Google, Firefox, and Apple certainly think so. Extended Validation (EV) SSLs are effectively being put out to pasture. Upcoming changes to Chrome and Firefox will soon remove the EV badge from their browsers, citing concerns with its diminished reputation for protecting consumers.
Standard vs. EV SSL certificates
If you’re already familiar with SSL certificates and the difference between Standard and Extended Validation (EV) varieties, skip ahead to the Why Are Browsers Burying EV SSL Certificates? section.
SSL certificates are digital certificates that authenticate the identity of a website and allow for secure transmission of credit card data, login credentials, and other sensitive information. Though many types are available, standard SSL certificates provide the padlock icon in most browsers, help make your site PCI-compliant, and are a good choice for most merchants.
In most browsers, sites without SSL certification receive the “Not Secure” label, and anyone clicking on it will read a dire warning.
Furthermore, most browsers also will warn the user before entering any credit card information. Even if they don’t notice the lock, it’s almost impossible to miss the alert upon checkout. This tends to have a chilling effect on most users’ buying experience.
EV SSL certificates attempt to enhance this authentication with a more rigorous (and expensive) validation process. The end result is the addition of the merchant’s established legal identity just to the left of the web address.
In theory, this provides an additional visual cue for consumers, which makes them feel safer and more likely to spend their money on the site. In practice, most consumers don’t notice the absence of a site’s “legal identity,” meaning the EV SSL certificate provide little value to anyone other than the organization selling it.
Why Are Browsers Burying EV SSL Certificates?
In cyber security circles, criticism of EV SSL is not new. The stated goals for EV SSL are 1) to make it harder for phishing scams to fake their online identity, and 2) make consumers feel more safe. Their argument is that EV SSLs are only marginally effective at #1, and utterly ineffective at #2.
The core failing in the “legal identity” tactic against phishing scams is the relative fluidity of those legal identities. The phrase itself is a misnomer, one that falsely invokes images of face-to-face authentication and triple-checked claims. As demonstrated by one industry professional, the methods of identity verification vary by state, with many ranging between “woefully inadequate” and “cursory.” A determined bad actor would have little trouble registering “Identity Verified” or some other devious “legal identity” to dupe unsuspecting consumers into feeling secure.
However, such efforts would likely be wasted, because the same experts claim most users simply fail to notice the presence or absence of the legal identity. Apple has alread removed the visual cue from Safari and Mojave for this very reason. Recently, Chrome and Firefox announced their intent to follow suit, with the former stating:
Users do not appear to make choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.
For Chrome, this takes effect on September 10. The change comes to Firefox on October 22. The legal identifier will still be available, but buried in the interface and only accessible to the determined clicks of a knowledgeable user.
Despite the exaggerated claims of organizations eager to sell EV certificates, most users are content to see the padlock and not see any warnings at checkout, both of which are provided by other, less expensive SSL certificates.
If you have questions about which SSL certificate is right for you, contact our sales team for assistance.