The end of Extended Validation certificates

Mattias Geniar, Wednesday, April 3, 2019

You know those certificates you paid 5x more for than a normal one? The ones that are supposed to give you a green address bar with your company name imprinted on it?

It's been mentioned before, but my take is the same: they're dead.

That is to say, they'll still work, but they don't warrant a 5x price increase anymore. Because this is what an extended validation certificate is supposed to look like on Chrome.

And this is what it looks like for some users that are part of a Chrome "experiment".

Notice the difference?

It looks exactly the same as a free Let's Encrypt certificate, like the one we use on Oh Dear!. That green bar -- the one we paid extra for -- is gone.

Those who are part of the Chrome experiment will notice this message in their Developer Console.

As part of an experiment, Chrome temporarily shows only the lock icon in the address bar.
Your SSL certificate with Extended Validation is still valid.

My feeling is it won't be temporary. There's little to no added value in EV certificates: users don't look at the indicator. From a technical point of view, they're also just certificates. The TLS session they authenticate is encrypted exactly the same way as one set up with a Let's Encrypt certificate; the only thing that marks a certificate as "EV" is metadata inside it (a certificate policy identifier and a few extra subject fields), and it is the browser that decides whether to show anything for it.
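To make the "just certificates" point concrete, here is an added example (not code from the original post): a stdlib-only Python script that encodes two constructed certificatePolicies extension values in DER, parses them back and classifies the validation level from the CA/Browser Forum reserved policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV). The CA-specific policy OIDs under 1.3.6.1.4.1.99999 and the CPS URL are made up for the example. Note what is absent: nothing about the key, the cipher suite or the handshake, because none of that differs between an EV and a DV certificate.

```python
"""Classify a certificate's validation level from its certificatePolicies extension.

Added example, not from the original post. Only the Python standard library is used.
certificatePolicies ::= SEQUENCE OF PolicyInformation
PolicyInformation   ::= SEQUENCE { policyIdentifier OID, policyQualifiers SEQUENCE OPTIONAL }
"""

# CA/Browser Forum reserved certificate policy identifiers (real values).
CABF_POLICY = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    """Wrap body in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def iter_tlv(buf):
    """Yield (tag, body) for each DER element in buf."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length


def policy_oids(ext_value):
    """Return the policyIdentifier OIDs from a certificatePolicies extension value."""
    tag, body = next(iter_tlv(ext_value))
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids = []
    for ptag, pbody in iter_tlv(body):
        assert ptag == 0x30, "PolicyInformation must be a SEQUENCE"
        otag, obody = next(iter_tlv(pbody))  # first element is the OID; qualifiers are skipped
        assert otag == 0x06, "policyIdentifier must be an OID"
        oids.append(decode_oid(obody))
    return oids


def validation_level(oids):
    """Map the first CA/Browser Forum reserved OID found to EV/OV/IV/DV."""
    for oid in oids:
        if oid in CABF_POLICY:
            return CABF_POLICY[oid]
    return "unknown"


def policy_info(policy_oid, cps_url=None):
    """Build one PolicyInformation, optionally with an id-qt-cps qualifier (1.3.6.1.5.5.7.2.1)."""
    parts = encode_oid(policy_oid)
    if cps_url:
        qualifier = der(0x30, encode_oid("1.3.6.1.5.5.7.2.1") + der(0x16, cps_url.encode("ascii")))
        parts += der(0x30, qualifier)
    return der(0x30, parts)


# Constructed sample extension values. The 1.3.6.1.4.1.99999.x OIDs and the CPS URL
# are made up for this example; the 2.23.140.1.x values are the real CABF ones.
EV_EXTENSION = der(0x30, policy_info("1.3.6.1.4.1.99999.1", "https://ca.example/cps")
                   + policy_info("2.23.140.1.1"))
DV_EXTENSION = der(0x30, policy_info("2.23.140.1.2.1")
                   + policy_info("1.3.6.1.4.1.99999.2", "https://ca.example/cps"))

if __name__ == "__main__":
    for name, ext in (("EV sample", EV_EXTENSION), ("DV sample", DV_EXTENSION)):
        oids = policy_oids(ext)
        print(name, oids, "->", validation_level(oids))
```

On a real certificate the same function applies to the value of the extension with OID 2.5.29.32; `openssl x509 -noout -text` prints the policy OIDs under "X509v3 Certificate Policies". Browsers that showed the green bar kept a per-CA whitelist of EV policy OIDs, so the bar was a UI decision layered on this metadata, not a property of the connection.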

Today, I wouldn't bother buying Extended Validation certificates anymore. I wouldn't even renew them; I'd go for automated, often-rotated Let's Encrypt certificates instead.

(Oh, and if you're going that route, give Oh Dear! a try to help monitor your expiration dates and chains. Just to feel safe.)



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


Comments

Steven De Coeyer Wednesday, April 3, 2019 at 13:04

Isn’t the validation process different? As in: they do rigorous checks on your company versus only checking DNS/mail/whatever.

You could argue those extra checks are bogus, but it’s definitely different from a regular certification. Or am I mixing things up here?


OhMyDeer Wednesday, April 3, 2019 at 17:20

You are right Steven.
They do really check by placing a phone call and sending printed documents to your company address to be signed.
Indeed, its encryption level is the same as LE or standard DV and OV.
The difference is in the enrollment procedure that should guarantee authenticity and trust of the company requesting it.

The main concern about SSL certificates is that all of them are losing their intrinsic trust.
See https://www.zscaler.com/blogs/research/february-2018-zscaler-ssl-threat-report.

Regards,


Mattias Geniar Wednesday, April 3, 2019 at 19:59

You could argue those extra checks are bogus, but it’s definitely different from a regular certification

Yup, you’re absolutely right. But the thing is, none of that matters.

It’s perfectly possible – albeit more work – to get an EV certificate with the same organization name attached to it. All you need is an organization with the same name in a different location, and that’s not very hard to do.

If what we want is encryption and perhaps data anonymity in transit, all certificates are the same. If we want a mechanism to validate the authenticity or ownership, I believe methods like certificate pinning are more robust (and annoying to manage) than EV certificates.


Peter Friday, April 5, 2019 at 13:13

The thing is, when you visit a bank you see the name of the bank. One could register a domain name similar to a bank's name and obtain a Let's Encrypt certificate, and the average visitor might think he's secure because of the lock in the URL bar. So I would argue that EV certificates have not lost their use entirely.


Mattias Geniar Monday, April 8, 2019 at 07:22

One could register a domain name similar to a bank’s name and obtain a Let’s Encrypt certificate, and the average visitor might think he’s secure because of the lock in the URL bar

This is still possible today, as proven by this fake Stripe EV certificate.

The problem with EV is that it validates *a* business name, not necessarily the one of the site you’re visiting. I can start a legit company with a name similar to a bank in a less-regulated country and get approved for an EV certificate.

It takes more effort, but it's still fakeable. TLS is transport security, not proof of ownership. EV tried to make it proof of ownership, but that's not its purpose.


Mike Thursday, April 11, 2019 at 11:33

The biggest issue is that users will not avoid a web page that does NOT have an EV cert, which means that they don’t work to protect users. EV certs just don’t offer value – they’re more expensive (time, effort and money) and yet don’t change user behaviour.

