EV certs are dead, opines infamous Aussie infosec MVP

public://webform/writeforus/profile-pictures/richi-2016-480.jpg
Richi Jennings, Industry analyst and editor, RJAssociates

[ Webinar: Get Started with Seamless App Sec in a Single Day (Jan. 23) ]

Extended Validation certificates: So long, we hardly knew ye.

That, at least, is the conclusion of our old mate Troy Hunt, the figurehead behind haveibeenpwned.com. He maintains that EV certs never really solved the problem they claimed to, and have become pointless after recent changes to how browsers display URLs (see also SecBW passim).

Strewth! Fair suck of the sav, EV is cactus. It’s Security Blogwatch, yous galahs.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: LED printers 

State of Security Operations 2018: Go Inside World SOCs

EV certs RIP

What’s the craic? Troy Hunt makes the call—Extended Validation Certificates are Dead:

I'm calling it - extended validation certificates are dead. … Their usefulness has now descended from "barely there" to "as good as non-existent."

[It’s due to] increasing use of mobile devices, removal of the EV visual indicator by browser vendors [including] Safari on iOS [and] Mac OS Mojave. … We're approaching two thirds of all browsing being done on mobile which means that [that is] the predominant browsing experience any website owner should be considering.

Companies cannot tell their customers to expect EV because most of them will never see it. … You know what makes people think the website is "secure"? When the website says "secure" … next to the URL in the browser … Paradoxically, you only get the "secure" indicator when not using an EV cert.

And in case you're reading this and thinking "hang on, Chrome doesn't do that anymore", you're completely right.

Which brings me to the second point: Certificate renewal should be automated and that's something that you simply can't do once identity verification is required. [Plus] the risk presented if [you need] to quickly get … a new cert (i.e., due to key compromise) as the hurdles you have jump over are so much higher.

As it turns out, many sites are actually removing EV certs. … From Shutterstock to Target to UPS to Visa to the UK police [to] Twitter. …
The world's top shopping sites … no EV. … Social media … the same deal. … The world's most popular health sites … nada. … Global government websites … not a single EV cert to be seen.

Nobody who's actually thought through the logic of EV properly is actually … recommending EV.

What is it good for? Absolutely nothing, according to niftich:

EV—or rather, people's mental model of the trust that EV confers—is broken. People typically care about whether the site they arrived at was the one they were intending to visit, which the computer can't possibly know.

But EV has attained a role of serving as a flawed signal of such, because the browser bar said something that doesn't look alarmingly different.

Literally everyone who'd want to visit Facebook knows Facebook's URL. User error about entering credentials on the wrong site … is better mitigated in other ways: multi-factor authentication … not by making the high-profile site pay thousands of dollars for a text string in green, when there's users who fall victim to phishing from bizarre domains too.

Stick a fork in it? GiantKiwi is hugely thankful for the obituary:

I can use this as further reasoning to completely ditch EV's in favour of the free LE certs at work.

Although, it's not like i've been paying much attention to them, currently got about 40 LetsEncrypt certs applied to various things, vs 2 remaining EV's.

And here’s “concerned human being” Steve Ibach:

I work in tech and many people I talk to don’t even know what EV certs are.

People like Chris Martin? @chris__martin:

I've been wondering why occasionally there'd be a company name next to the cert icon. It always looked sketchy as hell.

To assure your users of security, you want to look like everything's normal and familiar, not have something weird.

Doesn’t anyone have anything nice to say about EV? Robbing the poor to give to the rich, it’s Evan Hood: [You’re fired—Ed.]

Since we know "Revocation is broken", isn't the remaining benefit of EV certs the fact that browsers DO check EV cert revocation? For some organisations, that should be worth the price of the cert alone, no?

And snowwrestler offers this example:

EV does not provide better technical security than DV, it provides better information for following up on problems.

If Alice thinks Bob ripped her off, she can look at the EV cert on example.com to get the legal name of Bob's business and the locality in which it is incorporated, and file a complaint against him.

But linsomniac takes issue with the core of Hunt’s reasoning:

Another way to look at this … browsers are killing EV certs.

That seems to be the bulk of the point … EV certs are dead because, especially on Mobile, you can't even tell they are there. [Hunt] doesn't really, in my mind, support the case that EV certs never were worth anything.

I definitely liked to see them when I went to my banks and the like. But I'll admit that I don't remember which ones had them and which didn't.

So WorldMaker terraforms this neat riposte:

This is a core point … no one knows.

EV certificates are useless, not … because the browsers are dropping them, the browsers are dropping … EV certificates because they are useless for actual security. … Like the "take your shoes off at the airport," it only really helped you from maybe blowing up your own foot.

As if to illustrate the point, here’s Tay:

PayPal’s EV TLS certificate is showing as just a normal certificate and literally two people on the entire planet even noticed.

And they’re both TLS nerds.

But what of site authentication? How do you know that the site you're talking to is actually who you think it is? Our taxi’s here—ubernostrum:

[It] is still genuinely hard, because even extremely technically literate security-savvy people can still easily be phished. … Compounding the problem, many people insisted, for many years, that [it] was the overwhelming majority of all the value of SSL/TLS.

Meanwhile, can you hear the drums, Fernando Miguel? @BlnaryMlke:

We dropped our EV this month, improved TLS handshake speed, and no one single feedback came in saying they missed it.

The moral of the story? Think twice before paying extra for a green bar that people don't look for and no longer appears anyway.

And finally …

“If you’re among the 85% of people who don’t know what an LED printer is, then prepare to have your mind mildly blown.”


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Olaf (cc0)

Topics: Security