R.I.P Extended Validation Certificates
Articles by: Richey May, Oct 16, 2019
What is an Extended Validation Certificate anyway? Aren’t all certificates the same? In addition to securing a website, Extended Validation (EV) Certificates were designed to give consumers added confidence that your website really does belong to you. Generally, a company selling EV certificates will dig deeper to validate the certificate purchaser’s domain, legal entity, and physical and operational existence, and to confirm that issuance of the certificate is authorized. Once the validations are performed, the entity’s name is displayed in green next to the padlock in the address bar, as shown in the example below. This is intended to give web visitors warm fuzzies that this is in fact the website they wish to browse.
This sounds like a good idea, because who wouldn’t want the warm fuzzies when they visit a website? The problem is that popular browsers have been slowly removing the functionality that displays the benefits of the EV certificate. Safari removed this functionality over a year ago, and Chrome removed it on September 10, 2019. Firefox will remove it on October 22, 2019. Here is an example of the same web address as above, but in a newer Chrome version:
Notice how the entity name and color have been removed, so it looks like any other secure website. What companies selling EV certificates fail to tell you is that the added benefit of EV certificates is entirely dependent on browser functionality.
So why are browsers removing that functionality? To paraphrase Google and Mozilla’s announcements, they are doing it because the EV indicator is ineffective at changing users’ behavior in trusting a website. Therefore, EV certificates do not provide any additional value. It has also been demonstrated that, with little effort and cost, anyone can legally obtain an EV certificate with the intent of using it for spoofing. So much for the additional value for your consumers.
The next time you are buying or renewing a certificate, don’t buy into the hype that Extended Validation Certificates are the best protection for you and your consumers; they are, in fact, a waste of money.
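The validation level that browsers no longer display is still recorded inside the certificate, as a CA/Browser Forum policy OID in the certificatePolicies extension. The following added example (not part of the original article) reads that extension with the Python standard library to tell EV, OV, IV and DV certificates apart, for instance when taking stock of certificates before a renewal; the sample bytes are constructed skeletons containing only the fields the parser reads, not real certificates.

```python
# Added example: read the validation level recorded in a certificate's policy OIDs.
# CA/Browser Forum reserved policy OIDs and the validation level each one marks.
CABF_LEVELS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV",
               "2.23.140.1.2.3": "IV", "2.23.140.1.2.1": "DV"}
CERT_POLICIES = "2.5.29.32"  # id-ce-certificatePolicies

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    subs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(acc)
            acc = 0
    first = min(subs[0] // 40, 2)  # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def policy_oids(cert_der):
    """Return the policy OIDs from the certificatePolicies extension, or []."""
    tbs = next(tlvs(next(tlvs(cert_der))[1]))[1]  # Certificate -> tbsCertificate
    for tag, val in tlvs(tbs):
        if tag != 0xA3:  # only [3] EXPLICIT Extensions is of interest
            continue
        for _, ext in tlvs(next(tlvs(val))[1]):
            parts = list(tlvs(ext))  # extnID, optional critical flag, extnValue
            if oid(parts[0][1]) == CERT_POLICIES:
                policies = next(tlvs(parts[-1][1]))[1]
                return [oid(next(tlvs(p))[1]) for _, p in tlvs(policies)]
    return []

def validation_level(cert_der):
    """Map a DER certificate to EV/OV/IV/DV, or 'unknown' without a CA/B Forum OID."""
    levels = [CABF_LEVELS[o] for o in policy_oids(cert_der) if o in CABF_LEVELS]
    return levels[0] if levels else "unknown"

# Constructed skeletons (serial number plus one extension), not real certificates.
SAMPLE_EV = bytes.fromhex("301d301b020101 a316 3014 3012 0603551d20 040b 3009 3007 060567810c0101")
SAMPLE_DV = bytes.fromhex("301e301c020101 a317 3015 3013 0603551d20 040c 300a 3008 060667810c010201")
print(validation_level(SAMPLE_EV), validation_level(SAMPLE_DV))
```

For a real certificate, pass DER bytes such as the output of `ssl.PEM_cert_to_DER_cert()`; a certificate that carries only a CA-specific policy OID is reported as `unknown`.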
If our Cybersecurity Solutions Team can assist you in assessing your current cybersecurity posture or providing recommendations for improvement, contact us.
Having held executive positions at firms of all sizes, the Richey May Technology Services team is able to provide practical executive advice to solve the most difficult technology, cloud, and cybersecurity problems.
References:
https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/
https://groups.google.com/a/chromium.org/forum/m/#!msg/security-dev/h1bTcoTpfeI/jUTk1z7VAAAJ