Do we need EV SSL certificates any more?

Bob Southwell
Given the turf wars between Firefox and Google over how they handle and display "secure" web sites, are EV SSL Certificates of any value any more?  

To the general public user that is; I know the CAs think they are of value!

The green bar of IE was nice in its day but that has long gone. A LetsEncrypt certificate site looks pretty much the same as an EV certificate site now to all intents and purposes. I mean, how many users are actually checking this - real world users that is, not us.

And are there any policies enforceable by anything that would prevent accessing a NON-EV certificated site?
Top Expert 2016

Commented:
Extended Validation Certificates' only added value was the green bar. There is no difference in the encryption methods or strength.
Martyn Spencer, Software Developer / Linux System Administrator

Commented:
For banking, I definitely teach friends and family to click the padlock and check the certificate if they want some degree of assurance that they connected to the correct site. I guess an EV certificate gives a little more assurance that it is XYZ bank's site that you are connected to. I am interested to know if this is not the case.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
About EV certs. All major browsers have removed all Green Bar indicators.

You can see this in action by clicking https://WellsFargo.com or any other bank in any recent browsers (say... last 2ish years of updates) which will show you the EV info is now gone.

If you happen to see any EV info, when you update your browser likely this will disappear.

So... there's really no visual cue of additional security with EV certs anymore.

The primary reason EV visual cueing was removed relates to David Johnson's comments.

The security of a cert is determined when the cert is initially generated + is the exact same across all certs, EV or not.

The EV scam... er... process for allocating these was expensive + time consuming + provided no additional security, so the visual cues related to EV certs were removed.
Martyn Spencer, Software Developer / Linux System Administrator

Commented:
In Firefox at least, I see that the certificate was issued to, for example, Lloyds Bank PLC, or in your example Wells Fargo and Company, so that would imply that the organisation has been verified. It is now hidden one click away, but still visible. I don't see this with LE or non EV certificates. Is this likely to be removed any time soon? I am not in any way suggesting that EV certificates are "better" than non-EV. I do think that there is some merit in being able to tell a user how to confirm "Yes, you are securely connected and yes it is your bank".
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
All browsers show issuance chain... which is meaningful to technically inclined folks...

I always use the Grandmother Test.

Yes, I might personally right click on a cert + look at the issuance chain...

Would my Grandmother? Nope. Even if she did, what would the data mean to her.

I use this same test with SEO... running searches... like my Grandmother would run, to test SEO.

Grandmother Test - Highly useful.
Martyn Spencer, Software Developer / Linux System Administrator

Commented:
It's not the chain I am speaking of; what I am mentioning is literally one click away. I click the padlock and see "Wells Fargo" etc. My grandma had she still been around could certainly do that. My parents certainly do. Now, if seeing that info is totally meaningless, I am prepared to say that an EV cert is useless. If the info can be relied upon, then it still has some limited value. I would be interested to read any verifiable source that says that one should not rely upon that information and for what reason. I am not seeking to be argumentative, I am genuinely interested.
Exec Consultant
Distinguished Expert 2018
Commented:
Actually, I see that only policy owners see EV certs as still useful and needed, while the other "camp" of developers sees that it is not necessary anymore, with the trend of it having no real impact on user awareness. Troy Hunt said it all on the demise of the EV cert:
To be clear, EV isn't gone completely, you can still drill down and inspect the certificate. For the (roughly) 0.0001% of people who know what EV is, which sites should have it and are willing to adapt their behaviour in its absence, inspecting the certificate is easy.

The immutable fact here is that any security control that is predicated on user self-assessment simply doesn't work consistently and reliably unless it's overtly obvious via a negative visual indicator (i.e. Chrome's phishing site warning). I know you *want* it to work differently, but it doesn't.
That said, the CA/Browser Forum has released its refined EV guidelines for CA compliance, and also for organisations that need to (or would like to) adopt and comply with Qualified Web Authentication Certificates (QWACs), which are EV certificates with an additional vetting process. QWACs are a particular type of SSL/TLS certificate specified by the EU eIDAS regulation and may be required to meet certain regulatory compliance (e.g., Payment Services Directive 2). Some regulations such as PCI-DSS and IRS tax guidelines require or recommend EV SSL certificates specifically.

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.0.pdf
https://www.ssl247.com.co/psd2
https://www.paymentscardsandmobile.com/psd2-explained-payment-services-directive-created/
Martyn Spencer, Software Developer / Linux System Administrator

Commented:
I am most interested in whether or not it can still be considered that the first of the two primary purposes is still met with an EV certificate, i.e. to identify the legal entity that controls a web site.
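The two comments above from Martyn Spencer turn on what the certificate itself records about the legal entity: the Subject Organization that the padlock dialog shows as "issued to", which a DV certificate (Let's Encrypt, for instance) does not carry. The following is an added example, not code from this thread or any of its participants: it builds two constructed, self-signed certificates with Go's standard library and reads back the Subject Organization and the CA/Browser Forum EV policy OID (2.23.140.1.1) that every EV certificate must assert. The hostnames, the organisation name "Example Bank PLC" and the makeCert helper are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs: every EV certificate asserts 2.23.140.1.1; DV certs use 2.23.140.1.2.1.
var evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
var dvPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
// Classify returns what the leaf certificate itself claims: the Subject Organization shown as "issued to"
// (empty for DV) and whether the EV policy OID is asserted. It assumes the TLS client already validated the chain.
func Classify(cert *x509.Certificate) (org string, ev bool) {
	if len(cert.Subject.Organization) > 0 {
		org = cert.Subject.Organization[0]
	}
	for _, oid := range cert.PolicyIdentifiers {
		ev = ev || oid.Equal(evPolicyOID)
	}
	return org, ev
}
// makeCert builds a constructed self-signed certificate for this demonstration only. The
// certificatePolicies extension (2.5.29.32) is written raw so it round-trips on every Go version.
func makeCert(host string, org []string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on a working system
	pol, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}}) // SEQUENCE OF PolicyInformation
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: host, Organization: org},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	cert, _ := makeCert("bank.example.test", []string{"Example Bank PLC"}, evPolicyOID)
	org, ev := Classify(cert)
	fmt.Printf("issued to %q, EV policy asserted: %v\n", org, ev)
}
```

Pointed at a real site, Classify would be run on the leaf certificate the TLS client already verified; it only reports what the CA vouched for, so the answer to "can the information be relied upon" is the same as the answer to "do you trust the issuing CA's vetting".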
Top Expert 2016

Commented:
Personally I believe that the browsers' removal of the EV information (green bar) is doing a disservice to the users of the browser. With Google Chrome being the browser of preference, and Google being an advertising company first and foremost, I can see them depreciating the value of the EV certificate. This being the effect on advertising revenue and the customers' preference for the EV green bar.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
I tend to agree with David Johnson about this.

The problem that precipitated dropping the Green Bar indication was the same problem as with normal certs.

Some companies were charging a few dollars/year/EV, other people were charging $1000/year/EV.

So marketing hype set who could be convinced into paying a few dollars versus $1000s, with most companies providing very little actual value for their EV process... In other words, you could hack the entire EV process easily, yet the browsers made it look like EV cert sites were somehow more trustworthy.

The entire normal cert + EV cert ecosystem was highly corrupt.

This led to the creation of HTTPS everywhere initiative, then https://LetsEncrypt.org free certs, then dropping both the lock indicator + the EV green bar indicator from browsers, replacing the cert indicator with a malicious site warning for non-HTTPS sites (eventually).

A complex mess.
Bob Southwell, Computer Guru

Author

Commented:
Thanks all.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You're welcome!