Sectigo’s chief compliance officer has hit out at Google for minimizing the visibility of Extended Validation HTTPS certificates in Chrome.
These are the certificates that contain verified details about the owner of the cert, such as its legal name, government-issued business ID number, and physical location. These records could be displayed in, or be easily accessible from, the browser’s address bar. This information is manually verified by humans at the certificate issuer prior to the cert being handed over. The idea being that if someone arrives at a website and wants to be certain it’s operated by, say, their bank, they can check the verified details of the owner and see that, indeed, yes, it is their bank.
Google all but hid these extra details in a Chrome update a couple of years ago, arguing that netizens couldn’t care less if a site is protected by an EV or a vanilla HTTPS cert – it won’t stop them putting in their credit card number or password. Others in the industry have questioned the usefulness of EV certs.
In a chat with The Register, Sectigo CCO Tim Callan said his biz, which among other things is one of the biggest sellers of EV HTTPS certificates, was “going to remove street and postal information from all of our public sites,” seeing as Google thinks no one cares where a business is based.
In some browsers, it’s very difficult to even find it. And you have to really know what you’re doing
“Once upon a time, if you went back to the 2000s, that information was very visible in the browser,” Callan said, “and it was considered to be an important value-add, because when I went to your browser, I could drop down and I could see where this business was located.”
Over the years, however, browser makers have given the “little green padlock” increasingly less prominence, said Callan – and by browser makers, he means one in particular: Google.
“Like in some browsers, it’s very difficult to even find it. And you have to really know what you’re doing… Firefox does a good job of displaying certificate information around but in Chrome, that stuff is buried. Burying is such an awkward word. But that’ll do – burying of that information.”
Burying is indeed what the number-one browser-maker did: when visiting a website that uses an EV HTTPS cert, desktop Chrome 88 displays the owner’s legal name under the heading ‘Certificate’ when you click on the now-grey padlock icon in the URL bar. To get to the location, you need to click on the name, then in the pop-up box click on the ‘Details’ tab, scroll to the ‘Subject’ certificate field and then squint at the records in the ‘Field Value’ box, in which you’ll hopefully find the business serial number and official physical location.
With desktop Firefox 78, you click on the grey padlock in the URL bar, and see the verified name in a drop-down box; click on the right-pointing arrow, and it opens up a panel containing the legal name and address. And this is after Firefox’s developer Mozilla also downgraded the prominence of EV certs: what used to be a green indicator in the URL bar is now text in a dialog box. Apple’s Safari followed suit.
Callan said Google had justified its move within the browser security certificate community by insisting the decision was “data driven.” The Chocolate Factory said at the time: “The Chrome Security UX team has determined that the EV UI does not protect users as intended … users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed.” Thus, we’re told, it doesn’t matter if the EV info is obvious or hidden away.
Had a bad weekend? Probably, if you’re a Sectigo customer, after root cert expires and online chaos ensues
“Sure, after you have systematically removed everything that a consumer would see,” sniffed Callan, comparing the certificate to “hazard lights in my car.” He said: “I will use them once a year. But when I need them, I need them. And I need to know where they are. And the fact that I don’t use them 364 days a year does not diminish their importance on that other day.”
A couple of years ago, the CA/Browser Forum, the industry’s standards-setting body, mulled cutting new HTTPS certificate lifetimes by half, from 27 months to 13 months, at the suggestion of Googler Ryan Sleevi. This would mean certificate-buying organizations would need to renew them roughly annually, thus theoretically boosting revenues for certificate issuers – unless said organizations use free certificates from Let’s Encrypt, which is backed by, among many others, the Google Chrome team.
The argument for shorter certificate lifespans is that it encourages organisations to use the latest and greatest encryption protocols with their certs, and minimises the damage potentially done if a certificate falls into the hands of fraudsters: the crooks can only masquerade as a legit outfit with the certificate for no more than about a year. Let’s Encrypt’s free vanilla certs are valid for 90 days at a time, and it provides tools to automate their regular renewal.
Sectigo, meanwhile, charges $465 a year for a multi-domain EV HTTPS certificate, if you purchase one for five years; the price goes up if you opt for a shorter duration. That does come with 24-hour support, we note. Whether or not you agree that Extended Validation certs are useful, it is in Sectigo’s interests to have browsers prominently display the certificates’ embedded data, or else its EVs are mostly pointless.
Google has long championed the widespread adoption of HTTPS, seeking for it to be the default, secure protocol for fetching web content everywhere for everyone. Its love for HTTPS stops at EV, it seems.
A spokesperson for Google was not available for comment. ®