Issuing an Extended Validation (EV) SSL is a complex, resource-intensive and time-consuming process. The benefit, in terms of enhanced encryption, is net-zero. All SSLs, from Domain Validated (DV) SSLs to EV SSLs, use exactly the same cryptographic protocols; the only difference is the time and effort spent on verification before the SSL is issued.
Years ago, on HTTPS websites using EV certificates, Chrome would display a green EV badge in the address bar, but since version 77 Chrome has moved this UI to ‘Page Info’, which is accessed by clicking the lock icon. Similarly, Firefox removed the EV indicators from the identity block. So anyone checking that an SSL is present cannot discern between an EV, OV or DV SSL from a visual URL check.
The Visible Trust Indicators No Longer Stack Up
Several years ago, an EV SSL would display the organizational name in the browser and activate the green address bar, but today these key selling points no longer exist.
Even browsers are questioning the value of EV SSL
On the issue of EV, Chrome announced:
Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.
Registrars and Resellers still pushing EV SSL
We find it concerning that some Registrars still push EV SSLs on their clients, despite the clear lack of value. This seems to be a purely money-motivated position because EV SSLs demand higher prices than their OV and DV compatriots. brandsec no longer recommends EV SSLs because our view is that they provide limited value in terms of encryption and bang for buck.
About brandsec
Brandsec is a corporate domain name management and brand protection company that looks after many of Australia, New Zealand and Asia’s top publicly listed brands. We provide monitoring and enforcement services, DNS, SSL Management, domain name brokerage and dispute management and brand security consultation services.