Last week, the Google developers in charge of the Google Chrome web browser project decided to drop the separate labeling of EV (Extended Validation) certificates in Google Chrome.
Whereas previously, for sites with such certificates, the address bar displayed the company name verified by the certification authority, these sites will now show the same secure-connection indicator as sites whose certificates only verify control of the domain. Starting with the next version, Google Chrome 77, information about the use of an EV certificate will be shown only in the drop-down menu that appears when clicking the secure-connection icon.
For reference, the folks at Apple made a similar decision for the Safari browser last year (in 2018) and rolled it out in iOS 12 and macOS 10.14. It is important to emphasize that EV certificates confirm the claimed identification details and require the certification authority to verify the documents for the domain and the physical presence of the resource owner.
Why will the entities that issue the certificates no longer be displayed in the address bar?
This move by the Google developers stems from a study conducted by Google, which showed that the indicator previously used for EV certificates did not provide the expected protection: users did not pay attention to the difference and did not use it when deciding whether to enter sensitive data on a site.
In the Google study it was found that 85% of users were not deterred from entering credentials when the address bar showed the URL «accounts.google.com.amp.tinyurl.com» instead of «accounts.google.com», as long as the page looked like Google's usual sign-in interface.
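The lookalike address from the study works because the familiar name sits at the left of a hostname that somebody else controls. The following Python example, added here and not part of the article or of Google's study, shows the naive "does the name appear in the address?" check beside the correct "is the host under the expected domain?" check, and extracts the rightmost labels that actually identify who controls the host. Only the host accounts.google.com.amp.tinyurl.com comes from the study; the other sample URLs, and all function names, are constructed for illustration, and the controlling-domain helper is a simplification that assumes a one-label public suffix rather than consulting the Public Suffix List.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample URLs; only the accounts.google.com.amp.tinyurl.com
# host is taken from the study the article cites.
SAMPLE_URLS = [
    "https://accounts.google.com/signin",
    "https://accounts.google.com.amp.tinyurl.com/signin",
    "https://google.com.login-example.test/",
    "https://GOOGLE.COM./",
]


def normalized_host(url: str) -> Optional[str]:
    """Hostname of a URL, lowercased and without a trailing dot; None if absent."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".").lower()


def naive_match(url: str, expected: str) -> bool:
    """The mental check the study's users appear to make: does the familiar
    name appear anywhere in the address?  This is the check that fails."""
    host = normalized_host(url) or ""
    return expected.lower() in host


def is_under_domain(url: str, expected: str) -> bool:
    """Correct check: the host is the expected domain or a subdomain of it."""
    host = normalized_host(url)
    if host is None:
        return False
    expected = expected.rstrip(".").lower()
    return host == expected or host.endswith("." + expected)


def controlling_domain(host: str, suffix_labels: int = 1) -> str:
    """Rightmost labels identifying who controls the host.
    Simplification (assumption): the public suffix has `suffix_labels`
    labels, e.g. 'com'; real code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-(suffix_labels + 1):])


def truncated_display(host: str, width: int) -> str:
    """What a narrow address bar shows if it keeps only the leftmost characters:
    the deceptive prefix survives, the controlling domain is cut off."""
    if len(host) <= width:
        return host
    return host[:width - 3] + "..."


def classify(urls, expected: str) -> Dict[str, Tuple[bool, bool, str]]:
    """For each URL: (naive verdict, correct verdict, controlling domain)."""
    result = {}
    for url in urls:
        host = normalized_host(url) or ""
        result[url] = (
            naive_match(url, expected),
            is_under_domain(url, expected),
            controlling_domain(host) if host else "",
        )
    return result


if __name__ == "__main__":
    for url, (naive, correct, owner) in classify(SAMPLE_URLS, "google.com").items():
        host = normalized_host(url) or ""
        print(f"{truncated_display(host, 22):<23} naive={naive!s:<5} "
              f"correct={correct!s:<5} controlled by {owner}")
```

Running the block prints one line per sample: the lookalike host passes the naive check, fails the correct check, and resolves to tinyurl.com as the controlling domain, while the truncated display column shows why a user glancing at a narrow address bar sees only the trusted-looking prefix.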
Through our own research, as well as a survey of previous academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended.
Users do not seem to make safe decisions (such as not entering password or credit card information) when the UI is altered or removed, which is what the EV UI would need to provide significant protection.
Additionally, the EV badge takes up valuable screen real estate, can feature actively misleading company names in a prominent user interface, and interferes with Chrome's product direction toward a neutral, rather than positive, display for secure connections.
Due to these issues and its limited usefulness, we think it belongs best in the page information.
The alteration of the EV user interface is part of a broader trend among browsers to improve their security user interface surfaces in light of recent advances in understanding this problematic space.
For most users, making the page resemble the original turned out to be enough to win their trust in the site.
As a result, it was concluded that positive security indicators are not effective, and that it is worth focusing instead on presenting explicit warnings about problems.
For example, a similar approach has recently been applied to HTTP connections, which are now explicitly marked as insecure.
At the same time, the information displayed for EV certificates takes up too much space in the address bar, can cause additional confusion when a company name appears in the browser interface, violates the principle of product neutrality, and can be used for spoofing.
For example, the Symantec certification authority issued an EV certificate for the name "Identity Verified", whose display deceived users, especially when the real domain name did not fit in the address bar.