Mastodon

Extended Validation Certificates are Dead

18 September 2018

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS (it'll also be gone in Mac OS Mojave when it lands next week):

Comodo With No EV Display in iOS12

I chose Comodo's website to illustrate this change as I was reminded of the desperation involved in selling EV just last month when they sent around a marketing email with the title "How To Get The Green Address Bar On Your Website". The "alternate truth" of what EV does comes through very early on, starting with this image:

Comodo in Firefox

This is indeed what Firefox looks like today, but they entirely neglect to mention anywhere within the marketing email that this is an arbitrary visual indicator chosen at the discretion of the browser vendor. Obviously Apple have already killed it off, but even for many people on Chrome, the Comodo website actually looks very different:

The email goes on to talk about how EV fights deceptive websites and claims the following:

The verified company name display allows the user to quickly determine the legal entity behind the website, making phishing and deception harder.

In other words, seeing the company name results in higher levels of trust or if we invert that statement, not seeing the company name results in decreased trust, right? The problem is, people simply aren't conditioned to expect to see the company name and there's very simple, effective demonstration of why this is the case:

Comodo goes on with an attempt to establish the efficacy of EV by referring to "a recent study":

A recent survey by DevOps.com found that customers are 50% more likely to trust and purchase from a website with a green address bar.

They link through to a lengthy page on the Comodo store and whilst never explicitly saying it, use language that implies the study was somehow independent and unbiased: "Devops.com conducted a survey", and other such phrases. I shared a tweet thread about this back in July, but this one tweet tells you all you need to know about the motives of the "survey":

I did honestly try to get clarity on the source of this work as well, first by tweeting the author of it then, after not receiving a reply, following up with him again and copying @TechSpective for whom he's the editor in chief along with @devopsdotcom (which follows me) who published the survey:

Eventually, what was already abundantly clear was confirmed:

I wish this was made clear in the report itself because Comodo's vested interest is clearly going to introduce bias. It'd be like an oil company commissioning a report that concludes fossil fuels aren't harmful to the environment or a tobacco company stating smoking doesn't lead to adverse health outcomes. If you ever had any doubt about whether DevOps.com actually believes in the "findings", take a look at how much confidence they themselves have in EV certificates and who they chose to go to when acquiring a cert:

Devops.com with DV cert

This resource is mentioned again throughout the Comodo email but we'll skip that for now. Moving on, they then state that you can "activate the green address bar" simply by purchasing an EV cert:

To activate the green address bar on your website, you just need to purchase and install an Extended Validation (EV) SSL certificate.

Unless you're using the world's most popular browser running on an iOS device:

Comodo in Safari on iOS

Same again if you load the site up in Chrome on an Android, the world's most popular operating system:

Comodo in Safari on Android

Even try going to Microsoft Edge on iOS and it's a now predictable result:

Microsoft Edge on iOS

These are really, really important images as far as the value proposition of EV goes for two key reasons: Firstly, we're approaching two thirds of all browsing being done on mobile which means that those images above - the ones that don't show EV - are the predominant browsing experience any website owner should be considering. Secondly, as a result, this means that companies cannot tell their customers to expect EV because most of them will never see it. Despite this, Comodo suggests there's value in EV because of the "bigger security display":

The larger security indicator makes it very clear to the user that the website is secure.

You know what makes people think the website is "secure"? When the website says "secure" just as it does next to the URL in the browser right now if you're reading this in Chrome on the desktop! Paradoxically, you only get the "secure" indicator when not using an EV cert and one could quite reasonably argue that this actually creates a greater sense of confidence by literally using the word "secure". And in case you're reading this and thinking "hang on, Chrome doesn't do that anymore", you're completely right:

troyhunt.com not green in Chrome-69

I wrote the first part of that paragraph before Chrome 69 hit on September 4 and removed both the "Secure" text and the green indicators. That's not just a DV change either, sites with EV now also look rather different:

Comodo not green in Chrome-69

The point I'm trying to highlight here is both the fact that visual indicators are entirely at the discretion of the client and that they change over time. As such, the title "How To Get The Green Address Bar On Your Website" is now even more incorrect than it was when it was written! In fact, the only piece of the email that even came close to accurately representing EV was the admission that you can't get an EV wildcard cert. But wait! There's a solution and it's easily available just by spending more money, it's called a multi-domain certificate and the default option when looking at Comodo's Enterprise SSL Pro with EV Multi-Domain product will actually save you $5,002.44*:

Comodo Enterprise SSL Pro with EV Multi-Domain

* Note: You must spend $9,746.75 before the saving is realised

To be clear, this isn't a 4-year certificate either; as the text at the bottom of the image points out, the CA/B Forum guidelines limit certificate validity to 2 years and after that you need to manually go back through the entire verification and issuance process again. But hey, let's not allow that to get in the way of selling 4 year's worth of certs!

