It's not easy being green: EV HTTPS cert seller Sectigo questions Chrome's logic in burying EV HTTPS cert info

Seeing as Google thinks no one cares about location records, we'll remove street addresses from all our sites, says compliance chief


Sectigo’s chief compliance officer has hit out at Google for minimizing the visibility of Extended Validation HTTPS certificates in Chrome.

These are the certificates that contain verified details about the owner of the cert, such as its legal name, government-issued business ID number, and physical location. These records can be displayed in, or easily accessed from, the browser's address bar. The information is manually verified by humans at the certificate issuer before the cert is handed over. The idea is that if someone arrives at a website and wants to be certain it's operated by, say, their bank, they can check the verified details of the owner and see that, indeed, yes, it is their bank.

Google all but hid these extra details in a Chrome update a couple of years ago, arguing that netizens couldn't care less if a site is protected by an EV or a vanilla HTTPS cert – it won't stop them putting in their credit card number or password. Others in the industry have questioned the usefulness of EV certs.

In a chat with The Register, Sectigo CCO Tim Callan said his biz, which among other things is one of the biggest sellers of EV HTTPS certificates, was "going to remove street and postal information from all of our public sites," seeing as Google thinks no one cares where a business is based.


"Once upon a time, if you went back to the 2000s, that information was very visible in the browser," Callan said, "and it was considered to be an important value-add, because when I went to your browser, I could drop down and I could see where this business was located."

Over the years, however, browser makers have given the "little green padlock" increasingly less prominence, said Callan – and by browser makers, he means one in particular: Google.

"Like in some browsers, it's very difficult to even find it. And you have to really know what you're doing... Firefox does a good job of displaying certificate information around but in Chrome, that stuff is buried. Burying is such an awkward word. But that'll do – burying of that information."

Burying is indeed what the number-one browser-maker did: when visiting a website that uses an EV HTTPS cert, desktop Chrome 88 displays the owner's legal name under the heading 'Certificate' when you click on the now-grey padlock icon in the URL bar. To get to the location, you need to click on the name, then in the pop-up box click on the 'Details' tab, scroll to the 'Subject' certificate field and then squint at the records in the 'Field Value' box, in which you'll hopefully find the business serial number and official physical location.
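Whatever Chrome chooses to display, the verified details are still inside the certificate's Subject field and the EV policy OID is still in its certificatePolicies extension. The following is an added example, not code from the article, Sectigo or Google, that checks a certificate for the CA/Browser Forum EV policy OID and pulls the verified owner fields out of the Subject; it assumes the Python `cryptography` library and builds a constructed self-signed sample for a hypothetical "Example Bank" rather than using a real EV certificate.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
# CA/Browser Forum EV Guidelines policy OID; an EV cert asserts it in certificatePolicies.
CABF_EV_POLICY = x509.ObjectIdentifier("2.23.140.1.1")
# Subject attributes the EV Guidelines require; Chrome's padlock popup surfaces only O.
EV_FIELDS = {
    "legal_name": NameOID.ORGANIZATION_NAME, "business_category": NameOID.BUSINESS_CATEGORY,
    "registration_number": NameOID.SERIAL_NUMBER,
    "jurisdiction_country": NameOID.JURISDICTION_COUNTRY_NAME,
    "street": NameOID.STREET_ADDRESS, "locality": NameOID.LOCALITY_NAME, "country": NameOID.COUNTRY_NAME,
}
REQUIRED = ("legal_name", "business_category", "registration_number", "jurisdiction_country")

def ev_identity(cert):
    """Return owner details for a well-formed EV cert; None if the EV OID or a mandatory field is missing."""
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return None
    if not any(p.policy_identifier == CABF_EV_POLICY for p in policies):
        return None
    # First value of each attribute, or None when the Subject lacks it entirely.
    details = {label: next((a.value for a in cert.subject.get_attributes_for_oid(oid)), None)
               for label, oid in EV_FIELDS.items()}
    # An EV OID without the mandatory identity fields is malformed: refuse partial identity data.
    return details if all(details[k] for k in REQUIRED) else None

def make_self_signed(subject_attrs, ev):
    """Constructed sample: a self-signed cert, optionally asserting the EV policy OID."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in subject_attrs])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90)))
    if ev:
        policy = x509.CertificatePolicies([x509.PolicyInformation(CABF_EV_POLICY, None)])
        builder = builder.add_extension(policy, critical=False)
    return builder.sign(key, hashes.SHA256())

# Constructed subjects for a hypothetical bank (not a real organisation or a real cert).
EV_SUBJECT = [
    (NameOID.COUNTRY_NAME, "US"), (NameOID.LOCALITY_NAME, "Anytown"),
    (NameOID.STREET_ADDRESS, "1 Example Plaza"), (NameOID.ORGANIZATION_NAME, "Example Bank N.A."),
    (NameOID.BUSINESS_CATEGORY, "Private Organization"), (NameOID.SERIAL_NUMBER, "000000"),
    (NameOID.JURISDICTION_COUNTRY_NAME, "US"), (NameOID.COMMON_NAME, "bank.example"),
]
DV_SUBJECT = [(NameOID.COMMON_NAME, "bank.example")]
```

Feed `ev_identity` a certificate loaded with `x509.load_pem_x509_certificate` to read the same fields from a site's real cert without clicking through Chrome's Details tab.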

With desktop Firefox 78, you click on the grey padlock in the URL bar, and see the verified name in a drop-down box; click on the right-pointing arrow, and it opens up a panel containing the legal name and address. And this is after Firefox's developer Mozilla also downgraded the prominence of EV certs: what used to be a green indicator in the URL bar is now text in a dialog box. Apple's Safari followed suit.

Callan said Google had justified its move within the browser security certificate community by insisting the decision was "data driven." The Chocolate Factory said at the time: "The Chrome Security UX team has determined that the EV UI does not protect users as intended ... users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed." Thus, we're told, it doesn't matter if the EV info is obvious or hidden away.


“Sure, after you have systematically removed everything that a consumer would see,” sniffed Callan, comparing the certificate to “hazard lights in my car.” He said: “I will use them once a year. But when I need them, I need them. And I need to know where they are. And the fact that I don't use them 364 days a year does not diminish their importance on that other day.”

A couple of years ago, the CA/Browser Forum, the industry's standards-setting body, mulled cutting new HTTPS certificate lifetimes by half, from 27 months to 13 months, at the suggestion of Googler Ryan Sleevi. This would mean certificate-buying organizations would need to renew them roughly annually, thus theoretically boosting revenues for certificate issuers – unless said organizations use free certificates from Let's Encrypt, which is backed by, among many others, the Google Chrome team.

The argument for shorter certificate lifespans is that it encourages organizations to use the latest and greatest encryption protocols with their certs, and minimizes the damage potentially done if a certificate falls into the hands of fraudsters: the crooks can masquerade as a legit outfit with the certificate for no more than about a year. Let's Encrypt's free vanilla certs are valid for 90 days at a time, and it provides tools to automate their regular renewal.

Sectigo, meanwhile, charges $465 a year for a multi-domain EV HTTPS certificate, if you purchase one for five years; the price goes up if you opt for a shorter duration. That does come with 24-hour support, we note. Whether or not you agree that Extended Validation certs are useful, it is in Sectigo's interests to have browsers prominently display the certificates' embedded data, or else its EVs are mostly pointless.

Google has long championed the widespread adoption of HTTPS, seeking for it to be the default, secure protocol for fetching web content everywhere for everyone. Its love for HTTPS stops at EV, it seems.

A spokesperson for Google was not available for comment. ®


Biting the hand that feeds IT © 1998–2022