Despite arguments to the contrary, Extended Validation provides tremendous value.
Last week Troy Hunt, a security expert and educator well known for his Have I Been Pwned? tool, wrote a long column about the value of Extended Validation (EV) certificates.
In that post he questioned the value of EV certificates and whether users notice them. Hunt concludes:
“The bottom line is that as of today, the effectiveness of EV certs is entirely dependent on people recognizing [sic] what they mean and actually adapting their behaviour accordingly. It’s hard to argue with that…”
That is certainly true. EV certificates do rely on a user noticing them and using that information. But does that mean EV certificates do not have value?
Before we delve into this, let’s take a moment to lay out our terms first:
Domain Validation (DV) and Extended Validation (EV) are the two main classes of SSL certificates. DV, as the name suggests, only confirms that the party holding the certificate controls the domain shown in your browser’s address bar. This is done using an automated technical measure – such as creating a unique DNS record for said domain.
EV certificates do that as well, but in addition they confirm that the website is operated by a legally established company. This is confirmed by a human employee of a Certificate Authority with the aid of official government databases and other reliable data sources. That company name (and the country it is registered in) is shown to end-users in their browser.
As Troy puts it, DV certificates tell you “the connection is secure,” whereas EV certificates tell you “the connection is secure and you know who you’re talking to.”
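To make the difference concrete, here is an added example (not code from the original post) showing where that company name and country actually live: in the Subject field of the X.509 certificate. The DER encoder and decoder are a minimal hand-written one using only the Python standard library, and the two sample subjects are constructed, not taken from real certificates. The attribute OIDs are the standard X.520 ones plus the jurisdiction-of-incorporation OID that the CA/Browser Forum EV Guidelines require in EV subjects. One caveat a practitioner should keep in mind: browsers decide whether to show the EV treatment by matching the certificate's policy OID against their root program's list of EV-enabled CAs, not by looking for these subject fields; the fields are what the browser displays once it has made that decision.

```python
# Added example: encode/decode an X.509 Subject and summarise what a browser can show.
# Pure standard library; the DER code is a deliberately minimal hand-written one.

# Attribute OIDs: X.520 names plus the EV Guidelines jurisdiction field.
OIDS = {
    "2.5.4.3": "commonName",
    "2.5.4.6": "countryName",
    "2.5.4.10": "organizationName",
    "2.5.4.15": "businessCategory",
    "2.5.4.5": "serialNumber",  # company registration number in EV subjects
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
}
OID_BY_NAME = {name: oid for oid, name in OIDS.items()}

# Subject fields the EV Guidelines require; a DV subject normally carries commonName only.
EV_REQUIRED = {"organizationName", "countryName", "businessCategory",
               "serialNumber", "jurisdictionCountryName"}


def _der_len(n):
    """DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """Dotted OID -> DER content bytes (first two arcs merged, then base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def _decode_oid(data):
    arcs = [data[0] // 40, data[0] % 40]
    val = 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def encode_subject(fields):
    """{attributeName: value} -> DER Name (SEQUENCE of single-valued SETs of UTF8String)."""
    rdns = b""
    for name, value in fields.items():
        atv = _tlv(0x06, _encode_oid(OID_BY_NAME[name])) + _tlv(0x0C, value.encode())
        rdns += _tlv(0x31, _tlv(0x30, atv))
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_subject(der):
    """DER Name -> {attributeName: value}; unknown OIDs are kept in dotted form."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    fields, pos = {}, 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        assert tag == 0x31, "RelativeDistinguishedName must be a SET"
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_bytes, after = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, after)
            fields[OIDS.get(_decode_oid(oid_bytes), _decode_oid(oid_bytes))] = value.decode()
    return fields


def identity_summary(subject):
    """What the UI can say: ('DV', hostname) or ('EV', 'Org Name [jurisdiction]')."""
    if EV_REQUIRED - subject.keys():
        return "DV", subject.get("commonName", "")
    return "EV", f"{subject['organizationName']} [{subject['jurisdictionCountryName']}]"


# Constructed sample subjects (hypothetical company, not real certificates).
DV_SUBJECT = encode_subject({"commonName": "shop.example.com"})
EV_SUBJECT = encode_subject({
    "commonName": "shop.example.com",
    "organizationName": "Example Shop Ltd",
    "countryName": "GB",
    "businessCategory": "Private Organization",
    "serialNumber": "12345678",
    "jurisdictionCountryName": "GB",
})

if __name__ == "__main__":
    for der in (DV_SUBJECT, EV_SUBJECT):
        print(identity_summary(decode_subject(der)))
```

The DV subject decodes to nothing more than the hostname, which is exactly why a DV-only padlock can say "the connection is secure" and no more; the EV subject carries the legal name, the registration number and the jurisdiction that a CA employee verified. Note that the full EV subject is long enough to need a long-form DER length, so the round trip exercises that path too.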
On the internet, knowing who you are talking to can be quite valuable. For the cost of a decent restaurant meal you can create a website and claim to be anyone (or anything) without providing much personal information.
Given the sheer volume of online fraud and phishing sites, I think we can all agree that knowing more about who operates a website can be helpful.
Your computer does not truly understand anything about the websites it’s visiting. It will happily serve the content at whatever hostname or IP address you point it to.
From a technical perspective, this is exactly what your browser is meant to do, though that is often not aligned with the goals of users, who are more interested in connecting to legitimate sites than in enjoying the technical marvel of DNS and IP routing.
When we look at the big picture, Google Chrome’s design agrees with this point of view as well.
Chrome is currently in the middle of a very long-term change that will fundamentally reverse the current security indicators. Instead of showing you the padlock icon when a connection is secure, Chrome will be switching to showing a negative indicator when it is not secure.
Here is an excerpt from this plan:
We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure.
The goal of this proposal is to more clearly display to users that HTTP provides no data security.
T0 (now): Non-secure origins unmarked
T1: Non-secure origins marked as Dubious
T2: Non-secure origins marked as Non-secure
T3: Secure origins unmarked
Currently, we are between the “T0” and “T1” stages of the plan – later this year Chrome will begin showing “Not Secure” warnings on more HTTP pages.
One of the reasons Chrome wants to do this is due to how difficult it is for a computer to affirm the security of your connection.
HTTPS can only guarantee your data was sent securely to the server you are connected to. What happens after that is anyone’s guess.
Cloudflare’s Flexible SSL, which provides a secure connection between you and Cloudflare, but not from Cloudflare to the origin server, is an example where your browser is not aware of the entire trip your data is really making across the net.
Chrome would prefer not to deal with the responsibility of confirming your connection is secure. It would rather only say something when it knows it is insecure, because that’s all it can really say.
That is relatively simple in comparison to judging whether a website is legitimate or whether you should provide it with your personal information or a credit card. Hopefully we all know that just because a website uses HTTPS does not mean it is always a good idea to give it your personal information.
That decision requires more information than the technical guarantees that HTTPS can provide, and that judgment is where the user comes into play.
That’s not to say there aren’t other mechanisms out there to protect users. Systems like Google’s Safe Browsing and Microsoft’s SmartScreen are invaluable tools for protecting users from phishing sites, as well as sites reported to be infected with malware.
But those systems are not perfect. They can sometimes take more than a day to flag a site, which means they miss a crucial window of time in which the majority of victims are affected. Those systems are also not used to establish identity and thus only partially overlap with the goals of EV certificates.
Troy says it is a problem that “EV certs are a human control.” But evaluating the real world identity and legitimacy of a site is not something our browsers are well suited for. After all, from a technical perspective, your browser is just as willing to let you log in to FakePaypal.com as it is the real thing.
The value of an EV certificate is clear. It is the ability to know more than your browser can assert through connecting to a hostname, parsing a certificate file, and verifying an encryption key.
Troy is also right that EV – and all HTTPS-related indicators – could be better understood by users. Case in point – before Chrome’s semi-recent redesign, users had a hard time identifying and understanding the padlock icon. Some mistook it for a purse.
But that does not eliminate the need for identity on the web or diminish the value of EV certificates. It just means we need to start explaining it better—a common theme when it comes to security and the average internet user.