Browsers removing extended validation indicators? We can do better
Internet privacy and security is a hot topic, and has been for years. You don’t need to look far to see news of major data breaches, phishing schemes and stolen identities.
The U.S. Congress is working on regulations to protect internet users, and the EU has adopted the GDPR. And yet now, the simple symbol of encryption and validity, the extended validation (EV) indicator in browsers, is being dismissed and discontinued. Both Google and Mozilla have announced their plans to remove the simple EV user interface (UI) feature.
What is EV and why is it important?
For the past decade, organizations have used the EV process when obtaining SSL/TLS certificates for their websites. This standardized, multi-step process entails a certificate authority (CA) confirming that the organization controlling the certificate’s domain is in good standing, that the organization is legitimate, that the address and phone number of the organization are correct, and finally confirming the authority of the person ordering the certificate.
All this information, which can take weeks or months to compile and verify, is inserted into the EV certificate and is cryptographically signed to prevent imitation and alteration.
The main alternative to the EV certificate is the domain validated (DV) certificate. Issuing a DV certificate is a short, often automated process which confirms only that a website owner controls the domain in the DV certificate. No owner identity or contact information is included.
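As an added example (not code from the article), the following Go check classifies an already parsed leaf certificate by the validation level its contents actually support: it looks for the CA/Browser Forum EV policy OID together with the identity attributes an EV subject carries (organization name, registration serial number, business category, jurisdiction of incorporation), and treats a subject that names no organization as DV. The sample certificate structs and the rule that an organization name without the EV policy counts as OV are the example's own assumptions.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)
// CA/Browser Forum policy OIDs (asserted by the CA in certificatePolicies) and
// the subject attributes the EV Guidelines require beyond O and serialNumber.
var (
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)
// ValidationLevel returns "EV", "OV" or "DV" for a parsed leaf certificate. EV
// requires the EV policy OID AND the verified identity fields in the subject (the
// parser fills Subject.Names with every DN attribute); O alone is OV; else DV.
func ValidationLevel(c *x509.Certificate) string {
	s, ev := c.Subject, false
	for _, p := range c.PolicyIdentifiers {
		ev = ev || p.Equal(oidEV)
	}
	missing := map[string]bool{oidBusinessCategory.String(): true, oidJurisdictionCountry.String(): true}
	for _, atv := range s.Names {
		delete(missing, atv.Type.String())
	}
	switch {
	case ev && len(s.Organization) > 0 && s.SerialNumber != "" && len(missing) == 0:
		return "EV"
	case len(s.Organization) > 0:
		return "OV"
	}
	return "DV"
}
// Constructed certificate structs (not real, signed certificates): an EV leaf and a CN-only DV leaf.
func sampleEV() *x509.Certificate {
	return &x509.Certificate{PolicyIdentifiers: []asn1.ObjectIdentifier{oidEV},
		Subject: pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Corp"},
			SerialNumber: "1234567", Country: []string{"US"},
			Names: []pkix.AttributeTypeAndValue{
				{Type: oidBusinessCategory, Value: "Private Organization"},
				{Type: oidJurisdictionCountry, Value: "US"}}}}
}
func sampleDV() *x509.Certificate {
	return &x509.Certificate{PolicyIdentifiers: []asn1.ObjectIdentifier{oidDV},
		Subject: pkix.Name{CommonName: "www.example.com"}}
}
func main() { fmt.Println(ValidationLevel(sampleEV()), ValidationLevel(sampleDV())) } // EV DV
```

In a real client the input would come from `tls.ConnectionState().PeerCertificates[0]`; the point is that the identity a browser can display is only what the certificate itself carries.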
Why can we no longer trust the lock?
Until recent years, phishing and malware were found almost exclusively on unencrypted http websites. Scammers didn’t need to spend the time or money needed to obtain even a DV certificate. Internet users were also trained to “look for the lock,” which indicates an SSL certificate (DV or EV).
Before long, Chrome and Firefox began using “not secure” warnings when users tried to access unsecured, http websites. Around the same time, Let’s Encrypt began offering its anonymous, automated DV certificates to everyone, phishers included (in part through financial support from Google and Mozilla). Phishing on DV certificate-holding websites – which display the lock – has skyrocketed, while phishing on EV certificates remains very rare.
According to research that included a study of 3,494 encrypted phishing websites in February 2019, EV certificates account for 0 percent of phishing websites, OV (organization validated) certificates account for 4.15 percent of phishing websites, and a staggering 95.85 percent of phishing websites have DV certificates.
In short, the lock icon shown on DV websites should not inspire much trust. Browsers have been using a distinctive EV UI to help internet users identify websites with EV certificates. This UI goes beyond the lock icon and displays more identifying information from the website’s EV certificate.
Why will the EV UI be discontinued?
The main reasoning that browser companies give for removing EV indicators in 2019 is that users don’t understand or act on them, and that these indicators are therefore unnecessary. But this argument misses the mark. EV indicators contain valuable information that contributes to the safety of internet users. Rather than taking away this valuable resource, browsers should take this opportunity to educate users on the resource and its importance.
Additionally, not all internet users are created equal. While there certainly are those that may not use or understand EV indicators, others do. Removing EV indicators stands to hurt those who rely on them. Looking deeper, even more users may ignore EV indicators when their internet experience is positive. But these users tend to become more aware of security certificates once affected by a hack or a phishing scheme.
Browsers can do better.
To relate EV indicators to the physical world, let us consider seatbelts. Most people would never ride in a car without a seatbelt, one of the most common positive safety indicators. We expect a seatbelt to be available when riding in a vehicle, and we expect it to look, feel and operate in a certain way. Adopting the seatbelt took a cultural shift in knowledge and expectations, but now, it is a ubiquitous and consistent sign of security.
The EV indicator can, given proper resources, become as constant, important and understood as the seatbelt. Just as seatbelts have become standardized, browser companies and operating systems should work together to make the EV UI a standardized symbol across all browsers and devices.
Rather than discard the EV indicator, browser companies and operating systems should recognize that the EV indicator is a valuable tool, one that has the potential to change, adapt and grow as the internet landscape develops. With how vastly EV certificates differ from DV certificates, now is the time to educate the public and raise awareness to help users protect themselves from phishing scams.