some ways an organization's name is a much more meaningful expression of identity than a domain name is. When I visit the website for my bank, I don't really care that the entity I'm communicating with owns "mybank.com". What I, and I suspect most people, are really concerned with is that the entity they're communicating with is the same physical, real-world organization they opened a bank account with in the past.

The problem is that legal corporation names are much harder to verify than domain names, and even once verified they don't always match user expectations (as Ian Carroll so aptly demonstrated with his Stripe Inc. certificate). Furthermore, and perhaps partially as a result of the aforementioned issues, browsers don't treat EV certificates in a way which would allow any meaningful security guarantees to be built on top of them.

I wonder if there are ways this situation could be improved. Brand names, for example, are probably more likely to match user expectations than legal company names. Perhaps an alternative to EV could be built around that idea.

Ajedi32, almost 6 years ago
Direct link to explainer doc in the Chromium source: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md (Permalink version https://chromium.googlesource.com/chromium/src/+/bccea73462da42b6366dd4d8dc391ee07c615312/docs/security/ev-to-page-info.md)

Chrome mailing list announcement: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI

Firefox mailing list announcement: https://groups.google.com/forum/#!topic/firefox-dev/6wAg_PpnlY4

Firefox bugzilla issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1572936

ocdtrekkie, almost 6 years ago
The irritating thing is that EV is the closest thing to a useful thing PKI can provide[1]. And the only reason it's being pushed out is because Google doesn't like it and hence Chrome has been retiring it. Google's previously indicated it essentially wants to build its own system[2] that is... effectively EV. So this is probably the death of a problematic but fixable open system which will be replaced by a proprietary Google-owned one.

Firefox is, of course, following the monopoly lead.

[1] HTTPS encryption itself doesn't meaningfully require public key infrastructure, it's just that without PKI, you don't know who sent the encrypted traffic. Since domains are terrible "identities" and it's common for large organizations to use many of them that sound similar to scam domains, domain validation really doesn't tell anyone anything about whether or not they're talking to a trustworthy entity.

[2] Basically Google said it wants to "invent" EV certs here, late last year: https://www.wired.com/story/google-wants-to-kill-the-url/

herpderperator, almost 6 years ago
I'm pretty disappointed by this. I definitely trust what I see a lot more when I see the legal entity name in the URL through an EV cert. I don't really understand why it's being removed. It's more difficult to get an EV cert because of the additional legal process, and it makes it clear to the user that the website is run by that entity, which is exactly what we want...

With Google removing https:// from the URL and EV being gone, I don't even know what to trust anymore.

tgsovlerkhgsel, almost 6 years ago
EV had one advantage: It allowed browser vendors to push for improved standards (like Certificate Transparency adoption) with minimal push-back. It's easy to complain about expensive security measures for run-of-the-mill certificates, it's much harder to argue about such measures for special extra-secure ones.

And since CAs wanted the EV cash cow, they implemented CT and other improvements, and once they had the code, they had little reason to object against applying the same requirement to regular certificates.

Another advantage is that when my bank requires me to enter a verified-by-visa password on lookslikephishingbutreallyismybank.com, I can actually verify (with a reasonable degree of certainty) who the site belongs to - even if they could, attackers generally won't go through the effort of getting a similar name. But that's a power user feature.

SAI_Peregrinus, almost 6 years ago
Good riddance, IMO. They never meant much to begin with, the validation procedures were basically "can you pay the fee?", and they only added to user confusion.

stefan_, almost 6 years ago
I don't understand the glee, *schadenfreude* even. So because the UI side of things didn't work out, it is an improvement that now all certificates will go back to the "crusty Perl script fetching a side-channel secret from a webserver" method of "validation"?

On the contrary, we should just push for extended validation on all certificates. Whether they come with a fancy UI or not.

Because if we are on the topic of https UI effectiveness, then I'm pretty sure *everything we have right now* is doing a horrible job and could be removed with much the same tenuous reasoning.

jillesvangurp, almost 6 years ago
I just replaced an EV certificate with a free AWS provided one on our website. We jumped through a lot of hoops a few years ago to get our EV certificate. This was a tedious process that involved form filling, credit cards, lots of waiting and poorly documented ways of handling the actual certificates. I actually had to append some text files to that were sent via email to get a valid thing that nginx actually understood, etc. I lost non-trivial amounts of time with this. Because it was so tedious, we went for long lived certificates. When we switched to Amazon we preserved our investment and uploaded the certificate to AWS and used it on an ALB.

Since then the market has changed a lot. E.g. Letsencrypt happened and several companies, including Amazon, now offer very convenient ways of getting certificates. So, last week the process was as follows: 1) I created a new certificate in the region where I needed it. 2) after waiting for it to deploy, I selected it from a drop down on the ALB where it was needed. End of story. It will take care of renewal, adds no extra cost, and requires no fiddling with text files.

bronzeage, almost 6 years ago
seems like you are completely missing the use case, if you think EV certificates are for frequently visited websites.

I, for one, always make sure my bank has EV before I enter the password. the fact that most people don't doesn't change the fact that it does provide additional trust for those who are aware. security isn't all or nothing.

the second use case is when you first visit a website, which potentially asks for credit card number or anything sensitive, it does improve your trust and reduces the friction with lesser known websites. of course PayPal, as a well known and trusted website doesn't need it - nobody is asking themselves if they should trust PayPal. again, it's probably not a security boundary, and it's probably not impossible to generate bogus ev certs, it's better than nothing.

cevn, almost 6 years ago
What about for Windows development? I just ordered one through my company in order to bypass 'untrusted app' dialogs that my non tech savvy users can't figure out.

vbezhenar, almost 6 years ago
Why do we need multiple CAs now? Keep letsencrypt and distrust everyone else. Their business is dead anyway. Domain validation is an automated process and does not require much income to keep working. Just like DNS Roots works without competition.

nailer, almost 6 years ago
As someone with a direct interest in this (I run https://certsimple.com, a startup that focuses on streamlining the EV verification process), this is predictable but still hilarious:

> Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended (see Further Reading in the Chromium document). Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.

Chrome has never tested a verification marker that resembles ANY of the common standards for verification used on Twitter, Whatsapp, Facebook, Apple's App Store or Google Play.

No research into better indicators has been done because Google do not wish to do research into better indicators. Decisions are:

- made by one individual who believes users should be able to detect bad sites because they "don't look right"

- supported by another person who thinks users can use DNS to decide whether sites are real. Ask a regular web user, or even an infosec expert to determine which out of "google.im", "google.co.uk" and "withgoogle.com" is actually controlled by Google.

- and further supported by somebody else who thinks a study of IE7's UI:

    foo.com VeriSign [US]

is relevant research (see this article).

Yes UX designed in the mid-2000s, prior to modern verification standards, is sub optimal.

I've suggested Google's UX people investigate better alternatives for years. They're not interested.

The CAs aren't that much better either (being slow to realise how much the market is changing around them) but Google are absolutely not interested in finding out what would be possible with a modern verification UI, or making sure users know who they're connected to.