Kitz ADSL Broadband Information
Author Topic: EV certificates - what ever happened?  (Read 4680 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
EV certificates - what ever happened?
« on: April 15, 2022, 08:39:54 AM »

What ever happened to EV certificates ? I was a huge fan.
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: EV certificates - what ever happened?
« Reply #1 on: April 15, 2022, 09:49:27 AM »

Hi

EV SSL are not really used anymore but still available to purchase.

The reason for the decline is web browsers no longer displaying the green bar and the mass introduction of Let's Encrypt SSL.

The only clients we see buying paid SSL are usually for wildcard SSL and used on more than 1 server, so it is easier for them

Many thanks

John

extract from namecheap

The green bar was a way of displaying this information loud and proud. When you visited a website with an EV SSL, Chrome, Mozilla, Safari, and Firefox would turn the address bar green, and display the registered company name in the address bar before the website URL.

Safari was the first browser to stop with the green address bar, with Google and other major browsers following suit soon after. Although Google removed the green bar with the release of Chrome version 69 in September 2018, it continued to display company information in the address bar until the release of Chrome 77 one year later.

Google explained why this change was being made, stating that “the Chrome Security UX team has determined that the EV UI does not protect users as intended”. The team found that the display could sometimes hinder rather than help, while wider security research indicated that it did not protect against phishing attacks as much as they hoped it would.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: EV certificates - what ever happened?
« Reply #2 on: April 15, 2022, 10:12:38 AM »

So the likes of Google, and other browser manufacturers, had their doubts about user interface effectiveness? Were evil Javascript programs drawing false green bars or something? - just guessing

I found this very disappointing because I often thought about registering a domain name "barclays-bank-security" and getting an SSL cert for it, just in order to educate people that they need to see the green bar for it to be a real bank not just a site belonging to some random entity such as myself.
Logged

DaveC

  • Reg Member
  • ***
  • Posts: 197
Re: EV certificates - what ever happened?
« Reply #3 on: April 15, 2022, 11:06:25 AM »

So the likes of Google, and other browser manufacturers, had their doubts about user interface effectiveness? Were evil Javascript programs drawing false green bars or something? - just guessing

I found this very disappointing because I often thought about registering a domain name "barclays-bank-security" and getting an SSL cert for it, just in order to educate people that they need to see the green bar for it to be a real bank not just a site belonging to some random entity such as myself.

Or you create a company called "Barclays Bank" in a jurisdiction where it doesn't yet exist, and then get an EV certificate for your domain.  Perhaps hard to do with large multi-nationals like Barclays, but a famous example is "Stripe Inc.", an online payment provider registered in one US state, where someone registered the name in a different state and obtained a genuine EV cert just to prove a point.  Company names are not unique worldwide, and trademarks only relate to certain industry sectors and regions.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: EV certificates - what ever happened?
« Reply #4 on: April 15, 2022, 12:43:38 PM »

In general the SSL status on browser UI has been dumbed down over the years, it was actually proposed to make it even worse than it is now.

In practice the EV info had limited benefit only anyway, as most people would only take notice if the actual page was warned as insecure so didn't care if the EV had a fancier status in the address bar.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: EV certificates - what ever happened?
« Reply #5 on: April 15, 2022, 01:37:17 PM »

Understood. Good point about registering a company name in a different territory.

When EV certs were first launched, iirc, one had to get a financial stability or <don’t know what I’m talking about/> rating for your company in question. As I remember it, I wouldn’t have been able to get an EV cert way back then (around 2007). Was that requirement relaxed later, or did I just misunderstand it from the beginning?

One thought that came to me some years ago while EV certs were still green was that if users are used to seeing a green certificate displayed for their bank, they might hopefully feel something is very off if they don’t see one, because the site that they are seeing is evil and a con.
« Last Edit: April 15, 2022, 03:37:28 PM by Weaver »
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: EV certificates - what ever happened?
« Reply #6 on: April 15, 2022, 03:10:05 PM »

I certainly don't like how it's done today.  It's so subtle I do not even notice it and that just encourages you to not check.

I feel the certificate information should be much more in your face, all the time, so it's easier to notice if it's changed.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: EV certificates - what ever happened?
« Reply #7 on: April 16, 2022, 11:03:12 AM »

I certainly don't like how it's done today.  It's so subtle I do not even notice it and that just encourages you to not check.

I feel the certificate information should be much more in your face, all the time, so it's easier to notice if it's changed.

They have even made it deliberately harder to check, two clicks now to check a certificate. 
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: EV certificates - what ever happened?
« Reply #8 on: April 16, 2022, 11:11:03 AM »

An idea: Perhaps browsers should have a feature that only genuine banks and other validated institutions can access that draws images in the UI in a way that only a browser itself can do it, not a javascript page or html page. Perhaps drawing a recognisable animated image next to the address bar and outside the main window’s clipping region, an image that is possibly per-site. It would have to be done thoughtfully so that it stands out and cannot be impersonated by ordinary pages because the drawing operations required are impossible for non-privileged software inside the browser environment. This was around at one time with favicons.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: EV certificates - what ever happened?
« Reply #9 on: April 16, 2022, 11:36:40 AM »

They would have to probably heavily restrict browser extensions to stop them trying to imitate it.  Or place it in an area where browser extensions cannot place their own icons, such as to the left of the address bar on Chrome.

The UI nowadays is largely designed for the masses.

For reference I do agree banks were better with their EV information, it was a very quick easy way to have additional assurance aside from the obvious of you not accessing a spoofed/mistyped domain.
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: EV certificates - what ever happened?
« Reply #10 on: April 17, 2022, 08:40:12 AM »

Hi

I think the more modern way to try to help is by using CAA, which limits which CA can register SSL for a domain.

However, it is not widely used at the moment but Banks do use CAA

This would not stop wrong domains though

Many thanks

John
Logged
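As an added illustration of the CAA check John describes (example code written for this thread, not from the forum, any CA or any bank), the function below evaluates a set of CAA records the way RFC 8659 tells a CA to: climb from the requested name toward the root, take the first name that has CAA records, then apply the issue/issuewild rules and the critical flag. The zone data, domain names and CA identifiers are constructed placeholders standing in for a real DNS lookup.

```python
"""Evaluate DNS CAA records (RFC 8659) for a requested certificate name.

Added example, not from the forum thread. ZONE is a constructed, in-memory
stand-in for a DNS lookup; the names and CA identifiers are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the record as critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "ca-one.test", or ";" to forbid issuance entirely


# Constructed zone: only these names carry CAA records.
ZONE = {
    "examplebank.test": [CAA(0, "issue", "ca-one.test"),
                         CAA(0, "issuewild", ";"),
                         CAA(0, "iodef", "mailto:security@examplebank.test")],
    "legacy.examplebank.test": [CAA(0, "issue", "ca-two.test")],
    "strict.test": [CAA(128, "future-property", "x")],
}


def relevant_rrset(name):
    """Climb from the FQDN toward the root; the first name with CAA records wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(name, ca_domain, wildcard=False):
    """Return True if ca_domain is permitted to issue for name (or *.name)."""
    rrset = relevant_rrset(name)
    if not rrset:
        return True  # no CAA anywhere in the chain: any CA may issue
    # A critical record with a property this CA does not understand forbids issuance.
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Wildcard requests are governed by issuewild when present, otherwise by issue;
    # non-wildcard requests ignore issuewild entirely.
    controlling = issuewild if (wildcard and issuewild) else issue
    if not controlling:
        return True  # no applicable restriction
    # Compare the issuer-domain-name part only, dropping any ";key=value" parameters.
    allowed = {r.value.split(";")[0].strip().lower() for r in controlling}
    return ca_domain.lower() in allowed  # ";" yields "", which matches no CA
```

Note the second half of John's point: the check answers "may this CA issue for this domain", not "is this the right domain", so a look-alike name with its own CAA records passes just as a genuine one does.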

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: EV certificates - what ever happened?
« Reply #11 on: April 17, 2022, 10:34:27 AM »

For me the important problem to address is giving an answer to the user’s question: "what’s the correct domain name for organisation / well-known legal entity x?". x has to be well-known, have a business reputation, a certain minimum turnover depending on the type of organisation, and without these restrictions any random joe soap can apply and create confusing names. I recognise that’s not well-defined but I think it could be made so, and the result should not be something like EV certs, because in this proposed mechanism you start with the business / org name and query that, rather than querying a domain name. It would be like a restricted google, a club with restricted membership.

Just musing.
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: EV certificates - what ever happened?
« Reply #12 on: April 17, 2022, 11:03:45 AM »

Facebook is an example of where it's an utter s**t show for that.

Scammers setting up identical or very similar names.  Someone on my list forwarded an Iceland one I was like "look, there's no tick next to it, it's clearly a scam".  Though the fact it was offering free nearly out of date food out of the goodness of their hearts was certainly a clue. ;)

You sign up and who knows what information they are given from your profile.

I miss the days when Facebook wasn't this huge corporate playground and it was just people connecting.  It seems any social network is doomed to get taken over by corporate interests.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: EV certificates - what ever happened?
« Reply #13 on: April 17, 2022, 12:29:43 PM »

When the PS5 first launched someone set up a page to imitate one of the retailers (I couldn't remember which one), it was designed so it looked like a different division of the retailer.  It was selling PS5s under priced, I am pretty sure the actual retailer had an EV cert, whilst this page didn't so was a useful indicator.
Logged