Browser makers have been changing the way they display security indicators to users, and in the next major versions of Chrome and Firefox, Google and Mozilla will remove the extended validation (EV) SSL certificate indicator from the address bar after concluding that it does not communicate any useful information to users.
For many years, browser vendors have struggled to find effective ways to communicate the relative security of a given site to users. Locks (open, closed, or missing), stoplight colors, and various combinations thereof have all been tried, with varying degrees of success. In some cases the indicators were too small or too vague, and in others they did not convey the information they were meant to convey. Google, Microsoft, Mozilla, and Apple have all recently tinkered with the icons in the browser address bar, specifically the icon that indicates the status of a site's certificate and therefore the visitor's connection to it. Google is planning a major change to that icon in Chrome 77, removing the EV status information from the address bar altogether and moving it into a drop-down instead.
The reasoning behind the decision is that people apparently pay little attention to the indicator and do not miss it when it is gone. Google's internal research, as well as prior academic research, shows that when the EV certificate information is removed from the address bar, people still enter sensitive information into a site even though nothing indicates that it is secure. Extended validation certificates require a higher level of proof of identity for organizations, including the physical presence of the site owner and exclusive control over the domain, but that verification is not obvious to people visiting a site with an EV certificate.
“Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended (see Further Reading below). Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection,” Google said.
“Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.”
Mozilla's reasoning for making the change is similar: the company said users generally do not notice the EV indicator, so it serves no effective purpose in the address bar.
“In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security / privacy information). We will add additional EV information to the identity panel instead, effectively reducing the exposure of EV information to users while keeping it easily accessible,” Johann Hofmann of Mozilla said.
“The effectiveness of EV has been called into question numerous times over the last few years; there are serious doubts whether users notice the absence of positive security indicators, and proofs of concept have been pitting EV against domains for phishing.”
Firefox 70 is scheduled for release in October and Chrome 77 will be available in early September.