Skip to content
Naked Security Naked Security

Chrome bumps ineffective EV certificates off the omnibar

Ever notice a missing company name next to the URL address bar? Ever change behavior because of it? Likely not, so bye-bye, useless badge.

Be strong, gentle reader, for change is coming: soon, the name Sophos will blink out and disappear from your Chrome omnibar, like so:

Just kidding! If you’re like many people, you have never, ever noticed that Sophos, and plenty of other brands, plunked down money to get its trusted name up there in that combined address/search bar, and there’s a very good chance that you haven’t changed your browsing behavior just because that name was missing.

According to research from Google’s Chrome Security UX team, you’ve gone right ahead and input your credit card or password even if that badge was missing. So just to keep things simple, and streamlined, and to save precious real estate in the omnibar that’s now being squatted on by names like Sophos, or, say, PayPal, Chrome is going to tuck that badge away under Page Info, which is accessed by clicking the lock icon (which is staying put).

This will happen starting in Chrome Version 77, released today.

Some background: that badge indicates that a company has ponied up for what’s known as an Extended Validation (EV) certificate, which can be displayed in Chrome, in Firefox or in other browsers. When you go to, you’ll see that “PayPal, Inc.” text displayed next to the lock, to the left of the site’s address in Chrome’s omnibox.

An EV certification is one of three types of Transport Layer Security (TLS) certificates: domain-validated, organization-validated and extended validation. The difference between them is that, from left to right, there’s more rigorous, and more expensive, checking to see that you are who the certificate says you are.

But in order for EV certificates to deliver that extra security, users have to actually recognize what the presence of the EV badge means, and therefore what the absence of the EV badge means …and then to actually change their behavior if the badge is missing.

But no, that’s not what happens. Google user testing says that users don’t make different decisions in the absence of an EV certificate.

As Google’s Devon O’Brien explained in a Chromium forum post on Sunday:

The Chrome Security UX team has determined that the EV UI does not protect users as intended.

Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.

The EV badge not only takes up valuable screen real estate, he said. Sometimes, it also prominently displays “actively confusing” company names. All of that gets in the way of Google’s push toward “neutral, rather than positive, display for secure connections,” O’Brien said.

In other words, this is another one of the small browser changes that’s going to re-frame security for users, similar to how Google has been re-framing HTTPS from exception to norm by switching its UI from saying HTTPS is “secure” to saying HTTP is “insecure”. With this move, it’s taking aim one level deeper, at the TLS certificates required for HTTPS to work.

Not that EV certificates are going away, mind you. They’re just being tucked down:

Because of these problems and its limited utility, we believe it belongs better in Page Info.

Ditto for Firefox. In its own “EV certs are dead” announcement, Mozilla said that starting in desktop Firefox 70, the EV badges will be moved from the identity block (the left-hand side of the URL bar that’s used to display security/privacy information). It will instead be adding additional EV information to the identity panel instead, “effectively reducing the exposure of EV information to users while keeping it easily accessible.”

Mozilla called out the same bad juju that Google did: the same lack of EV cert display effectiveness, as well as “proof of concepts [that] have been pitting EV against domains for phishing.”

This is a reference to work done by Ian Carroll, who spent $100 to register a colliding entity name and got an EV cert for it. Specifically, as Hunt explained, Carroll registered “Stripe Inc” in a different US state than that of the payment processor you’d normally associate the name with. For another $77 to get the EV cert, plus one hour, Carroll set himself up with a convincing company name on a valid, legally obtained EV cert from which to phish were he to be a crook.

Here’s Hunt:

The only proponents of EV seemed to be those selling it or those who didn’t understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place.


The comment about Apple removing their indicator for EV certs appears to be inaccurate or no longer valid. They are happily alive and well in both Safari 13 for macOS Catalina and iOS 13.1.


Good point…I removed that bit from the article for clarity.

Safari (on iOS or macOS) doesn’t show you the EV certificate owner’s name (which is I think the point Troy Hunt was making) but it does still give you a green or a grey padlock to tell you what sort of certificate you are looking at. On macOS you can click the lock for further details, on iOS you can’t get anything about the cert up on the screen. Or if you can, I haven’t figured out how to do it even after faffing around for some time trying to find a tap or option to do so. Does Safari 13 actually show the certificate owner’s *name*, as it once did, or just denote the class of certificate via green/grey colouring?


They go green. The display of the owning organisation’s name was a difficulty because it might not match the brand consumers expected. I personally never had any interest in that. The change to green was far more important and how the feature started out in its early life. When they changed it to display just the company name, I didn’t like that. I want to see the address I’m on.

People still fall for Facebook and Twitter accounts that don’t have the verified symbol. I’ve done it myself, despite knowing better. It’s still better that extra authentication steps were taken. Many things can be abused but not necessarily over the long term.

Until the industry actually starts to withdraw them, I can’t take this seriously. I do not use Google as my yard stick.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!