Bob Southwell asked:

do we need EV SSL certificates any more?

Given the turf wars between Firefox and Google over how they handle and display "secure" web sites, are EV SSL Certificates of any value any more?  

To the general public user that is; I know the CAs think they are of value!

The green bar of IE was nice in its day but that has long gone. A LetsEncrypt certificate site looks pretty much the same as an EV certificate site now to all intents and purposes. I mean, how many users are actually checking this - real world users that is, not us.

And are there any policies enforceable by anything that would prevent accessing a NON-EV certificated site?

Last comment: David Favor, 8/22/2022 (Mon)
David Johnson, CD

The only added value of Extended Validation Certificates was the green bar. There is no difference in the encryption methods or strength.
Martyn Spencer

For banking, I definitely teach friends and family to click the padlock and check the certificate if they want some degree of assurance that they connected to the correct site. I guess an EV certificate gives a little more assurance that it is XYZ bank's site that you are connected to. I am interested to know if this is not the case.
David Favor

About EV certs. All major browsers have removed all Green Bar indicators.

You can see this in action by clicking https://WellsFargo.com or any other bank in any recent browsers (say... last 2ish years of updates) which will show you the EV info is now gone.

If you happen to see any EV info, when you update your browser likely this will disappear.

So... there's really no visual cue of additional security with EV certs anymore.

The primary reason EV visual cueing was removed relates to David Johnson's comments.

The security of a cert is determined when the cert is initially generated + is exactly the same across all certs, EV or not.

The EV scam... er... process for allocating these was expensive + time consuming + provided no additional security, so the visual cues related to EV certs were removed.
Martyn Spencer

In Firefox at least, I see that the certificate was issued to, for example, Lloyds Bank PLC, or in your example Wells Fargo and Company, so that would imply that the organisation has been verified. It is now hidden one click away, but still visible. I don't see this with LE or non EV certificates. Is this likely to be removed any time soon? I am not in any way suggesting that EV certificates are "better" than non-EV. I do think that there is some merit in being able to tell a user how to confirm "Yes, you are securely connected and yes it is your bank".
David Favor

All browsers show issuance chain... which is meaningful to technically inclined folks...

I always use the Grandmother Test.

Yes, I might personally right click on a cert + look at the issuance chain...

Would my Grandmother? Nope. Even if she did, what would the data mean to her?

I use this same test with SEO... running searches... like my Grandmother would run, to test SEO.

Grandmother Test - Highly useful.
Martyn Spencer

It's not the chain I am speaking of; what I am mentioning is literally one click away. I click the padlock and see "Wells Fargo" etc. My grandma, had she still been around, could certainly do that. My parents certainly do. Now, if seeing that info is totally meaningless, I am prepared to say that an EV cert is useless. If the info can be relied upon, then it still has some limited value. I would be interested to read any verifiable source that says that one should not rely upon that information and for what reason. I am not seeking to be argumentative, I am genuinely interested.
Martyn Spencer

I am most interested in whether or not it can still be considered that the first of the two primary purposes is still met with an EV certificate, i.e. to identify the legal entity that controls a web site.
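As an added example (not code from this thread or from any browser vendor), the following Go check pulls out exactly what is still one click behind the padlock: the Subject O= name and the CA/Browser Forum certificate-policy OID that states the vetting level (2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.1 for DV). The self-signed certificate, the host name bank.example and the organization strings are constructed here so it runs offline; on a real connection the same IdentityClaim function would be fed the leaf certificate from tls.ConnectionState().PeerCertificates[0].

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum reserved certificatePolicies OIDs and the vetting level each asserts.
var cabLevels = map[string]string{
	"2.23.140.1.1":   "EV",
	"2.23.140.1.2.2": "OV",
	"2.23.140.1.2.1": "DV",
}

// IdentityClaim reports the vetting level a leaf cert asserts via its policy OIDs and the organization its Subject names.
func IdentityClaim(c *x509.Certificate) (level, org string) {
	if len(c.Subject.Organization) > 0 {
		org = c.Subject.Organization[0]
	}
	for _, p := range c.PolicyIdentifiers {
		if l, ok := cabLevels[p.String()]; ok {
			return l, org
		}
	}
	return "unknown", org // no CAB Forum OID: do not infer any vetting from O= alone
}

// NewTestCert builds a self-signed cert (constructed sample, not a real CA product) with the given O= and policy OID.
func NewTestCert(org []string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	type policyInfo struct{ ID asn1.ObjectIdentifier }
	polExt, _ := asn1.Marshal([]policyInfo{{policy}}) // SEQUENCE OF PolicyInformation
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "bank.example", Organization: org},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		// 2.5.29.32 = certificatePolicies, encoded by hand so it builds the same on any Go version
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polExt}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The third case in the test below is the one to watch for: an O= name with no CAB Forum policy OID is a string the issuer wrote, not evidence of vetting, so the function refuses to upgrade it to OV or EV.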
David Johnson, CD

Personally I believe that the browsers' removal of the EV information (green bar) is doing a disservice to the users of the browser. With Google Chrome being the browser of preference, and Google being an advertising company first and foremost, I can see them depreciating the value of the EV certificate, this being the effect on advertising revenue and the customers' preference for the EV green bar.
David Favor

I tend to agree with David Johnson about this.

The problem that precipitated dropping the Green Bar indication was same problem with normal certs.

Some companies were charging a few dollars/year/EV other people were charging $1000/year/EV.

So marketing hype set who could be convinced into paying a few dollars versus $1000s, with most companies providing very little actual value for their EV process... In other words, you could hack the entire EV process easily, yet the browsers made it look like EV cert sites were somehow more trustworthy.

The entire normal cert + EV cert ecosystem was highly corrupt.

This led to the creation of HTTPS everywhere initiative, then https://LetsEncrypt.org free certs, then dropping both the lock indicator + the EV green bar indicator from browsers, replacing the cert indicator with a malicious site warning for non-HTTPS sites (eventually).

A complex mess.
Bob Southwell

Thanks all.
David Favor

You're welcome!