Most people won't know what is happening tomorrow. We will probably be more familiar with 11th September, which marks the date of a terrible terrorist attack 18 years ago. I am not discussing the 11th September attack today; instead, I am talking about the demise of EV (extended validation) certificates, which starts tomorrow.
Enough suspense. Tomorrow is the date on which Chrome 77 is officially released. This version of the world's most used browser is set to kick-start the beginning of the end of EV certificates.
What are EV certificates?
EV certificates are a tier of SSL certificate that offers a higher degree of authentication. For those who are not familiar, SSL certificates are required for websites to implement SSL/TLS encryption. This encrypts your web traffic so that others cannot just sniff your data over the air. Apart from being an integral part of the SSL/TLS protocol, the certificate is also commonly used to identify a legitimate domain.
SSL certificates are generally issued by publicly known certificate authorities (CAs). In order to procure an SSL certificate, the purchaser needs to prove to the CA that they are the legitimate owner of the website. Hence, an SSL certificate issued by a CA creates a level of trust between users and website owners. Issuance of EV certificates requires a much more stringent process. Therefore, most CAs claim that having an EV certificate provides a stronger level of trust.
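The tier difference described above is recorded in the certificate itself, so it can be checked without any browser badge. The following is an added example, not code from the original post: the function names and sample certificates are constructed for illustration, the subject check is only a heuristic, and the authoritative marker is the CA/Browser Forum policy OID, which Python's `ssl.getpeercert()` does not expose and which the caller must therefore supply.

```python
# Added example (not from the original post). Sample certificates are constructed.
# Certificates use the dict shape returned by ssl.SSLSocket.getpeercert().

# Subject attributes an EV certificate carries beyond a plain domain name,
# per the CA/Browser Forum EV Guidelines (OpenSSL long attribute names).
EV_SUBJECT_FIELDS = {"organizationName", "businessCategory",
                     "jurisdictionCountryName", "serialNumber"}

# CA/Browser Forum policy OIDs, strongest tier first. getpeercert() does not
# expose them, so the caller supplies them when another parser has them.
POLICY_TIERS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}


def subject_fields(cert):
    """Flatten getpeercert()'s tuple-of-RDNs subject into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_tier(cert, policy_oids=()):
    """Return (tier, warnings); the subject check is a heuristic only."""
    subject = subject_fields(cert)
    if EV_SUBJECT_FIELDS.issubset(subject):
        by_subject = "EV"
    elif "organizationName" in subject:
        by_subject = "OV"
    else:
        by_subject = "DV"
    by_policy = next((t for oid, t in POLICY_TIERS.items() if oid in policy_oids), None)
    warnings = []
    if by_policy and by_policy != by_subject:
        # A policy OID that disagrees with the subject contents deserves a closer look.
        warnings.append(f"policy says {by_policy}, subject looks like {by_subject}")
    return by_policy or by_subject, warnings


EV_SAMPLE = {"subject": (  # constructed
    (("jurisdictionCountryName", "US"),), (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),), (("countryName", "US"),),
    (("organizationName", "Example Corp"),), (("commonName", "www.example.com"),),
)}
DV_SAMPLE = {"subject": ((("commonName", "example.org"),),)}  # constructed

if __name__ == "__main__":
    for label, cert in (("EV sample", EV_SAMPLE), ("DV sample", DV_SAMPLE)):
        print(label, validation_tier(cert))
```

Browsers additionally require the EV policy OID to chain to a root they recognise for EV, which this sketch does not model.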
What is new in Chrome 77?
In Chrome 76, if the website is using an EV certificate, the full company name is displayed (left of screenshot below). With Chrome 77, that is dropped and only a padlock is shown, the same as for any other SSL certificate, even the one you get for free from "Let's Encrypt".
Why do they implement this change? According to the Chromium development team,
Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.
So basically they are saying that users are not recognizing the differences and therefore, why should they waste precious space on the browser to display something which doesn't make a difference? Being an SSL certificate administrator of my previous company, I am aware of the difference between a standard SSL certificate and an EV one. But, to be frank, I personally do not make an active effort to see if a site is using an EV certificate or not. Hence, I kind of agree with the Chromium devs.
So who does this affect the most?
Most users probably do not care about this change and it will be business as usual for them. However, for the certificate issuing companies, their business is certainly going to take a hit. Some of us might still recall that an EV certificate used to be displayed something like this on Chrome, with a bright and big green badge that really makes a difference.
You can still see this familiar sight if you are using the Firefox browser. Here is one from MEW,
But wait, Firefox is also going to change their UI to remove the big green bar too? Yes, you heard it right. Shortly after Chrome devs announced the UI tweak, Firefox devs did the same. And here is what it is going to be like when Firefox 70 is released on 22 Oct,
With major browsers making these UI changes, buying an EV certificate no longer seems so worthwhile. Personally, I think the EV certificate was not an effective way to improve trust and promote secure user behavior in the first place. It was, however, marketed as essential by the CAs. Granted, EV certificates should cost more given that additional checks are needed for an EV certificate request, but charging 50% more seems a little too exorbitant :)
So I guess the fun days where the CAs can earn extra profits from EV certificates will soon be over. It will be interesting to see what new product differentiation they will introduce next. For now, I think it is sunset for EV certificates.
This article is created on the Steem blockchain.