Regular readers will know my view on EV certificates but in the last week there have been 2 very significant announcements from the 2 largest browser vendors in the world. There's a big change coming to a browser UI near you and as big as the change is, my bet is that it will have almost no impact.
Both Google Chrome and Mozilla Firefox have announced that they plan to move the EV indicator out of their main UI. The EV info will still be available but in both browsers, users will have to expand the information window by clicking on the lock icon in order to see it. Here is how that will look in Chrome and Firefox respectively.
Evolving browser UI
This change really shouldn't come as any surprise to technical users of the Web. Browser vendors have been moving away from positive UI with green highlights and lock icons, towards a more neutral UI that expects security by default, for quite some time. I wrote about some of those changes in Chrome to the future back in July 2018.
Moving the EV indicator is a natural progression of the simplification of the browser UI and removing positive indicators.
I can't help but feel that CAs have long been responsible for contributing to the demise of EV certificates, with constant marketing that overstates their effectiveness and little to no evidence provided of their efficacy. I did a quick whip around a few of the larger EV CA sales pages to show you the kind of thing I mean...
Proven to improve website performance huh? Where's the link to the proof? A whitepaper? Some stats somewhere? Hello?...
I could honestly go on and on like this for hours. There is so much nonsense out there involved in the marketing of EV certs from CAs and I'm yet to read a single piece of compelling research that backs up these wild claims.
Further reading and thoughts
If you're interested in more of my views then there are a few blog posts you can read on this and related topics:
Are EV certificates worth the paper they're written on? The title of this post is fairly self-explanatory but I go into more of the problems with EV.
Do SSL warranties protect you? As much as rocks keep tigers away... Another closely related piece of FUD with EV certs is certificate warranties. Generally speaking an EV cert will come with a higher warranty and that's often pointed out.
Go back in history and look at the cost of certificates over time: the price has only ever been going in one direction. Looking at my own data we can also see that whilst more and more sites are deploying encryption, fewer and fewer of them are choosing EV certs to do it. Whilst Let's Encrypt may have accelerated the reduction in cost of DV certs to $0, it's certainly a trend that was present before they existed (here's a blog post of mine from 2015 when I was using free certificates from another CA called StartCom - Guidance on setting up HPKP). The certificate ecosystem is evolving, browser UI is evolving and most CAs don't seem to be evolving with us.