Chrome bumps ineffective EV certificates off the omnibar
Just kidding! If you’re like many people, you have never, ever noticed that Sophos, and plenty of other brands, plunked down money to get their trusted names up there in that combined address/search bar, and there’s a very good chance that you haven’t changed your browsing behavior just because that name was missing.
According to research from Google’s Chrome Security UX team, you’ve gone right ahead and entered your credit card or password even when that badge was missing. So just to keep things simple, and streamlined, and to save precious real estate in the omnibar that’s now being squatted on by names like Sophos, or, say, PayPal, Chrome is going to tuck that badge away under Page Info, which is accessed by clicking the lock icon (which is staying put).
This will happen starting in Chrome Version 77, released today.
Some background: that badge indicates that a company has ponied up for what’s known as an Extended Validation (EV) certificate, which can be displayed in Chrome, in Firefox or in other browsers. When you go to paypal.com, you’ll see that “PayPal, Inc.” text displayed next to the lock, to the left of the site’s address in Chrome’s omnibox.
An EV certificate is one of three types of Transport Layer Security (TLS) certificate: domain-validated (DV), organization-validated (OV) and extended validation (EV). The difference between them is that, from left to right, there’s more rigorous, and more expensive, checking to confirm that you are who the certificate says you are.
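With the badge gone from the omnibar, the validation level still lives in the certificate itself, in the CA/Browser Forum policy OIDs under certificatePolicies. The following is an added example, not code from the article or from Google, that classifies a leaf certificate as DV, OV or EV from those OIDs; it assumes the third-party `cryptography` library is installed, and the certificates it inspects are self-signed fixtures constructed inline so it runs offline.

```python
# Added example (not from the article): classify a TLS leaf certificate as
# DV, OV or EV from the CA/Browser Forum policy OIDs it carries. Assumes the
# `cryptography` library is installed; the certificates are constructed,
# self-signed fixtures so the example runs offline.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# CA/Browser Forum reserved policy OIDs (EV Guidelines / Baseline Requirements).
EV_OID = "2.23.140.1.1"
DV_OID = "2.23.140.1.2.1"
OV_OID = "2.23.140.1.2.2"


def validation_level(cert: x509.Certificate) -> str:
    """Return 'EV', 'OV', 'DV' or 'unknown' based on certificatePolicies."""
    try:
        policies = cert.extensions.get_extension_for_oid(
            ExtensionOID.CERTIFICATE_POLICIES).value
    except x509.ExtensionNotFound:
        return "unknown"
    oids = {p.policy_identifier.dotted_string for p in policies}
    if EV_OID in oids:
        return "EV"
    if OV_OID in oids:
        return "OV"
    if DV_OID in oids:
        return "DV"
    return "unknown"


def make_test_cert(policy_oid, org=None) -> x509.Certificate:
    """Constructed self-signed leaf carrying one policy OID (fixture only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")]
    if org:  # DV certs name no organization; OV/EV identify the company
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.CertificatePolicies(
                [x509.PolicyInformation(ObjectIdentifier(policy_oid), None)]),
                critical=False)
            .sign(key, hashes.SHA256()))


if __name__ == "__main__":
    for oid, org in ((EV_OID, "Example EV Corp"), (OV_OID, "Example Corp"), (DV_OID, None)):
        cert = make_test_cert(oid, org)
        print(validation_level(cert), cert.subject.rfc4514_string())
```

A real site certificate can be loaded with `x509.load_pem_x509_certificate` and passed to `validation_level` in the same way; the result is what Chrome now shows only under Page Info.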
But in order for EV certificates to deliver that extra security, users have to actually recognize what the presence of the EV badge means, and therefore what its absence means, and then actually change their behavior when the badge is missing.
But no, that’s not what happens. Google user testing says that users don’t make different decisions in the absence of an EV certificate.
As Google’s Devon O’Brien explained in a Chromium forum post on Sunday:
The Chrome Security UX team has determined that the EV UI does not protect users as intended.
Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.
The EV badge not only takes up valuable screen real estate, he said. Sometimes, it also prominently displays “actively confusing” company names. All of that gets in the way of Google’s push toward “neutral, rather than positive, display for secure connections,” O’Brien said.