And what if you don't renew the cert then? Well, you get a great big pile of this:

Expired Cert

Now, you may be thinking "well that's kinda obvious and the same holds true whether it's EV or DV", but it's more nuanced than that. Firstly, neglecting to renew a cert happens with alarming regularity and it happens to the big guys too. For example, Microsoft failed to renew secure.microsoft.co.uk back in 2001. Too long ago? They also failed to renew an Azure one in 2013 and just to be clear about it certainly not being a Microsoft thing, HSBC forgot one in 2008, Instagram forgot one in 2015 and LinkedIn forgot one last year. There are many, many more examples and they all adhere to the same underlying truth; if something is important and repetitive, automate it!

Which brings me to the second point: certificate renewal should be automated and that's something that you simply can't do once identity verification is required. DV is easy and indeed automation is a cornerstone of Let's Encrypt which is a really important attribute of it. I recently spent some time with the development team in a major European bank and they were seriously considering ditching EV for precisely this reason. Actually, it was more than that reason alone, it was also the risk presented if they needed to quickly get themselves a new cert (i.e. due to key compromise) as the hurdles you have jump over are so much higher for EV than they are DV. Plus, long-lived certs actually create other risks due to the fact that revocation is broken so iterating quickly (for example, Let's Encrypt certs last for 3 months) is a virtue. Certs lasting for 2 years is not a virtue, unless you're coming from the perspective of being able to cash in on them...

(Paradoxically, the LinkedIn story I linked to above is on TheSSLStore.com which is a certificate reseller. You can probably see where this is going, but rather than suggesting that automation is a key part of the solution to cert renewal, they instead suggest solutions "that scale to Enterprise level" from CAs such as Comodo who, of course, are pushing EV. No mention of Let's Encrypt, but then this is also the company that's been vocally critical of them for issuing certs to phishing sites (that do correctly validate domain ownership) whilst neglecting to mention that Comodo was issuing just as many at that time!)

A lack of wildcard support is one of the big technical reasons EV is avoided (the other reasons are mostly just common-sense ones), and loading up subject alternate names is a barely sufficient alternative. For example, we use a wildcard cert for Report URI so that you can send reports to https://[my company name].report-uri.com and we've got hundreds of those. Comodo will happily support that scale too:

$808,447.25 for a Comodo EV cert

Other than the fact that Scott Helme and I aren't really in a position to shell out $808k, this is also a far cry from what a genuine wildcard cert does as you need to specify all host names at the time of issuance as opposed to being able to dynamically serve them up.

The final point of note on the marketing email is the promise of a warranty:

Comodo Warranty

That actually links straight back to the page with the super pricey multi-domain EV certs and doesn't even attempt explain what the warranty is, which is a bit odd. But it's also consistent because nobody actually knows what the warranty is and if anyone has ever claimed it. Seriously - that's not intended to be a flippant statement, Scott and I genuinely tried to get to the bottom of that earlier this year and we simply couldn't get straight answers. When we did manage to engage in dialogue, I was accused of being in "nerdville":

This was admittedly a very surprising response from someone that holds a position as the CEO at CertCentre because one would imagine that he, of all people, would want to espouse the virtues of cert warranties (assuming there actually are any, of course). If you're paying a company like CertCentre money for a product with a stated set of features, being a "nerd" by asking how those features work seems perfectly reasonable and not something that should result in ridicule from the bloke running the place. Unfortunately, rather than answering the question, Andreas decided it was easier to take the tried and tested ostrich approach:

You are blocked from following @amallek and viewing @amallek's Tweets.

The thing I have a real issue with here is that there's a financial incentive to promote the warranty (you certainly don't get a warranty with a Let's Encrypt certificate), but no willingness to explain what you get for your money. CertCentre actively lists warranties as a "Top Security Feature" too:

Warrenty

But hey, if you can't even spell warranty, what are the chances of actually understanding what it does?!

