Since the CA/Browser forum officially ratified the first version of Extended Validation (EV) SSL Guidelines in 2007, EV certificates have been of great benefit to e-stores, financial institutions, enterprises, and even smaller companies. The EV indicator (green address bar) was specifically designed next to the URL to highlight the official company’s name. The CAs thought it would offer the highest level of assurance to visitors.
Fast forward a decade, and the leading browsers began to question the address bar’s efficiency in conveying information about a website’s security and authenticity. According to Google’s research, and a survey of prior academic work, the EV UI does not protect users’ as intended.
Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI.’’ Google said.
Both Google and Mozilla removed the EV indicator in Chrome 77 and Firefox 70. However, this move didn’t spell the end for EV certificates. You can still access the additional EV information by clicking the padlock icon.
“We will add additional EV information to the identity panel instead, effectively reducing the exposure of EV information to users while keeping it easily accessible,” Johann Hofmann of Mozilla said.
With over 95% of the traffic across Google encrypted, the HTTPS protocol has become the new standard. To emphasize the importance of encryption, browsers used colorful padlocks and address bars. Now, when we’re fast approaching the 100% figure, the tendency is towards a more neutral approach.
Chrome’s padlock is not even green but gray, in line with the URL text color. Google’s end-goal is to remove the padlock altogether and issue a security warning for unencrypted websites.
What’s next for Extended Validation certificates?
The relegation of EV information from the address bar to the certificate’s panel doesn’t impact the overall benefits of EV SSL. E-commerce platforms and organizations still need to verify their legal identity and attain the highest level of customer trust.
As these case studies show, EV certificates are much more than just the visible address bar, and there are more reasons why companies pay a premium price to pass Extended Validation. EV SSL improves conversion rates, and on top of that, protects websites from phishing attacks.
In the end, it doesn’t matter whether the company’s official name is in the address bar or the info panel. What’s imperative is the thorough validation process. To issue an extended validation certificate, a CA requires verification of the requesting entity’s identity and its operational status with its control over the domain name and hosting server. To the customers, whether they’re aware of it or not, it’s a safe way to share their sensitive credentials.