Browsers alter the display and notifications for SSL certificates
15 August 2019
A lot is happening with regard to the display of HTTP and HTTPS by the different browsers. They are working on improving the recognisability of secure websites and the strive to HTTPS by default for some time now.
Warnings for HTTP become more serious
From version 70, the widely used web browser Mozilla Firefox will mark all webpages without HTTPS as insecure. Mozilla follows Google Chrome's example, who warns for unsecure connections already since 2018, followed by Safari by March this year. For some time Firefox has been warning when input fields are not secured - it shows a 'Not Secure' warning in the address bar. Today at least 80% of all webpages use a secure HTTPS connection, therefore Mozilla thinks the time has come for a negative HTTP indication instead of a positive HTTPS indication. Therefore, Firefox will show a 'Not Secure' warning for every webpage without an SSL certificate, starting from Firefox version 70, scheduled for October this year. The same warning will be shown for insecure FTP-connections and certificate errors.
Changes in EV SSL display
Chrome has been busy for some time with a switch to HTTPS as default, and simplifying the display of domain names. For example, the current version (76) no longer shows www or http / https, and the display of an EV SSL certificate is no longer green. The company name is shown immediately, which makes it clear to visitors that they are on the website of the right organization.
On August 12 Mozilla and Google announced that Firefox from version 70 (as of 22 October) and Chrome from version 70 (as of 10 September) will remove the company name and country code from the URL bar for all EV SSL certificates. The company name is then shown in the Page Info block, this is the pop-up that you will immediately see when you click on the lock next to the domain name in the url bar.
EV display in Chrome 77
EV display in Firefox 70
Why these changes?
It is evident that this change has a significant impact on EV SSL, and therefore provokes discussion. The browsers give the simplification of the display of SSL and the move to HTTPS as standard as a motivation. They also indicate that the current display takes up too much space, and that research shows that EV SSL has too little influence on visitor behavior.
On the other hand, CAs and other parties who value the the authentication property of SSL, state that the announced adjustment will only cause more confusion among users and therefore unsafe behavior. And despite the fact that the EV system is not flawless at the moment, it offers much more certainty than certificates without company data.
Does EV SSL have any added value left?
Recently, the use of SSL for phishing websites has increased substantially. Domain Validation (DV) certificates without company data are used for this, because their issuing process is less strict and they are inexpensive or even available for free. Due to the strict controls needed for EV issuance, EV considerably reduces the chance of phishing websites.
The notable appearance of EV, the company name in green, will soon not be shown anymore. Despite the decreased visibility, because of the strict validation, an EV certificate still has added value in the sense of a better identity guarantee. And when a visitor doubts the authenticity of a website, he can check the identity of the website owner with one click on the lock. Something that becomes even more important due to the substantial increase in the abuse e of DV certificates for phishing purposes.
The company name is shown with EV SSL by clicking on the lock in the Page-Info pop-up. It says: "Issued to: Company". An Organisation Validation (OV) certificate does not show this 'Issued to', the company name is only shown when you open the certificate, while a DV certificate contains no company information at all.
To promote the importance of SSL certificates with company data, and to improve the EV SSL process, a number of CAs established the London Protocol in June 2018. They strive for a clear representation of EV by all browsers and more focus on security awareness among users. This shows the developments in this area are dynamic and not final.