Driving the nail even further into the EV coffin is Scott's 6-monthly Alexa Top 1M report from last month. In here he shared a very encouraging stat which is the growth in sites redirecting from HTTP to HTTPS:

https-percent

It's now 52% which is enormously positive for the web in general. But it was this comment about EV which piqued my curiosity:

Despite seeing strong growth in HTTPS across the top 1 million sites, EV certificates have not seen much of that growth at all.

Let's put it in raw numbers: in Feb there were 366,005 sites redirecting from HTTP to HTTPS and 19,802 of them used EV certs so call it 5.41% of all HTTPS sites using EV. Fast forward to August and there were 489,293 sites redirecting to HTTPS with 25,158 serving up EV certs which equates to 5.14%. In other words, the EV market share declined by about 5%. As a proportion of all sites using certificates, EV is far from growing, it's actually going backwards.

(Incidentally, in case you're looking at the 489k figure above and thinking "that's actually less than half of 1M", Scott's scan failed on about 47k websites so they're excluded from the stats.)

As it turns out, many sites are actually removing EV certs. Last month Scott detailed a number of major sites that used to have EV and they spanned everything from Shutterstock to Target to UPS to Visa to the UK police. Around the same time, I noticed that even Twitter had killed their EV cert:

Twitter has been a bit of an odd duck for a while as far as EV goes; back in the earlier tweet showing the world's largest websites don't have EV, there were a bunch of replies from people saying it does have EV. We later discovered that depending on where you are in the world, you may or may not see EV on Twitter. For example:

Twitter with no EV

Certainly, as of today, EV is not being served up when I connect from Australia so for whatever reason, Twitter don't see it as important enough to show consistently and will switch in and out of EV as you move across the globe. That also says something significant about the effectiveness of EV: if they're willing to constantly add and remove it depending on where you are, do you think people are behaving differently and no longer trusting the site when they don't see EV? No, of course not, but that's the foundation that the mechanics of EV is built on!

I don't just want to focus on Comodo and CertCentre though because disinformation campaigns go well beyond those 2, for example:

Moving past the choice of historic browsers used in the illustration (just how old is that image?!), the piece that tweet links to makes the following claim:

Web security experts recommend adopting EV SSL Certificate for platforms such as E-commerce, Banking, Social Media, Health Care, Governmental and Insurance platforms.

Now I'm not sure who they're referring to in those first few words, but I do know that with the exception of banking, that statement simply doesn't hold water for the remaining industry sectors. It only takes a few minutes to demonstrate how fundamentally wrong this is so let's do it now:

Here's the world's top shopping sites, click through to see if any of them are on EV:

  1. Amazon
  2. Netflix
  3. eBay

You might argue that Alexa has miscategorised Netflix as "shopping" so just for good measure, try the next largest which is walmart.com and, well, it's the same result. No EV. Anywhere.

Moving on and social media is the same deal:

  1. Facebook
  2. Twitter
  3. LinkedIn

As discussed earlier, Twitter has a bit of an identity crisis in terms of whether it's in or out on the EV front so give the 4th largest a go if in doubt which is Pinterest.

Onto the world's most popular health sites and it's more of the same:

  1. National Institute of Health
  2. WebMD
  3. Mayo Clinic

No EV. Nada. Zip. Not a single one.

I couldn't find one clear listing of global government websites so I pulled the data from Scott's nightly Alexa Top 1M crawl and grabbed the biggest .gov ones. The NIH was the largest but we've already covered that so let's take the next 3:

  1. Unique Identification Authority of India (which has other fundamentally basic HTTPS problems)
  2. Indian Income Tax Department
  3. GOV.UK

By now you'll already realise the chances of EV being anywhere aren't real good. You're right - not a single EV cert to be seen.

Last up is the top insurance sites:

  1. United Services Automobile Association
  2. Kaiser Permanente
  3. Geico

We got one! The USAA actually does have an EV cert! The other two don't but hey, at least that's something, right?

If "web security experts" are recommending EV for sites of these classes then clearly those responsible for actually making the decisions aren't listening. Except that nobody who's actually thought through the logic of EV properly is actually making these recommendations anyway so perhaps there's just a bit of poetic licence there in the copy.

