Extended Validation Certificates are Dead

142395 · Sep 27, 2018

https://www.troyhunt.com/extended-validation-certificates-are-dead/

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS (it'll also be gone in Mac OS Mojave when it lands next week):
Click to expand...

I've been observing decrease for EV cert and continuing change how each browser (including mobile) show cert info. I'm not happy about both, but can understand that majority of user don't care it so it's the inevitable consequences.
I found an old thread: tho it's problematic that CA didn't check name collision it still doesn't mean EV is completely useless - it's just benefit of EV don't balance to its cost especially as these CA do poor job.
So do we just have to rely on URL and DV cert to identify sites? And trust these CT scheme which seems to have full of issues?

guest · Aug 12, 2019

Extended Validation Certificates are (Really, Really) Dead
August 13, 2019
https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

Almost one year ago now, I declared extended validation certificates dead. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they already weren't displaying it on mobile clients).
The only proponents of EV seemed to be those selling it or those who didn't understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place.

The writing might have been on the wall a year ago, but the death warrant is now well and truly inked with both Chrome and Firefox killing it stone cold dead. Here's the Google announcement: [...] And here's the Firefox announcement: [...]
With both browsers auto-updating for most people, we're about 10 weeks out from no more EV and the vast majority of web users no longer seeing something they didn't even know was there to begin with!

I will admit to some amusement in watching all this play out, partly because the ludicrous claims about EV efficacy really come crashing down when it's no longer visible to the end user.
Click to expand...

But it's the reasons why they're doing this that I find particularly interesting, for example in the Chrome announcement:

Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.
That absolutely nails it - users aren't going to change their behaviour when they see a DV padlock rather than an EV entity name.

In fact, Mozilla went even further and referenced the great work that Ian Carroll did when he registered a colliding entity name and got an EV cert for it:

More recently, it has been shown that EV certificates with colliding entity names can be generated by choosing a different jurisdiction. 18 months have passed since then and no changes that address this problem have been identified.
Click to expand...

Log in or Sign up

Extended Validation Certificates are Dead

142395 Guest

guest Guest

Log in or Sign up

Extended Validation Certificates are Dead

142395 Guest

guest Guest

Useful Searches