Chrome, Firefox to expunge Extended Validation cert signals

Google and Mozilla have decided to eliminate the visual signals that their Chrome and Firefox desktop browsers show for special digital certificates meant to assure users that they landed at a legitimate site, not a malicious copycat.

The certificates, dubbed “Extended Validation” (EV) certificates, were a subset of the usual certificates used to encrypt browser-to-server-and-back communications. Unlike run-of-the-mill certificates, EVs can be issued only by a select group of certificate authorities (CAs); to acquire one, a company must go through a complicated process that validates its legal identity as the site owner. They’re also more expensive.

The idea behind EVs was to give web users confidence that they were at their intended destination, that the site computerworld.com, for instance, was owned by its legal proprietor, IDG, and not a fishy – and phishy – URL run by It’s Crooks All the Way Down LLC and chockablock with malware. Browsers quickly took to the concept, rewarding EV-secured sites with in-your-face visual cues, notably the verified legal identity in front of the domain in the address bar. The identity was often shaded in green as an additional tip-off. (Chrome dismissed the green in September 2018 as of Chrome 69.)

But Google and Mozilla claim that EVs are no longer worth calling out in their browsers’ address bars.

“Through our own research as well as a survey of prior academic work, the Chrome Security UX [user experience] team has determined that the EV UI [user interface] does not protect users as intended,” Google wrote in an online document detailing why it is scrubbing EV evidence from the address bar. “Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.”

Plus, Google added, the legal entity’s name takes up valuable browser real estate.

Copyright © 2019 IDG Communications, Inc.