Another set of unsubstantiated claims made by About SSL is that EV "increases transaction conversion rates", "lowers shopping cart abandonment" and "protects from phishing attacks". You can understand why they're making these claims and there's a pretty clear call to action immediately under the list of conveniently bold green selling points of EV:

Buy Now

So we're back to there being a clear bias again. But hey, they're just out there trying to run a business so I get the motives. One would also assume that in running this business where you can purchase items online they'd like to increase their transaction conversion rates and lower shopping cart abandonment, right? Well there's a funny thing about that:

No EV on About SSL

Even the company selling EV is smart enough to know it's not worth actually paying money for! Plus, of course, the whole "green address bar" thing is now completely defunct courtesy of the world's most popular browser killing it in version 69.

But then there's the phishing situation and indeed this is often touted as being a strength of EV in that it somehow reduces it. In fact, this (much maligned) slide by Entrust from earlier this year makes precisely that point:

There's a whole pile of things wrong here and the best way to understand precisely what is to read through this thread from Ryan Sleevi who analysed the paper the claims were based on:

Ryan is a super smart crypto guy working on Chromium and has a very articulate way of tearing bullshit arguments to shreds. Towards the end of the thread he summarises the problem:

And we're back to EV only being effective if people behave differently due to a UI change they don't know to look for and increasingly, doesn't even exist anymore. Either that or it's changed in nuanced ways people don't expect to look for; remember the first image in the blog post showing Comodo in Safari no longer displaying the registered business name in their EV cert? Take a look at it next to this blog, also loaded in Safari on iOS 12:

EV in Green

See the difference? The URL of the EV site and the padlock next to it are now in green whereas the DV site is in black. So now if you want to set an EV expectation you have to tell customers to look for the green URL and padlock... unless they're on Chrome which has now removed all the green bits! You can see how ridiculous this whole premise of telling normal everyday folks what nuances to look for in the browser is, especially with the rate at which they're changing.

Back on the About SSL site, there's an embedded video which espouses the virtues of EV along the same sorts of lines we've seen already. It's about 6 minutes long if you've got the patience to view it:

Or we can just skip to the good bits, such as when the presenter (and Comodo Product Marketing Manager) talks about the criticality of EV during a financial transaction:

Right at the moment of truth, when they're weighing whether or not to go forward with a transaction, this striking visual indicator (the green EV bar) accompanied by information certifying their business name, location and certification authority that validated it is presented providing needed reassurance to continue

Backing up her position is a screen cap of the Excalibur Cutlery & Gifts website:

Excalibur on EV

You can probably sense where this is going by now... and you're right:

Excalibur on DV

No EV. No commercial DV either but instead a perfectly good free Let's Encrypt cert. It's like the video was a remnant of a bygone era and as it progressed and showed websites running in IE8 on Windows XP I couldn't help but feel the information was somewhat... dated. Which turned out to be a fair assumption:

Comodo 2009

Now I wouldn't normally hold a video of almost a decade ago against today's standards were it not for the fact that the views expressed there are consistent with those expressed today. Plus, of course, the video was linked to from a tweet only last month under the guise of "An essential guide about an Extended Validation SSL Certificate" so it's fair game in this case.

Comodo using sites to promote EV that don't use EV seems to be a bit of a pattern. Just this month, someone forwarded me on a domain renewal email they got from Comodo that looks like this:

mostlydead.com on DV

Naturally, he was curious about Mostlydead.com and headed over to take a look at how well that "20% increase in sales was going". You know, because of how much EV "creates consumer confidence". Apparently, not so much anymore:

mostlydead.com with Let's Encrypt

The more you delve into it, the more you can't help but conclude that EV is... mostly dead (we're beginning to see a pattern here). The thing is, this isn't just some random site that went from EV to DV, it's one that Comodo specifically chose to show the value of EV! This is meant to be a poster child site for the value proposition of extended validation and it's one Comodo still promotes to this very day. Yet, here we are, with Ken Kriz obviously having a change of heart on the efficacy of EV (or possibly never having really been endorsed in it in the first place).

