EV certificates are dead

Original author: Troy Hunt
That's it, I said it: extended validation certificates are dead. Of course, you can still buy them (and some companies will happily sell them to you!), but their benefit has slid from "hardly any" to "none". Several factors drove the change, including the rise of mobile browsing and the removal of the visual EV indicator from browsers, starting with iOS (and also macOS Mojave):

To illustrate, I chose the Comodo website, because they have shown such desperation in selling EV: just a month ago they sent me a sales email headed "How to get the green address bar for your website". In it they open with an "alternative" version of the truth:

That is indeed how Firefox looks today, but the email completely fails to mention that this is a purely arbitrary visual indicator left to the discretion of browser vendors. Apple has obviously already killed it, and for many people on Chrome the Comodo site actually looks very different (a Chrome experiment):

The email claims that EV fights phishing, stating:

Displaying a verified company name allows you to quickly identify the legal entity behind the website, which makes phishing and deception difficult.

In other words, seeing the company name leads to a higher level of trust; invert that statement and not seeing the company name leads to lower trust, right? The problem is that people simply do not expect to see the company name, and there is a very simple, effective demonstration of why:

Ten of the world's largest sites: EV nowhere to be seen

Comodo goes on to argue for EV's effectiveness, citing "recent research":

"A recent DevOps.com study found that customers are 50% more likely to trust and buy from sites with a green address bar."

They link to a long page on ComodoStore and, although it is never stated explicitly, the wording implies that the research was somehow independent and impartial: "DevOps.com surveyed..." and similar phrases. I wrote about this back in July, but this screenshot tells you everything you need to know about the motives behind the "survey":

I genuinely tried to find out who commissioned this work, first writing to the author, Tony Bradley, and, getting no answer, asking on Twitter at @TechSpective, where he is editor-in-chief, and @devopsdotcom (who, incidentally, follow me), who published the survey:

In the end Tony Bradley confirmed what was already fairly obvious. He apologised for the late reply, as he rarely logs on to Twitter, and named the customer: Comodo CA.

I would like to see that disclosed in the report itself, because Comodo's involvement clearly introduces bias. It is like an oil company commissioning a report concluding that fossil fuels do not harm the environment, or a tobacco company declaring that smoking is not harmful to health. If you still think DevOps.com actually believes in the "benefit" of EV certificates, take a look at their own site:

That resource is cited repeatedly in Comodo's promotional email, but let's move on. They go on to claim that you can "activate the green address bar" simply by buying an EV certificate:

"To activate the green address bar on your website, you just need to purchase and install the SSL Extended Validation (EV) certificate."

Except not in the most popular browser on iOS:

Nor in Chrome on Android, the world's most popular OS:

Let's look at Microsoft Edge on iOS, and again the predictable result:

These are very, very important screenshots, and they undermine the value of EV for two key reasons. First, almost two thirds of all page views worldwide come from mobile devices, so the screenshots above show the prevailing view a site owner has to think about. Second, as a result, companies cannot tell their customers to expect EV, because most of them will never see it. Despite this, Comodo claims EV has the benefit of a "longer green security bar":

"The big green security bar is a very clear signal to the user that the site is safe."

Do you know what else was such a signal? The green icon next to the URL in desktop Chrome! And if you read that and think, "Wait, Chrome no longer does that", you are absolutely right. The icon no longer stands out and the word Secure is gone.

The change in Chrome 69, released on 4 September, affected not only DV sites but EV sites as well:

The point I am trying to make here is that visual indicators remain entirely at the discretion of browser vendors and change over time. So the phrase "How to get the green address bar on your site" is now even more wrong than when it was written! In fact, the only more or less accurate representation of EV in the whole email is the admission that you cannot get an EV wildcard certificate. But wait! There is a readily available solution, just a little more expensive, called a multi-domain certificate; it is the default option for Comodo's Enterprise SSL Pro with EV Multi-Domain, which will really save you $5,002.44*:

* Note: you need to spend $9,746.75 to get those savings

To be clear, this is not a four-year certificate. As the text below it shows, the CA/B Forum rules cap certificate validity at about two years, after which you have to go through the verification and issuance process again by hand. But hey, that is no reason not to sell certificates four years at a time!

And what if you don't renew the certificate? Well, you get this:

You might think, "Well, that's kind of obvious, and it is the same with DV", but there are nuances. First, neglecting certificate renewal happens with alarming regularity, and it happens to the big players. For example, Microsoft forgot to renew secure.microsoft.co.uk in 2001. Too long ago? They failed to renew the certificate for an Azure domain in 2013. And of course these problems are not confined to Microsoft: HSBC forgot to renew a certificate in 2008, Instagram had the same trouble three years ago, and LinkedIn last year. There are many, many other examples, and they all make one truism clear: if a task is important and repetitive, automate it!

Which brings me to the second point: certificate renewal should be automated, and that is something you simply cannot do when identity verification is required. With a DV certificate automation is easy; it is the cornerstone of Let's Encrypt and a genuinely important attribute of that service. I recently spent some time with a development team at a large European bank, and they were seriously considering abandoning EV for exactly that reason. In fact, not only for that reason: there was also the risk that they might need a new certificate very quickly (for example, because of key compromise), which is much harder with EV than with DV. In addition, long-lived certificates actually create extra risk because revocation is broken, so short iterations (Let's Encrypt certificates last 90 days) become an advantage. A certificate valid for two years is not an advantage, except for whoever is making money from it...

(Paradoxically, the LinkedIn story linked above comes from TheSSLStore.com, which is a certificate reseller. They understand the risks, but instead of offering automation as part of the answer to renewal, they offer solutions "that scale to enterprise class" from CAs such as Comodo, who of course push EV. No mention of Let's Encrypt, which was loudly criticised for issuing certificates to phishing sites (after properly validating the domain name), even though Comodo has issued just as many!)

The lack of wildcard support is one of the main technical reasons to avoid EV (the other reasons are basically just common sense), and filling in the subjectAltName field can hardly be called an adequate alternative. For example, we have a wildcard certificate on our Report URI site so that you can send reports to https://[my company name].report-uri.com, and we have hundreds of such subdomains. Comodo will be happy to support that scale:

Besides, Scott Helme and I really do not have $808 thousand, and this is still a long way from a real wildcard certificate, because every hostname has to be enumerated at issuance time instead of being covered dynamically.
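To make the wildcard-versus-SAN trade-off concrete, here is an added example (my code, not code from the original post or from Report URI) implementing the hostname matching rule TLS clients apply to certificate names: a wildcard is honoured only as the entire leftmost label and matches exactly one label. The two SAN lists and the tenant hostnames are constructed for illustration; the tenant names are invented.

```python
# Added example: RFC 6125-style hostname matching, used to compare how a
# wildcard certificate and an enumerated multi-domain (SAN) certificate
# cope with subdomains that did not exist when the certificate was issued.

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (SAN entry) covers hostname.

    Rules applied, matching what mainstream TLS clients enforce:
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is only honoured as the entire leftmost label, so
        "f*.example.com" and "foo.*.example.com" are rejected;
      * the wildcard matches exactly one label, so "*.example.com" covers
        "a.example.com" but neither "example.com" nor "a.b.example.com";
      * a wildcard needs at least two labels after it, so "*.com" is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False                      # partial or non-leftmost wildcard
    if len(plabels) < 3:
        return False                      # "*.com" would cover a whole TLD
    if len(hlabels) != len(plabels) or "" in hlabels:
        return False                      # wildcard spans exactly one label
    return hlabels[1:] == plabels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """True if any DNS name in the certificate's SAN list covers hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


def uncovered_hosts(san_names, hostnames):
    """Hostnames that would fail TLS name validation against this SAN list."""
    return [h for h in hostnames if not cert_covers(san_names, h)]


# Constructed data for the demonstration (tenant names are invented).
WILDCARD_SANS = ["report-uri.com", "*.report-uri.com"]
MULTI_DOMAIN_SANS = ["report-uri.com", "acme.report-uri.com",
                     "globex.report-uri.com"]
# The third tenant signed up after the multi-domain certificate was issued.
TENANTS = ["acme.report-uri.com", "globex.report-uri.com",
           "initech.report-uri.com"]


def compare_coverage(hostnames=TENANTS):
    """Which tenants each certificate type fails to cover."""
    return {
        "wildcard": uncovered_hosts(WILDCARD_SANS, hostnames),
        "multi_domain": uncovered_hosts(MULTI_DOMAIN_SANS, hostnames),
    }


if __name__ == "__main__":
    for kind, missing in compare_coverage().items():
        print(f"{kind:13s} certificate leaves uncovered: {missing or 'nothing'}")
```

Running it shows the wildcard certificate covering every tenant, while the enumerated certificate leaves the new tenant uncovered until a fresh certificate is issued with the extra name; the negative cases in the docstring are the ones that trip people up when they assume a wildcard behaves like a glob.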

The last point in this marketing email is the promise of a warranty:

It links directly to the page with the super-expensive multi-domain EV certificates and does not even try to explain what the warranty is, which is a bit strange. But it is completely understandable, because nobody really knows what the warranty is or whether anyone has ever claimed on it. Seriously, this is not a flippant statement: Scott and I honestly tried to find out at the start of the year and simply could not get straight answers. When I did manage to get into a dialogue, I was accused of being "too nerdy":

Andreas Mallek: Andy, these guys don't want to admit their difference: they are too nerdy to understand that normal people have different needs than the people in Nerdville. I'm off to Nerdville; I'll be back to deal with the problems of my clients from the normal world. See you.
Troy Hunt: Andreas, I asked a very reasonable question, and it matters because the certificates are sold with a warranty and I am trying to understand what that means. Real customers want to know what the warranty covers and whether there are documented examples of it being used. Do you know of any?

By all accounts this was a very unexpected answer, and not from just anyone but from the CEO of CertCentre. After all, he should be the first to appreciate how important a certificate's warranty is (assuming it really is important, of course). If you pay such a company for a product with a stated set of features, then being a "nerd" and asking how those features work is perfectly normal, and it should not draw ridicule from the person running the company. Unfortunately, instead of answering the question, Andreas went for the tried and tested ostrich approach:

What really raises questions is that the warranty is sold for money (you certainly do not get a warranty with a Let's Encrypt certificate), yet they are not willing to explain what exactly you get for that money. CertCentre also actively promotes the warranty as an "element of the highest level of security":

But friends, if you can't even spell the word Warranty correctly, what are the real chances of understanding what it does?!

Another nail in EV's coffin is Scott's six-monthly Alexa Top 1M report from last month. It contains encouraging statistics on sites moving from HTTP to HTTPS:

HTTPS sites are now at 52%, which is very good for the Internet as a whole. But I was interested in this comment about EV:

"Despite the strong growth of HTTPS in the top million sites, there is no growth in the share of EV certificates."

In numbers: in February, 366,005 sites redirected HTTP requests to HTTPS and 19,802 of them used EV certificates, which is 5.41% of HTTPS sites. In August, 489,293 sites redirected to HTTPS, and 25,158 of them had EV certificates, which is 5.14%. In other words, EV's share of HTTPS sites fell by about 5% in relative terms.

(Note: 489,293 really is 52% of the million-site sample, because 47,000 sites could not be scanned and were excluded from the statistics.)

It turns out that many sites are actually abandoning EV certificates. A month ago Scott published a detailed list of major sites that previously used EV: among them Shutterstock, Target, UPS and the UK police. Around the same time I noticed that even Twitter had dropped EV.

The Twitter story is a little odd, because you might or might not see an EV certificate on their site depending on your location. That also says something about the effectiveness of EV: if they are willing to add or remove it at will, then people are unlikely to behave differently or trust the site less without EV. Yet that is the very premise the EV mechanism is built on!

The disinformation campaign is not just Comodo and CertCentre; there are many others, for example:

Apart from the choice of historical browsers (how old is this image?!), the linked article makes the following claim:

"Web security experts recommend using the EV SSL certificate for platforms such as e-commerce, banks, social media, healthcare, government and insurance platforms."

I am not sure who they mean by the first few words, but I know that, apart from banks, this statement simply does not hold water for the other industries. It is easy to show how fundamentally wrong it is.

Here are the world's largest e-commerce sites. Click on each one and see whether it has EV:

  1. Amazon
  2. Netflix
  3. eBay

You could say that Alexa wrongly classified Netflix as an e-commerce site; fine, then look at the next most popular, walmart.com, and you get the same result. No EV anywhere.

Moving on. With social media it is the same story:

  1. Facebook
  2. Twitter
  3. LinkedIn

As discussed earlier, Twitter has a small identity crisis over whether it supports EV, so for accuracy check the fourth-largest site: Pinterest.

On the world's most popular healthcare sites, the same:

  1. National Institutes of Health
  2. WebMD
  3. Mayo Clinic

No EV. None at all. Not a single one.

I could not find a clear list of the largest government websites, so I pulled data from Scott's nightly Alexa Top 1M crawl and picked the largest sites under .gov domains. The National Institutes of Health is the largest, but we have already looked at it, so take the next three:

  1. Unique Identification Authority of India (which has other fundamental problems with HTTPS support)
  2. Income Tax Department of India
  3. GOV.UK

By now you have probably guessed that the chance of finding EV anywhere here is minimal. You're right: not a single hit.

Finally, the top insurance sites :

  1. United Services Automobile Association
  2. Kaiser Permanente
  3. Geico

We found one! USAA really does have an EV certificate! The other two don't, but that's at least something, right?

If "web security experts" recommend EV for these classes of sites, then these sites are obviously not listening to them, which makes the recommendation rather hollow.
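Since the survey above comes down to "look at the certificate and see whether the EV identity fields are there", here is an added example (my code, not the post's or Scott's crawler) that does that check programmatically, and also the expiry check that the earlier renewal discussion said should be automated. It reads certificates in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns; the two sample certificates are constructed and the organisation details in them are invented. The classification is a heuristic on the Subject: the CA/B Forum EV Guidelines require organizationName, businessCategory, serialNumber and jurisdictionCountryName, so a certificate carrying all four is treated as EV, one with organizationName but not the rest as OV, and one with neither as DV.

```python
# Added example: classify a server certificate as DV / OV / EV from its
# Subject and compute how close it is to expiry, using the dictionary
# layout of ssl.SSLSocket.getpeercert(). Sample certificates below are
# constructed; the organisation details are invented.
import socket
import ssl
from datetime import datetime, timezone

# Subject attributes the CA/B Forum EV Guidelines require in an EV certificate.
EV_SUBJECT_FIELDS = ("organizationName", "businessCategory",
                     "serialNumber", "jurisdictionCountryName")

EV_SAMPLE = {  # constructed
    "subject": (
        (("jurisdictionCountryName", "AU"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "123 456 789"),),
        (("countryName", "AU"),),
        (("localityName", "Brisbane"),),
        (("organizationName", "Example Pty Ltd"),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Dec 14 00:00:00 2016 GMT",
    "notAfter": "Dec 14 23:59:59 2018 GMT",   # two-year certificate
}

DV_SAMPLE = {  # constructed
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
    "notBefore": "Oct  1 00:00:00 2018 GMT",
    "notAfter": "Dec 30 00:00:00 2018 GMT",   # 90-day certificate
}


def subject_attributes(cert):
    """Flatten getpeercert()'s tuple-of-RDNs subject into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """'EV', 'OV' or 'DV' based on which identity fields the Subject carries."""
    attrs = subject_attributes(cert)
    if all(field in attrs for field in EV_SUBJECT_FIELDS):
        return "EV"
    if "organizationName" in attrs:
        return "OV"
    return "DV"


def dns_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _as_datetime(value):
    """Accept a datetime, None (now), or a cert-style string such as
    'Dec  1 00:00:00 2018 GMT' (the format getpeercert() uses)."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, str):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)
    return value


def days_until_expiry(cert, now=None):
    """Days left (fractional; negative once expired)."""
    remaining = _as_datetime(cert["notAfter"]) - _as_datetime(now)
    return remaining.total_seconds() / 86400


def renewal_status(cert, now=None, renew_within_days=30):
    """'expired', 'renew' or 'ok'. 30 days is the usual renewal threshold
    for 90-day Let's Encrypt certificates."""
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "expired"
    if days <= renew_within_days:
        return "renew"
    return "ok"


def summarise(cert, now=None):
    attrs = subject_attributes(cert)
    return {
        "level": validation_level(cert),
        "organization": attrs.get("organizationName"),
        "names": dns_names(cert),
        "days_left": round(days_until_expiry(cert, now), 1),
        "status": renewal_status(cert, now),
    }


def fetch_cert(host, port=443, timeout=5):
    """Fetch a host's live certificate (needs network; not used offline).
    The default context verifies the chain first, so getpeercert() is only
    populated for certificates that chain to a trusted root."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    certs = ([(h, fetch_cert(h)) for h in targets] if targets
             else [("ev-sample", EV_SAMPLE), ("dv-sample", DV_SAMPLE)])
    for label, cert in certs:
        print(label, summarise(cert))
```

Run it with hostnames as arguments to inspect live sites, or with none to see the two constructed samples. Note that getpeercert() does not expose the certificatePolicies extension, so this checks the EV Subject fields rather than the CA's EV policy OID; for a survey like the one above that is sufficient, since a certificate without the organisation and jurisdiction fields cannot be EV.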

Another set of unsubstantiated claims about SSL is that EV "increases transaction conversion", "reduces shopping-cart abandonment" and "protects against phishing attacks". You can understand why they make such claims: the reason is visible in the buttons immediately below the text:

So again we are back to obvious bias. But hey, they are just trying to run a business, so I understand the motives. You would still assume that, running such a business, they would want to increase their own conversion, wouldn't you? Well, funny thing:

Even the EV seller is smart enough not to spend money on it! And remember, the "green address bar" itself has now disappeared entirely thanks to the world's most popular browser, which killed it in version 69.

Then there is the phishing argument. It is often claimed that EV somehow reduces it. That is exactly what this slide from an Entrust presentation earlier this year states:

There is a whole heap of nonsense here, and the best analysis is this thread from Ryan Sleevi, who picked apart the study the slide is based on.

Ryan is a very smart cryptographer who works on Chromium, and he has an excellent knack for exposing nonsense clearly. In the end he sums up the situation: "In general, this is a bad paper. But worse, they are trying to pass it off as a "data" study, using flawed methodology and a selective approach to support a business model that relies on users being fully responsible for detecting changes in the user interface."

So we come back to the fact that EV can only be effective if people change their behaviour in response to a change in the UI. In reality people do not know what to look for, the change itself is gradually disappearing, and where it remains it is too subtle for people to notice. Remember the first screenshot in the article, where Safari no longer displays the registered company name from the EV certificate? Compare it with a screenshot of my blog, also opened in Safari on iOS 12:

See the difference? The EV site's URL and the padlock next to it are green, while the DV site's are black. So now, to set the right expectation for users, you would have to tell them to look for green URLs and a padlock... unless they use Chrome, which has removed all the green elements altogether! It is obvious how absurd it is to explain such browser nuances to users, especially given how fast they change.

Returning to the About SSL site, there is a video in which the presenter explains the advantages of EV using the same talking points we have already covered. The video is about 6 minutes, if you have the patience to watch it:

We can skip straight to the interesting part, for example where the presenter (and Comodo product marketing manager) talks about how critical EV is for a financial transaction:

"At the most critical moment, when deciding whether to complete a transaction, this striking visual indicator (the green EV bar) with information confirming the company name, location and certificate authority gives the confidence needed to make a decision."

The point is illustrated with a screenshot of the Excalibur Cutlery & Gifts site. You can probably already feel where this is going... and you are right:

No EV. No commercial DV either, just a perfectly normal free Let's Encrypt certificate. The video looks like something from an archaic era: it opens sites in IE8 on Windows XP... I can't help feeling the situation is somewhat... outdated. It turns out it is:

I would not judge a video from almost a decade ago by today's standards, but the same talking points are made in it as are made today. And of course, an article featuring this video was referenced by a tweet published just a month ago under the guise of an "Essential Guide to Extended Validation SSL Certificates", so everything is fair game.

This is not the first time Comodo has used sites that do not have EV to promote EV. Most recently someone showed me an email from Comodo reminding them about renewal for their domain:

Naturally, he became curious about the site mostlydead.com and wanted to see how the "20% increase in sales" (according to Ken Creece) was going. You know, because EV "increases consumer confidence". It looks like it isn't any more:

The more you dig into the topic, the more you are convinced that EV is... mostly dead. After all, this is not just a random site that moved from EV to DV. This is a site specifically chosen to demonstrate the value of EV! It is meant to be the poster child for EV's value, and Comodo advertises it to this day. Yet we see that Ken Creece has clearly changed his mind about the effectiveness of EV (or perhaps never held that opinion in the first place).

The situation with EV is starting to look like this:

But we are not done yet: I want to mention another site that previously had an EV certificate and has now gone back to DV. This site:

Translator's note: the HIBP website, with its database of breached accounts, was launched by Troy Hunt himself.

I changed the certificate the day before yesterday, and so far nobody has even mentioned it. Nobody. Not a soul, and my audience is far better versed in such things than the average user. Naturally, there was no shortage of people who could have noticed a change in that period:

Almost two years ago I wrote about my journey into the world of EV certificates. As with many of my articles, I learned as I went; I wanted to go through the EV process myself (others had always done it before) and to see whether it really meant anything. At the time I honestly did not know, and I ended the article like this:

"All this EV certificate stuff is hard to measure in terms of value. I have no idea how many more people will check their email address on the service, or how much more media coverage or how many more donations it will receive. No idea at all."

Two years on, I am quite convinced of the conclusion: there is no value. That does not mean having such a certificate is a disadvantage; there are simply no advantages. As the renewal date (14 December) approached, I called and asked for it to be revoked early so I could go back to the free certificate issued by Cloudflare. There was absolutely no reason to pay for renewal (I had paid $472 upfront for a two-year certificate), and no reason to wait for the expiry date other than loss aversion, which makes about as much sense as EV certificates do.

I have often wondered what the point is of paying for EV or DV certificates in an era of freely available certificates. I visit many companies around the world discussing HTTPS, and when I probe this question I regularly hear the phrase "nobody ever got fired for buying IBM". I was looking for a good link to explain the meaning of that phrase and found a great one in Wikipedia's definition of FUD:

"By spreading questionable information about the drawbacks of less well-known products, an established company can discourage decision-makers from choosing those products over its own, regardless of the relative technical merits. This is a recognized phenomenon, epitomized by the traditional axiom of purchasing agents that "nobody ever got fired for buying IBM equipment". The result is that IT departments buy technically inferior software because upper management is more likely to recognize the brand."

In other words, people make uninformed decisions about what they consider "safe" because of marketing FUD. I suspect a similar mentality drives companies that put third-party "security seals" on their websites. They lack the knowledge to understand that these can actually increase risk, but damn, they were so well advertised!

So yes, there is no more EV on HIBP, and nobody will miss it, which is entirely consistent with the experience of others who have dropped extended validation certificates:

"This month we dropped EV, improved TLS handshake speed, and nobody said anything was missing."

"On the payment portal we replaced the EV certificate with @letsencrypt:
- automatic renewal (no long and complicated manual process, reducing the risk of expiry)
- price
- people don't care about the certificate type
- more frequent renewal means faster recovery from a possible compromise"

"We realised that people trust the cute green badge more than our unfamiliar company name. The saving is a bonus."

"I don't agree that it's about price. Target and other giants don't care about $1,000 for a certificate. I think it's about awareness. I know that 18 months ago an EV certificate seemed like a good idea for my .org site. But will I renew it? No! Because I realised how pointless they are."

"I can't say which was the main factor: 1. The need for a wildcard for more flexibility. 2. The cost is no longer justified, especially with several subdomains. 3. Lack of user awareness means hardly anyone noticed the change."

This article turned out long, because every time I sat down to write, new evidence of EV's utter pointlessness appeared. I started taking notes long before some of the events described, including the release of Chrome 69 and the removal of the green address bar, which killed one of EV marketing's main trump cards. EV is not the only technology to die a death of a thousand cuts. Once such certificates were a good product, but the situation is completely different now, and they are just a pointless relic of a bygone era. Browser vendors know this and are acting accordingly. It is only a matter of time before the last nail is hammered into EV's coffin:

Chrome Canary v70 is trialling the removal of EV SSL company names; I wonder whether it will make it into the final release?

When Chrome finally removes the visual EV indicator from the browser (as it already has on mobile, and as Apple did across the Safari line), that will be it, and EV will truly be finished. Perhaps then the FUD will finally end.

I'll leave you with one last small piece of evidence of the utter futility of EV: my talk in London at the start of this year. Here is the moment where I start talking about EV, and it is the interaction with the audience that matters. Watch how a room full of smart techies responds when I ask what visual indicators they expect to see on popular sites. Enjoy!
