The end of Extended Validation certificates


Mattias Geniar, April 03, 2019


You know those certificates you paid 5x more for than a normal one? The ones that are supposed to give you a green address bar with your company name imprinted on it?

It’s been mentioned before, but my take is the same: they’re dead.

That is to say, they’ll still work, but they don’t warrant a 5x price increase anymore. Because this is what an extended validation certificate is supposed to look like on Chrome.

And this is what it looks like for some users that are part of a Chrome “experiment”.

Notice the difference?

It looks exactly the same as a free Let’s Encrypt certificate, like the one we use on Oh Dear!. That green bar – the one we paid extra for – is gone.

Those who are part of the Chrome experiment will notice this message in their Developer Console.

As part of an experiment, Chrome temporarily shows only the lock icon in the address bar.
Your SSL certificate with Extended Validation is still valid.

My feeling is it won’t be temporary. There’s little to no added value to EV certificates; users don’t look at them. From a technical point of view, they’re also just certificates. They encrypt your traffic just like a Let’s Encrypt certificate would.
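To make the "just certificates" point concrete, here is an added example (not from the original post): a certificate labels its validation level with a CA/Browser Forum policy OID in the certificatePolicies extension, while the key and signature algorithms are the same at every level. `SampleCert`, `ValidationLevel` and `example.test` are hypothetical names, and the certificates are constructed self-signed fixtures, not real CA-issued ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// ValidationLevel maps CA/Browser Forum policy OIDs in certificatePolicies to a level.
func ValidationLevel(c *x509.Certificate) string {
	levels := map[string]string{"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV"}
	for _, oid := range c.PolicyIdentifiers {
		if level, ok := levels[oid.String()]; ok {
			return level
		}
	}
	return "unknown"
}

// SampleCert builds a constructed, self-signed test certificate asserting one policy OID.
func SampleCert(policy ...int) (*x509.Certificate, error) {
	type policyInfo struct{ ID asn1.ObjectIdentifier }
	val, err := asn1.Marshal([]policyInfo{{policy}}) // certificatePolicies body
	pub, key, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("fixture setup failed: %v, %v", err, err2)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		// 2.5.29.32 is the certificatePolicies extension; added raw so it is emitted as-is.
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if c, err := SampleCert(2, 23, 140, 1, 1); err == nil {
		fmt.Println(ValidationLevel(c), c.PublicKeyAlgorithm, c.SignatureAlgorithm)
	}
}
```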

Today, I wouldn’t bother buying Extended Validation certificates anymore. I wouldn’t even renew them; I’d go for automated, often-rotated Let’s Encrypt certificates instead.

(Oh, and if you’re going that route, give Oh Dear! a try to help monitor your expiration dates and chains. Just to feel safe.)