Right about now, the whole EV thing may be starting to feel a bit like this:

He's Already Dead

But we're not done yet, there's more and that brings me to another site which used to have EV and has now gone back to DV. It's this site:

HIBP with no EV

I changed that cert just over one day ago and so far, nobody has even mentioned it. Nobody. Not a single person and I've got an audience that's far more aware of this sort of thing than your average person. There's certainly been no shortage of people that could have noticed it over that period too:

230k Unique Visitors to HIBP

Nearly 2 years ago now, I wrote about my journey to an EV cert. Like many of the posts I write, this one was as much for my own education as it was for yours; I wanted to go through the EV process myself (it had always been done by other teams in my previous roles), and frankly, I wanted to see if it actually provided any value. I honestly didn't know at the time and I summarised the post as follows:

This whole EV cert thing is hard to measure in terms of value; I have no idea how many more people will put their email address into HIBP or how much more media or good will or donations it will get. No idea at all.

A couple of years on, I'm pretty convinced of the value: there isn't any. Now that's not to say there was a downside to having the cert in place as I became increasingly disillusioned with the whole premise of EV, but rather there's also no upside. As the renewal date approached (it was 14 December), I made the call to proactively kill the cert and roll over to a free one issued by Cloudflare. There was absolutely no reason at all to pay the renewal fee (I'd previously paid $472 for a 2 year cert) and there was also no reason to wait to roll over to DV short of loss aversion which makes about as much sense as, well, EV certs.

I've often pondered the rationale of paying for EV certs and indeed paying for certs at all in an era of freely available ones. I spend a lot of time in companies around the world talking about HTTPS and when I probe on the decision-making process for certs, the phrase "nobody ever got fired for buying IBM" regularly comes up. I wanted to find a good reference to explain the intention of this phrase and I found an excellent one on Wikipedia's definition of FUD:

By spreading questionable information about the drawbacks of less well known products, an established company can discourage decision-makers from choosing those products over its own, regardless of the relative technical merits. This is a recognized phenomenon, epitomized by the traditional axiom of purchasing agents that "nobody ever got fired for buying IBM equipment". The aim is to have IT departments buy software they know to be technically inferior because upper management is more likely to recognize the brand.

In other words, people are making uninformed decisions on what they think is a "safe bet" due to the marketing FUD. I suspect it's a similar mentality to companies placing third party security seals on their websites; they lack the sophistication to realise they can actually increase risk but hey, they were marketed well!

So that's it - EV is now gone from HIBP and nobody will miss it which would be entirely consistent with the experiences of others who've dropped it:

This turned out to be a long blog post because every time I sat down to write, more and more evidence on the absolute pointlessness of EV presented itself. I started jotting notes down well before some of the events listed above, not least of which was Chrome 69 and the removal of the green address bar which killed one of the big EV marketing headlines. It's hard to conclude anything other than EV has gradually suffered death by a thousand cuts; it was something that could be sold at a point in time in the past when the landscape was very different but today, it's just become a pointless relic of a bygone era. Browser vendors know this and are acting accordingly and it's only a matter of time before the final nail is in the coffin:

That tweet was obviously from before I removed EV from HIBP and it's a glimpse into the future. When Chrome does finally remove the EV visual indicator from the browser (just as they've already done on mobile devices and as Apple has done across the Safari line), that'll well and truly be the end of EV. Perhaps then, the FUD will finally end.

I'll leave you with one final piece that explains the absolute futility of EV and it's a talk I did in London earlier this year. It's embedded at the point where I begin talking about EV and it's the audience interaction here that really makes it. Have a look at how a room full of smart technical people responds when I ask about what visual indicators they expect to see on popular websites. Enjoy!

Security SSL
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Troy Hunt

Hi, I'm Troy Hunt, I write this blog, run "Have I Been Pwned" and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Upcoming Events

I often run private workshops around these, here's upcoming events I'll be at:

Must Read

Don't have Pluralsight already? How about a 10 day free trial? That'll get you access to thousands of courses amongst which are dozens of my own including:

  1. OWASP Top 10 Web Application Security Risks for ASP.NET
  2. What Every Developer Must Know About HTTPS
  3. Hack Yourself First: How to go on the Cyber-Offense
  4. The Information Security Big Picture
  5. Ethical Hacking: Social Engineering
  6. Modernizing Your Websites with Azure Platform as a Service
  7. Introduction to Browser Security Headers
  8. Ethical Hacking: SQL Injection
  9. Web Security and the OWASP Top 10: The Big Picture
  10. Ethical Hacking: Hacking Web Applications