After news broke that Chrome and Firefox are relocating Extended Validation (EV) indicators, users began questioning if they’re worth having.
Where Did Extended Validation Certificates Go?
In the new Chrome 77 release, the EV badge will display under “Page Info”, accessed by clicking on the lock icon in the URL bar. Even if web browsers are relocating SSL security indicators, Extended Validation certificates prove to be more important than ever in today’s digital age. In this article we’ll tell you how and why that is.
In Chrome 77 Extended Validation certificates display under “Page Info”
SSL Security Awareness: Reward Vs. Punishment
To understand the importance of Extended Validation certificates, we first need to understand why web browsers are making these changes. Google and other browser makers are shifting their strategy from a reward-based approach to a punishment-based one. Instead of relying on website owners to implement SSL encryption for the obvious positive rewards, including improved search ranking, increased trust, conversions and more, they are turning to negative conditioning.
Browsers are playing up the negative effects of not having SSL with warning signs and error messages. In addition, they are using other scare tactics to deter users from visiting non-secure websites. By removing positive indicators and doubling down on the negative, they hope to scare owners into implementing SSL.
Do Users Care About Extended Validation Certificates?
Now that we know why they are removing positive indicators, we need to look at how this will affect users. One argument for removing signs of Extended Validation certificates in the URL is that it doesn’t make a difference.
“Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed” – Chrome announcement
The argument is that users do not change their intentions when they see certain security indicators, such as a lock, a green address bar, or an entity name in the URL bar. Likewise, their behavior isn’t going to be any different in the absence of these indicators. Since this is the case, there is no purpose in keeping security indicators in the browser UI. Hence the decision to relocate the entity name of Extended Validation certificates to “Page Info”.
If Users Don’t Care, Businesses Sure Need To
Although it now requires an additional click for users to access the visual security indicators of Extended Validation certificates, they are more important than ever. Here are 5 reasons why:
1. Rise of phishing scams
First, free and Domain Validated (DV) SSL secure websites will become the new standard for cyber attacks. Moreover, adding any old SSL certificate to a website will remove negative security indicators in browsers, so that’s exactly what phishers and scammers will do. All it takes is investing a little more seed money or effort into their plans with a free or basic DV SSL certificate. The additional effort is worth it when such high stakes are on the line.
Furthermore, the new browser updates make it hard to tell the difference between a malicious website and a legitimate business. For this reason, it is more important than ever for companies to differentiate their digital assets with Extended Validation certificates.
Case Study: PayPal
Many if not all phishing filters use EV certificate information to help distinguish valid companies and their sites from phishing sites. PayPal, for example, has more impostors than anyone else. Phishing sites are created and secured with DV certificates all the time under cybersquatted domain names like pay-pal.com and paypalverification.com. Phishing scanners can check PayPal’s Extended Validation certificates to see that they have been validated as belonging to the correct company and site.
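The check described above, as an added example rather than code from the original article: it classifies a certificate by the identity attributes in its subject and accepts a site only when an EV-style subject names an expected organization. The sample certificates, the `EXPECTED_ORGS` allow-list and the function names are constructed for illustration; a production scanner would also confirm the CA/Browser Forum EV policy OID (2.23.140.1.1), which `getpeercert()` does not expose.

```python
# Added example: the subject check a phishing scanner can apply.
# Certificates use the dict layout of ssl.SSLSocket.getpeercert(), which is
# only populated after the chain has validated. Sample data is constructed.

# Subject attributes the EV Guidelines require in addition to the domain name.
EV_SUBJECT_FIELDS = {"organizationName", "businessCategory",
                     "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten getpeercert()'s tuple-of-RDNs subject into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Heuristic level from the subject alone (policy OIDs are not exposed)."""
    fields = subject_fields(cert)
    if EV_SUBJECT_FIELDS <= fields.keys():
        return "EV"
    if "organizationName" in fields:
        return "OV"
    return "DV"  # domain control only: no validated organization identity

def assess(cert, expected_orgs):
    """Return 'verified' only for an EV subject naming an expected organization."""
    org = subject_fields(cert).get("organizationName")
    if validation_level(cert) == "EV" and org in expected_orgs:
        return "verified"
    return "unverified"

# Constructed samples: an EV-style subject and a DV subject for a lookalike name.
SAMPLE_EV = {"subject": (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),),            # placeholder registration number
    (("organizationName", "PayPal, Inc."),),
    (("commonName", "www.paypal.com"),),
)}
SAMPLE_DV = {"subject": ((("commonName", "pay-pal.com"),),)}
EXPECTED_ORGS = {"PayPal, Inc."}               # assumed allow-list for the brand

if __name__ == "__main__":
    for cert in (SAMPLE_EV, SAMPLE_DV):
        name = subject_fields(cert)["commonName"]
        print(name, validation_level(cert), assess(cert, EXPECTED_ORGS))
```

An EV-style subject issued to a different organization is still reported as unverified, because the level alone says nothing about which company was validated.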
2. Responsibility shifts to users
Businesses can only do so much as far as investing in the highest levels of security with Extended Validation certificates. The rest is up to the users, and browsers aren’t making it easy on them. In fact, browsers are making things more difficult for users by relocating crucial SSL security indicators.
As more and more attackers adopt free and DV SSL solutions, users will need to take necessary precautions to stay safe online. Further, as businesses we have a responsibility to uphold the highest standards of security. We need to educate and encourage users to make the extra effort in checking for SSL.
3. Extended Validation certificates help businesses cover their asse(t)s
If the argument is that Extended Validation certificates are not relevant or necessary because of a UI redesign, we beg to differ. Not all SSLs are the same, nor will they ever be just because they appear the same at a first glance.
One thing Extended Validation certificates offer that other SSL options cannot is higher warranties and liability protections. It may not matter to scammers which SSL they use. However, for companies with significant security requirements, this is a different story. When we are talking about a data breach like the one that happened to Equifax, it matters. The breach, which lasted for 76 days, was caused by a certificate they had let expire 10 months prior! Although a warranty doesn’t cover user error, it’s nice to know you will be protected in other incidents.
4. Greater control, visibility, and functionality
Extended Validation certificates give organizations greater control and visibility into the certificates being issued for their domains. Specifically, this makes the purchase process and certificate management easier, while enhancing security.
On average, maintaining certificates for portfolios that have more than 50 domains amounts to an astonishing 250 hours per year! EV helps you save time and money.
5. Extended Validation certificates are sometimes required
There are many compliance laws and frameworks that require SSL, including GDPR, PCI, HIPAA, CCPA, FIPS, etc. Some of these (such as the European Banking Authority) mandate Extended Validation certificates for compliance. You can see why this would be a major concern for banks and financial institutions that handle people’s life savings through online banking. It’s one of the reasons why verified domain extensions like .bank exist today: to increase security for online users.
For this reason, we recommend EV SSL certificates for all industries and companies who operate at an enterprise level.