Explore SharePoint 2016, the web-based, collaborative platform that integrates with Microsoft Office to provide intranets, secure document management, and collaboration so you can develop your online and offline capabilities.
do we need EV SSL certificates any more?
Given the turf wars between Firefox and Google over how they handle and display "secure" web sites, are EV SSL Certificates of any value any more?
To the general public user that is; I know the CAs think they are of value!
The green bar of IE was nice in its day but that has long gone. A LetsEncrypt certificate site looks pretty much the same as an EV certificate site now to all intents and purposes. I mean, how many users are actually checking this - real world users that is, not us.
And are there any policies enforcable by anything that would prevent accessing a NON-EV certificated site?
To the general public user that is; I know the CAs think they are of value!
The green bar of IE was nice in its day but that has long gone. A LetsEncrypt certificate site looks pretty much the same as an EV certificate site now to all intents and purposes. I mean, how many users are actually checking this - real world users that is, not us.
And are there any policies enforcable by anything that would prevent accessing a NON-EV certificated site?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Extended Validation Certificates the only added value was the green bar. There is no difference in the encryption methods or strength.
For banking, I definitely teach friends and family to click the padlock and check the certificate if they want some degree of assurance that they connected to the correct site. I guess an EV certificate gives a little more assurance that it is XYZ bank's site that you are connected to. I am interested to know if this is not the case.
About EV certs. All major browsers have removed all Green Bar indicators.
You can see this in action by clicking https://WellsFargo.com or any other bank in any recent browsers (say... last 2ish years of updates) which will show you the EV info is now gone.
If you happen to see any EV info, when you update your browser likely this will disappear.
So... there's really no visual queue of additional security with EV certs anymore.
The primary reason EV visual queuing was removed relates to David Johnson's comments.
There security of a cert is determined when cert is initially generated + is the exact same across all certs, EV or not.
The EV scam... er... process for allocating these was expensive + time consuming + provided no additional security, so the visual queues related to EV certs were removed.
You can see this in action by clicking https://WellsFargo.com or any other bank in any recent browsers (say... last 2ish years of updates) which will show you the EV info is now gone.
If you happen to see any EV info, when you update your browser likely this will disappear.
So... there's really no visual queue of additional security with EV certs anymore.
The primary reason EV visual queuing was removed relates to David Johnson's comments.
There security of a cert is determined when cert is initially generated + is the exact same across all certs, EV or not.
The EV scam... er... process for allocating these was expensive + time consuming + provided no additional security, so the visual queues related to EV certs were removed.
In Firefox at least, I see that the certificate was issued to, for example, Lloyds Bank PLC, or in your example Wells Fargo and Company, so that would imply that the organisation has been verified. It is now hidden one click away, but still visible. I don't see this with LE or non EV certificates. Is this likely to be removed any time soon? I am not in any way suggesting that EV certificates are "better" than non-EV. I do think that there is some merit in being able to tell a user how to confirm "Yes, you are securely connected and yes it is your bank".
All browsers show issuance chain... which is meaningful to technically inclined folks...
I always use the Grandmother Test.
Yes, I might personally right click on a cert + look at the issuance chain...
Would my Grandmother? Nope. Even if she did, what would the data mean to her.
I use this same test with SEO... running searches... like my Grandmother would run, to test SEO.
Grandmother Test - Highly useful.
I always use the Grandmother Test.
Yes, I might personally right click on a cert + look at the issuance chain...
Would my Grandmother? Nope. Even if she did, what would the data mean to her.
I use this same test with SEO... running searches... like my Grandmother would run, to test SEO.
Grandmother Test - Highly useful.
It's not the chain I am speaking of; what I am mentioning is literally one click away. I click the padlock and see "Wells Fargo" etc. My grandma had she still been around could certainly do that. My parents certainly do. Now, if seeing that info is totally meaningless, I am prepared to say that an EV cert is useless. If the info can be relied upon, then it still has some limited value. I would be interested to read any verifiable source that says that one should not rely upon that information and for what reason. I am not seeking to be argumentative, I am genuinely interested.
Actually I see that only policy owner see EV cert is still useful and needed while the other "camp" of developer see that it is not necessaryt anymore with the trend of it having no real impact to user awareness. Troy Hunt said it all on the demise of EV cert.
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.0.pdf
https://www.ssl247.com.co/psd2
https://www.paymentscardsandmobile.com/psd2-explained-payment-services-directive-created/
To be clear, EV isn't gone completely, you can still drill down and inspect the certificate. For the (roughly) 0.0001% of people who know what EV is, which sites should have it and are willing to adapt their behaviour in it's absence, inspecting the certificate is easy.That said, CA/Browser Forum has released its refined EV guidelines for CA compliance and also for organisation that need to (or like to) adopt and comply to Qualified Web Authentication Certificates (QWAC) are EV certificates with the additional vetting process. QWACs are a particular type of SSL/TLS Certificate specified by the EU eIDAS regulation and may be required to meet certain regulatory compliance (e.g., Payment Services Directive 2). Some regulations such as PCI-DSS and IRS tax guidelines require or recommend EV SSL certificates specifically.
The immutable fact here is that any security control that are predicated on user self-assessment simply doesn't work consistently and reliably unless it's overtly obvious via a negative visual indicator (i.e. Chrome's phishing site warning). I know you *want* it to work differently, but it doesn't.
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.0.pdf
https://www.ssl247.com.co/psd2
https://www.paymentscardsandmobile.com/psd2-explained-payment-services-directive-created/
I am most interested in whether or not it can still be considered that the first of the two primary purposes are still met with an EV certificate, ie to identify the legal entity that controls a web site.
Personally I believe that the browsers removal of the EV information (green bar) is doing a disservice to the users of the browser. With Google Chrome being the browser of preference and that google is an advertising company first and foremost I can see them depreciating the value of the EV certificate. This being the effect on advertising revenue and the customers preference in the EV green bar.
I tend to agree with David Johnson about this.
The problem that precipitated dropping the Green Bar indication was same problem with normal certs.
Some companies were charging a few dollars/year/EV other people were charging $1000/year/EV.
So marketing hype set who could be convinced into paying a few dollars verses $1000s, with most companies providing very little actual value for their EV process... In other words, you could hack the entire EV process easily, the browsers made it look like EV cert sites were somehow more trustworthy.
The entire normal cert + EV cert ecosystem was highly corrupt.
This led to the creation of HTTPS everywhere initiative, then https://LetsEncrypt.org free certs, then dropping both the lock indicator + the EV green bar indicator from browsers, replacing the cert indicator with a malicious site warning for non-HTTPS sites (eventually).
A complex mess.
The problem that precipitated dropping the Green Bar indication was same problem with normal certs.
Some companies were charging a few dollars/year/EV other people were charging $1000/year/EV.
So marketing hype set who could be convinced into paying a few dollars verses $1000s, with most companies providing very little actual value for their EV process... In other words, you could hack the entire EV process easily, the browsers made it look like EV cert sites were somehow more trustworthy.
The entire normal cert + EV cert ecosystem was highly corrupt.
This led to the creation of HTTPS everywhere initiative, then https://LetsEncrypt.org free certs, then dropping both the lock indicator + the EV green bar indicator from browsers, replacing the cert indicator with a malicious site warning for non-HTTPS sites (eventually).
A complex mess.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial