EV gets disavowed

Mozilla has announced plans to move the Extended Validation Certificate (EV) indicator for higher assurance, more costly digital certificates out of the address bar of its Firefox browser.

EV information for Firefox 70 on desktop and onwards will appear in the identity panel instead, meaning surfers will now need to click the information window in order to see data designed to provide security assurance.

Mozilla’s Johann Hofmann is candid that the move will “effectively reduce the exposure of EV information to users while keeping it easily accessible”.

An EV certificate for a HTTPS website or software package offers evidence that a particular company or organization is offering a software or website.

Organizations are verified by a Certificate Authority (CA) issuing an EV certificate, priced at a higher premium than regular “domain-validated” digital certificates.

Spot the difference

The effectiveness of EVs has been questionable for years – not least because of doubts whether surfers even notice when an EV cert is deployed on a website.

Web browsers used to show the verified legal identity holding an EV cert before, or in some cases instead of, a domain name.

Security researchers have shown EV certs might be abused to create more convincing phishing attacks.

More recently potential cryptographic shortcomings, in at least some forms of EV certificate deployments, have been demonstrated.

Mozilla is following other browser majors in disavowing the tech.

For example, Google recently announced plans to relegate the prominence of the EV indicator from the mid-September release of Chrome 77 onwards. EV status is already downplayed in the interface of both Apple’s Safari and Microsoft’s Edge browsers.

Web security guru Troy Hunt declared Mozilla’s move as the “final nail in the coffin” for EV certificates, a technology that some infosec critics have been slating for years.

“The only proponents of EV seemed to be those selling it or those who didn't understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place,” Hunt argues in a blog post.

“The writing might have been on the wall a year ago, but the death warrant is now well and truly inked with both Chrome and Firefox killing it stone cold dead,” he added.

British security researcher Scott Helme agrees that EV certificates had outlived their usefulness.

“Our understanding of browser UI has evolved, and everyone is familiar with the confusion caused by 'Secure' indicators in the browser,” Helme told The Daily Swig.

“The deprecation of the EV UI is simply another step in the journey moving us towards a more neutral UI.”

He added: “Users are unfamiliar with the technology but expected to understand and interact with it. The removal of the UI in all mainstream browsers demonstrates the lack of usefulness of EV certificates and browsers being updated to reflect that,” he added.

While it’s possible to drill down into the certificate and see the entity name, the vast majority of users will not do this.

Hunt added: “I will admit to some amusement in watching all this play out, partly because the ludicrous claims about EV efficacy really come crashing down when it's no longer visible to the end user.”

Meaningful protection?

Google said it reached its decision after running research suggest that EV certs fail to have the desired effect of building confidence among mainstream surfers towards sites that deploy EV certs.

“Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended,” Google said.

“Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.”

Mozilla backs up this assessment. “The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been pitting EV against domains for phishing,” it said.

Security pro Alec Muffett noted that “EV Certs make perfect sense for Onion sites where you want to attribute a raw network address to a commercial entity”, pointing towards one possible application of the much-criticized tech on the dark web.

Patrick Toomey offered a more esoteric, fringe case where the tech might yet have some utility.

Firefox 70 is due to be shipped this October 22.