
Google to bury indicator for Extended Validation certs in Chrome because users barely took notice

Not working as intended, says browser security team

The next version of Google's Chrome web browser, 77, will not indicate whether a site has an EV (Extended Validation) certificate unless the user drills down into the Page Info dialogue.

EV certificates, introduced in 2007, are issued only after verifying that the applicant is a genuine legal entity. Businesses must have a physical existence and business presence, and government or non-commercial entities are also verified. The baseline requirements for an EV certificate are set by the CA/Browser Forum, which lists the objectives as helping to protect users against phishing and identity fraud, as well as making it easier to investigate fraudsters.

Such certificates are more expensive, involving the issuer in human checks as well as automated verification that the applicant controls the site for which the certificate is required. Web browsers typically show when an EV certificate is used by displaying the company name alongside the padlock symbol in the address bar.

The existing Chrome display for an EV certificate - will be gone in the next version

Now the Chrome Security Team has announced that "starting in Version 77, Chrome will move this UI to Page Info, which is accessed by clicking the lock icon."

The reason is simple. "Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended... users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection."

Earlier this year, Google researchers published the results of an extensive survey, in which users of the Chrome and Safari browsers were quizzed about how much they trusted a website with and without various indicators, including display of EV information. The depressing conclusion was that "browser identity indicators, like connection security indicators, do not help users make security decisions". 85 per cent of users saw nothing strange about a Google login page with the fake URL accounts.google.com.amp.tinyurl.com, citing things like "Google is a secure company" or that they trusted the page because its contents looked familiar.
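The lookalike URL in that survey works because the brand name sits in the subdomain labels while the registrable domain (the part someone actually owns) is tinyurl.com. The following Python is an added example, not code from the article or from Google; it extracts the registrable domain from a URL and flags hostnames where a brand's domain appears only as a non-owning prefix. The `MULTI_LABEL_SUFFIXES` set is a constructed, deliberately tiny stand-in for the Public Suffix List; a real deployment would load the full list.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation loads the complete list rather than this handful).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname: the part a registrant actually owns."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    # A known two-label public suffix (e.g. co.uk) needs three labels kept.
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def owner_of_url(url: str) -> str:
    """Registrable domain of the host in a URL (empty string if no host)."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) if host else ""


def _contains_labels(host: str, brand: str) -> bool:
    """True if brand's labels appear as a contiguous run of host's labels."""
    h = host.split(".")
    b = brand.split(".")
    return any(h[i:i + len(b)] == b for i in range(len(h) - len(b) + 1))


def brand_spoof_risk(url: str, brand_domain: str) -> bool:
    """True when the brand's domain shows up in the hostname but the
    registrable domain belongs to someone else: the pattern from the survey."""
    host = (urlsplit(url).hostname or "").lower()
    brand = brand_domain.lower()
    if not host:
        return False
    return registrable_domain(host) != brand and _contains_labels(host, brand)


if __name__ == "__main__":
    # Constructed sample URLs, including the one quoted in the article.
    for u in ("https://accounts.google.com.amp.tinyurl.com/login",
              "https://accounts.google.com/signin",
              "https://www.example.co.uk/"):
        print(u, "->", owner_of_url(u), "| spoof risk:",
              brand_spoof_risk(u, "google.com"))
```

The design point is that the warning is driven by the owner of the host, not by whether a familiar string appears in the address bar, which is exactly the distinction the surveyed users failed to make.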

The team have concluded that positive security indicators are largely ineffective. The direction for Chrome will be to highlight negative indicators like unencrypted (HTTP) connections, which are marked as "not secure", rather than emphasise when a connection is secure.

Apple has already removed EV-certified company names from the Safari UI.

With both Chrome and Safari making no immediately visible distinction between EV and non-EV certificates, their value is doubtful. Security researcher Troy Hunt declared:

Google's announcement will make it harder for certificate providers to market EV certificates. This is also another reason why you might just as well use free Let’s Encrypt certificates – no EV from Let's Encrypt, but it no longer matters. ®
