An EV SSL certificate (Extended Validation SSL certificate) is the highest level of SSL certificate on the market. While all the SSL levels (Domain Validated, Organization Validated and Extended Validation) provide data integrity and encryption, they differ in the extent of identity validation behind them and in how they are displayed in web browsers.
What verified information is available in an EV SSL certificate?
As part of EV SSL certificate verification, the website owner must pass a set of global identity verification processes that have been standardized by the CA/Browser Forum. These processes ascertain the owner's right to use the domain, confirm the entity's physical, operational and legal existence, and establish that the entity has approved the certificate issuance. This verified identity information is included in the certificate, and some of it, including the name of the business and the country, can be displayed directly in web browsers. The EV SSL certificate also includes information about the issuing CA.
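The identity fields described above can also be read outside the browser. As an added example (not part of the original article), this Python code summarises the organization, country and issuing CA from the dict returned by the standard library's `ssl.SSLSocket.getpeercert()`; the sample certificates and the EV/OV/DV classification by subject fields are constructed for illustration.

```python
import socket
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require in an EV certificate.
EV_REQUIRED = {"organizationName", "businessCategory", "serialNumber",
               "countryName", "jurisdictionCountryName"}

def flatten(name):
    """Turn getpeercert()'s tuple-of-RDNs name into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def identity_summary(cert):
    """Summarise the validated identity carried in a getpeercert() dict."""
    subject = flatten(cert.get("subject", ()))
    issuer = flatten(cert.get("issuer", ()))
    # Heuristic only: the formal EV marker is a policy OID in the
    # certificatePolicies extension, which getpeercert() does not expose.
    if EV_REQUIRED.issubset(subject):
        level = "EV"
    elif "organizationName" in subject:
        level = "OV"
    else:
        level = "DV"
    return {"level": level,
            "organization": subject.get("organizationName"),
            "country": subject.get("countryName"),
            "issuing_ca": issuer.get("organizationName") or issuer.get("commonName")}

def fetch_cert(host, port=443, timeout=5):
    """Fetch a validated live server certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() form (not real issuances).
SAMPLE_EV = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),),
                (("serialNumber", "0000000"),),
                (("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA Ltd"),),
               (("commonName", "Example EV CA"),)),
}
SAMPLE_DV = {"subject": ((("commonName", "blog.example.com"),),),
             "issuer": SAMPLE_EV["issuer"]}
```

Against a live site, `identity_summary(fetch_cert(host))` returns the same summary for the certificate the server actually presents.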
Where do you find the details of an EV SSL certificate in Chrome?
EV SSL certificates have long been known for having browsers display the company information from the certificate directly in the address bar. This was done to give visitors confidence in the trustworthiness of the website.
Where you can find EV SSL certificate details in Chrome depends on the version of the browser you are running. The address bar view in Chrome for EV SSL certificates changed with the release of Chrome 77 on September 10, 2019. If you visited a secure website prior to Chrome 77, you could see a visible indicator, the "company name", next to the lock to the left of the website address in the address bar. Beginning with Chrome 77, you will just see a lock icon, and the company name will not be shown in the address bar.
No EV SSL certificate information is lost in Chrome 77, though, as your browser still has the information; what has changed is how you get to it. In Chrome 77, you can get to the details of the EV SSL certificate by clicking on the padlock shown to the left of the website URL in the address bar. This will open a bubble displaying the required information.
Why has Chrome 77 changed the EV SSL certificate display?
In effect, all the different kinds of SSL/TLS certificates serve the single purpose of encrypting the communication between the website and the browser. The security UX team at Google undertook research and conducted surveys based on prior academic work. They concluded that the EV SSL indicator user interface was not contributing as much to the protection of users as was originally intended.
The Chrome UX team found that users were not treating the EV indicator as a sign of a secure choice when entering passwords or credit card information on a website. Moreover, the team decided that the EV SSL certificate indicator was taking up valuable space on the screen and had become useless in conveying security information and website authenticity to users. At the same time, Chrome has been pushing towards a more neutral, rather than positive, depiction of secure connections.
All these factors contributed to the team deciding that there was limited utility in displaying the EV SSL certificate information as part of the main user interface and that this information could be better represented in the page information bubble.
The EV SSL user interface change in Chrome 77 is part of a wider trend
Removing the company information from the EV SSL certificate user interface is part of a wider trend in the browser world. Almost all modern browsers are moving towards this approach to improve their security user interface surfaces to meet the latest common understanding of this problem area. Apple announced a similar change in Safari back in 2018. This change was made to Safari at the time macOS 10.14 and iOS 12 were released and has been part of Apple's offerings since then.
Need for a common user interface for EV SSL certificate information
While these changes to how browsers show EV SSL certificate details are still being debated in the industry, some requirements are clear.
There is a need for developing common user interface features across mobile devices, desktops and laptops. This would require that the browser community engage with the CAs to find ways that will help users in making good security decisions based on the identity information that is available.
Common user interface initiatives have proved to be highly successful in some other domains. For example, the international standardization of the STOP sign has led to much safer roads for people who travel between different countries.
The good thing is that the EV SSL certificate information is still available in the browser and you can still get to it, though it may take an extra click on the padlock in Chrome 77.