Will tomorrow mark the beginning of the end for EV certificates?

in #security, 2 years ago

Most people won't know what is happening tomorrow. We are probably more familiar with 11th September, the date of a terrible terrorist attack 18 years ago. I am not discussing the 11th September attack today; instead, I am talking about the demise of EV (extended validation) certificates, starting tomorrow.

Enough suspense. Tomorrow is actually the date on which Chrome 77 is officially released. This version of the world's most used browser is set to kick-start the beginning of the end of EV certificates.



What are EV certificates?

EV certificates are a tier of SSL certificate that offers a higher degree of authentication. For those who are not familiar, SSL certificates are required for websites to implement SSL/TLS encryption, which encrypts your web traffic so that others cannot simply sniff your data over the air. Apart from being an integral part of the SSL/TLS protocol, the certificate is also commonly used to identify a legitimate domain.

SSL certificates are generally issued by publicly known certificate authorities (CAs). In order to procure an SSL certificate, the purchaser needs to prove to the CA that they are the legitimate owner of the website. Hence, having an SSL certificate issued by a CA creates a level of trust between users and website owners. Issuance of EV certificates requires a much more stringent process; therefore, most CAs claim that having an EV certificate provides a stronger level of trust.
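To make the difference between the tiers concrete, here is an added example (not code from the original post) that classifies a certificate as DV, OV or EV from its subject attributes, using the dict layout that Python's ssl.SSLSocket.getpeercert() returns. Browsers actually decide EV status from the certificate's policy OID against a per-CA list they ship, which getpeercert() does not expose, so the check below relies on the subject attributes the CA/Browser Forum EV Guidelines require (businessCategory, serialNumber, jurisdictionCountryName); the three sample subjects are constructed, and the "display_name" mimics the "Company Name [US]" badge that Chrome 76 showed.

```python
"""Classify a TLS certificate as DV, OV or EV from its subject attributes.

Added example, not code from the original post. It works on the dict layout
that Python's ssl.SSLSocket.getpeercert() returns, where 'subject' is a tuple
of RDNs and each RDN is a tuple of (attribute, value) pairs. The three
sample certificates below are constructed for the demo, not real ones.
"""

# Subject attributes that the CA/Browser Forum EV Guidelines require in an
# EV certificate, in addition to the organizationName that OV certs carry.
EV_REQUIRED_SUBJECT_FIELDS = frozenset({
    "businessCategory",          # e.g. "Private Organization"
    "serialNumber",              # registration number at the incorporating agency
    "jurisdictionCountryName",   # country of incorporation (Chrome 76 showed it in brackets)
})


def subject_to_dict(subject):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: [values]}."""
    flat = {}
    for rdn in subject:
        for attribute, value in rdn:
            flat.setdefault(attribute, []).append(value)
    return flat


def classify_certificate(cert):
    """Return the validation tier implied by the subject, plus what a browser
    that still renders EV identity (Chrome 76, Firefox 69) would display."""
    subject = subject_to_dict(cert.get("subject", ()))
    organization = subject.get("organizationName", [None])[0]
    missing = sorted(EV_REQUIRED_SUBJECT_FIELDS - set(subject))

    if organization and not missing:
        level = "EV"
        # The EV badge shows the verified legal name and its jurisdiction,
        # not the domain name: "Example Corp [US]".
        display_name = f"{organization} [{subject['jurisdictionCountryName'][0]}]"
    elif organization:
        level = "OV"
        display_name = None
    else:
        level = "DV"   # domain-validated only, e.g. a free Let's Encrypt cert
        display_name = None

    return {
        "level": level,
        "common_name": subject.get("commonName", [None])[0],
        "display_name": display_name,
        "missing_ev_fields": missing,
    }


# Constructed sample subjects in getpeercert() layout (not real certificates).
SAMPLE_DV = {"subject": ((("commonName", "blog.example.net"),),)}

SAMPLE_OV = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "www.example.com"),),
)}

SAMPLE_EV = {"subject": (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "C1234567"),),
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "www.example.com"),),
)}


if __name__ == "__main__":
    for name, cert in (("DV", SAMPLE_DV), ("OV", SAMPLE_OV), ("EV", SAMPLE_EV)):
        print(name, classify_certificate(cert))
```

Note that the "missing_ev_fields" list is the useful output for an administrator: an OV certificate is not a broken EV certificate, it simply never carried the incorporation details, and no browser UI change alters that.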



What is new in Chrome 77?

In Chrome 76, if the website is using an EV certificate, the full company name is displayed (left of the screenshot below). With Chrome 77, that is dropped and the site is just shown with a padlock, the same as any other SSL certificate, including the ones you get for free from "Let's Encrypt".



Why did they implement this change? According to the Chromium development team,

Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.

So basically they are saying that users do not recognise the difference, so why waste precious space in the browser displaying something which makes no difference? Having been the SSL certificate administrator at my previous company, I am aware of the difference between a standard SSL certificate and an EV one. But, to be frank, I personally do not make an active effort to check whether a site is using an EV certificate or not. Hence, I kind of agree with the Chromium devs.

So who does this affect the most?

Most users probably do not care about this change and it will be business as usual for them. However, for the certificate-issuing companies, their business is certainly going to take a hit. Some of us might still recall that an EV certificate used to be displayed something like this on Chrome, with a big, bright green badge that really stood out.


You can still see this familiar sight if you are using the Firefox browser. Here is one from MEW:


But wait, isn't Firefox also going to change its UI and remove the big green bar? Yes, you heard right. Shortly after the Chrome devs announced the UI tweak, the Firefox devs did the same. Here is what it is going to look like when Firefox 70 is released on 22 Oct:



With major browsers making these UI changes, buying an EV certificate no longer seems worthwhile. Personally, I think the EV certificate was never an effective way to improve trust and promote secure user behaviour in the first place. It was, however, marketed as essential by the CAs. Granted, EV certificates should cost more given the additional checks needed for an EV certificate request, but charging 50% more seems a little too exorbitant :)


So I guess the fun days when the CAs could earn extra profits from EV certificates will soon be over. It will be interesting to see what new product differentiation they introduce next. For now, I think it is sunset for EV certificates.

The "Raise to 50" Initiative

Under 50 SP and finding it hard to do much on this platform? I might just be able to raise your SP to 50. Check this post to find out more!

This article is created on the Steem blockchain. Check this series of posts to learn more about writing on an immutable and censorship-resistant content platform:


Hello @culgin, friend. Thank you for this excellent publication; however, I must mention that I particularly use Firefox, and until now it has not disappointed me. Of course, one should not be closed to trying new things in technology. Now, as users, many times we do not know what happens under the table, and one trusts that when we browse it does everything it needs to do for us to work and use it without problem.
As the programmers say, they will make their changes and the users will not realize.

but I repeat I only use Firefox.

Greetings friend. I hope you are very well.

I use Firefox too. I will soon write a post on Firefox and why people should use it

Howdy dear @culgin.

Interesting and informative article.

I am a Chrome user and certainly, as you said, these new changes may not be noticed by ordinary users, but will impact the companies issuing EV certificates.

My preference for Chrome is based on the storage of my keys for the sites where I have registered. I always use the keys suggested by the browser and give it all storage control.

I hope that these changes to the new version do not affect this storage system at all because this would really drive me totally crazy if I lost my keys.

Thanks for sharing.

Your friend, Juan.

Do you mean you store your passwords on the Chrome browser?

I actually have to ditch Chrome because recently it started to slow down all my applications.

Consider jumping onto the Firefox bandwagon? ;)

Company policy, a big no to firefox

Thank you so much for writing this, or else I wouldn't have known that there will be a new release, Chrome 77, and also about EV. I had never known about EV, but with your post I finally know what EV is. 😊

Thanks for your comment! And I'm glad it is useful


Hi @culgin

I'm one of those people, who did not know anything about mentioned "tomorrow" (it's already today!)

Consider sharing this post on "project hope" telegram channel with others. I think everyone could benefit from reading this publication. Personally I didn't hear about EV until today. So thx for bringing it up.

Would you think that simple websites (one-pagers) need any certificates? Is users' trust needed while they are visiting just simple/informative sites (which do not collect any data)?

Personally I always preferred Firefox over chrome, and currently I'm testing Brave Browser. I'm sure you've heard about this one as well.


Under 50 SP and finding it hard to do much on this platform? I might just be able to raise your SP to 50.

Did many users contact you asking for delegation? Just curious.

Cheers, upvote on the way!

Thanks for dropping by again my friend. I am trying to only post economic/blockchain/crypto/investment/Steem related posts to the Tele group. But since you asked me to, I have broadcasted it :)

On your question, if it is just a one-pager site, there is no functional reason to put an SSL certificate on it. However, for aesthetic reasons, you might still want to have one. That is because browsers like Chrome are starting to display a red warning on sites without SSL encryption. Hence, if you don't want your visitors to be alarmed, it still makes sense to install a free certificate (e.g. from Let's Encrypt).

I prefer Firefox too. I heard of Brave because of Basic Attention Token. Earning BAT by viewing ads isn't enabled for my country yet, so I don't see an incentive to switch.

As for my #raiseto50 initiative, so far I have delegated to 2 Steemians. If you have any new users you want to help, feel free to refer them to me :)

I just realized that I never actually thanked you for this amazing comment @culgin


@culgin, without any doubt this aspect falls under the subject of "unimportant", because many don't look towards that aspect; in turn, many just take a look at whether a particular website is safe or not.

Has anyone found that blockchain could actually solve this ridiculous monopoly of SSL certs? Or am I just being bully out here?

I mean... it has ALL it needs to implement what we have currently as CA's! At least...

Then the derived structure is just a matter of scale... Need to put this to my blockchain homework...

Would love to see this implemented... I am sick of creating SSL certs...

You are right. Blockchain can certainly be used to replace most, if not all, of the functions a CA performs. For instance, the CRL and OCSP can be ported to a public blockchain, open for browsers to query.

The main "value" a CA brings is that they do the work of verifying the ownership of the domain. That portion can technically be automated as well, by using the DNS TXT record verification method. With that automated, it can be verified in a decentralized manner.

It will be nice to see someone embark on this project. Perhaps "Let's Encrypt" will be the most likely candidate for such an implementation.
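The DNS TXT record verification mentioned in the reply above, as an added example that is not part of the original thread and not code from Let's Encrypt or any CA: it follows the shape of the ACME DNS-01 challenge (RFC 8555 section 8.4) that Let's Encrypt uses. Both sides of the exchange run in one process. The requester derives the TXT value from the validator's random token and its own account-key thumbprint and publishes it into a constructed in-memory zone; the validator recomputes the value and "resolves" it from that same dict instead of a real DNS resolver. The thumbprint is a random stand-in rather than a real JWK thumbprint, and names such as publish_txt and make_resolver are this example's own.

```python
"""Domain-control check via a DNS TXT record, in the shape of the ACME
DNS-01 challenge (RFC 8555 section 8.4) that Let's Encrypt uses.

Added example, not code from the original thread or from any CA. Both sides
of the exchange are simulated in one process: the requester publishes the
record into a constructed in-memory zone, and the validator "resolves" from
that same dict instead of a real resolver. publish_txt and make_resolver
are this example's own helpers.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_challenge_token() -> str:
    """Validator side: a fresh random token for one challenge."""
    return b64url(secrets.token_bytes(32))


def txt_record_value(token: str, account_key_thumbprint: str) -> str:
    """Requester side: derive the TXT value. The key authorization binds the
    validator's token to the requester's account key, so only the party that
    holds that key can compute the right answer."""
    key_authorization = f"{token}.{account_key_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """DNS name the validator queries for the challenge record."""
    return f"_acme-challenge.{domain}"


def publish_txt(zone: dict, domain: str, value: str) -> None:
    """Requester side: add the TXT value to the zone (here a constructed dict)."""
    zone.setdefault(challenge_name(domain), []).append(value)


def make_resolver(zone: dict):
    """Stand-in for a DNS TXT lookup; returns all values under a name."""
    return lambda name: list(zone.get(name, []))


def validate_dns01(domain: str, token: str, account_key_thumbprint: str, resolve_txt) -> bool:
    """Validator side: recompute the expected value and look for it in DNS.
    The constant-time comparison avoids leaking how much of a guess matched."""
    expected = txt_record_value(token, account_key_thumbprint)
    found = resolve_txt(challenge_name(domain))
    return any(hmac.compare_digest(record, expected) for record in found)


def demo(domain: str = "example.com") -> dict:
    """Run one honest validation and two that must fail."""
    zone = {}                                      # constructed DNS zone
    thumbprint = b64url(secrets.token_bytes(32))   # stand-in for a JWK thumbprint
    token = new_challenge_token()

    publish_txt(zone, domain, txt_record_value(token, thumbprint))
    resolve = make_resolver(zone)

    return {
        "honest": validate_dns01(domain, token, thumbprint, resolve),
        # Seeing the token is not enough: without the account key the
        # correct record cannot be produced.
        "wrong_key": validate_dns01(domain, token, b64url(b"not-the-key"), resolve),
        # A record left over from an earlier challenge does not satisfy a new token.
        "stale_token": validate_dns01(domain, new_challenge_token(), thumbprint, resolve),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the construction is that the proof lives in DNS, which the domain holder already controls, rather than in a document a human reviews: whoever can publish under _acme-challenge.<domain> and holds the account key passes, and nobody else does. What a real deployment adds on top is querying several authoritative servers for the zone and checking DNSSEC where available, so that a single poisoned resolver cannot satisfy the check.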

Please do remember me if you find something like this... I would be the kind of guy to launch something like this =)

I think the EV certificate is not an effective way to improve trust and promote secure user's behavior in the first place.

Yep! Maybe Mozilla (DoH) could be even more effective at improving trust, protecting user privacy and promoting secure user behaviour, among many other things. Yeah! Screw CAs!! ;)

I have to do updates on my computer.

My PC is a Pentium and I use Win7. I really need a change.

Chrome keeps me running around with its updates and its synchronization with Windows.

I hope these changes don't affect the smaller users!

Hello dear @culgin, to be honest I am sure that most of the users of these search engines are not aware of these certificates; in my case, it is only now that I find out what these types of certificates are and that they exist.

Thanks for the information. I like staying on top of developments as popular as these. Though, I wonder if there is something significant that motivated this change.

Hi @culgin you were sponsored by @coach.piotr for the HoboDAO content contest and you won 1st place!

You received an upvote and resteem from the HoboDAO.

