
EV certificates are dead

There, I said it: Extended Validation certificates are dead. Of course, you can still buy them (and some companies will be delighted to sell them to you!), but their benefits have now slid from "hardly any" to "nonexistent". Several factors have driven this, including the rise of mobile devices and the removal of the visual EV indicator from browsers, first in iOS (and also in macOS Mojave):



For the illustration I chose the Comodo website, because they are so desperate to sell EV that just a month ago they sent me a sales email headed "How to get the green address bar for your website." The email opens with an "alternative" version of the truth:


Indeed, that is how Firefox looks today, but the sales email entirely forgets to mention that this is an arbitrary visual indicator left to the discretion of browser developers. Apple has obviously already killed it, but even for many people on Chrome the Comodo website actually looks quite different (a Chrome experiment):



The email explains how EV fights phishing, and states the following:

Displaying a verified company name allows you to quickly identify the legal entity behind the website, which makes phishing and deception difficult.

In other words, seeing the company name leads to a higher level of trust, and if you invert the statement, not seeing the company name leads to lower trust, right? The problem is that people simply do not expect to see a company name, and there is a very simple, effective demonstration of why:


The ten largest sites in the world: no EV anywhere

Comodo goes on arguing for the effectiveness of EV, citing a "recent study":

"A recent DevOps.com study found that customers are 50% more likely to trust and buy on sites with a green address bar."

They link to a long page on ComodoStore, and although it is never stated explicitly, the wording implies that the research was somehow independent and impartial: "Devops.com surveyed" and similar phrases. I first raised this back in July, but this screenshot tells you everything you need to know about the motives behind the "survey":



I honestly tried to find out who commissioned this work, first writing to the author, Tony Bradley, and then, receiving no response, asking @TechSpective on Twitter, where he is editor-in-chief, and @devopsdotcom (who, incidentally, follow me), who published the survey:


In the end Tony Bradley confirmed what was already fairly obvious. He apologized for the late reply, as he rarely logs on to Twitter, and named the customer: Comodo CA.


I would like to see that disclosed in the report itself, because Comodo's involvement clearly introduces bias. It is as if an oil company commissioned a report concluding that fossil fuels do not harm the environment, or a tobacco company declared that smoking does not harm your health. If you still think DevOps.com really believes in the "benefit" of EV certificates, take a look at their own site:



This resource is mentioned repeatedly in the Comodo sales email, but let's move on. They go on to declare that you can "activate the green address bar" simply by purchasing an EV certificate:

"To activate the green address bar on your website, you just need to purchase and install the SSL Extended Validation (EV) certificate."

Except not in the world's most popular browser, on iOS:



And not in Chrome for Android, the most popular OS in the world:



Let's look at Microsoft Edge on iOS, with the same predictable result:



These are very, very important screenshots, and they undermine the value of EV for two key reasons. First, almost 2/3 of all page views in the world come from mobile devices, so the screenshots above show the prevailing view that a site owner should be thinking about. Second, as a consequence, companies cannot tell their customers to expect EV, because most of them will never see it. Despite this, Comodo claims that EV has the benefit of a "longer green security bar":

"The big green security bar is a very clear signal to the user that the site is safe."

Do you know what else is exactly such a signal? The green icon next to the URL in desktop Chrome! And if you are reading this and thinking "Wait, Chrome no longer does that," you are absolutely right. The icon is no longer highlighted and the word Secure is gone:



The change in Chrome 69 on September 4 affected not only DV sites but also EV sites:



The point I am trying to make is that visual indicators are entirely at the discretion of browser developers and change over time. So the phrase "How to get the green address bar on your site" is now even more wrong than when it was written! In fact, the only more or less accurate representation of EV in this email is the admission that you cannot get an EV wildcard certificate. But wait! There is a readily available solution, just a little more expensive, called a multi-domain certificate; the default option for Comodo's Enterprise SSL Pro with EV Multi-Domain really does save you $5,002.44*:



* Note: you need to spend $9,746.75 to get this saving

To be clear, this is not a four-year certificate. As the text below shows, the CA/B Forum rules limit the maximum validity of a certificate to two years, after which you have to manually repeat the verification and issuance process. But hey, that won't stop them selling four-year certificates!

And what if you do not renew the certificate? Well, you get this:



You might think, "Well, that's kind of obvious, and it's the same with DV," but there are nuances. First, forgetting to renew certificates happens with alarming regularity, and it happens to the big players. For example, Microsoft forgot to renew secure.microsoft.co.uk in 2001. Too long ago? They failed to renew a certificate for an Azure domain in 2013. And of course it is not only Microsoft that has such problems: HSBC forgot to renew a certificate in 2008, Instagram had the same disaster three years ago, and LinkedIn did it last year. There are many, many other examples, and they all drive home the same truism: if a task is important and repetitive, automate it!

Which brings me to the second point: certificate renewal should be automated, and that is something you simply cannot do when identity verification is required. With a DV certificate automation is simple; it is the cornerstone of Let's Encrypt and a really important attribute of that service. I recently spent some time with a development team at a large European bank, and they were seriously considering abandoning EV for exactly this reason. Actually, not only for this reason: there was also the risk that they might need a new certificate very quickly (for example, after a key compromise), which is much harder with EV than with DV. In addition, long-lived certificates actually create extra risk because revocation does not work in practice, so fast rotation (for example, Let's Encrypt certificates last 3 months) becomes an advantage. Certificates valid for two years are not an advantage, except from the point of view of making money on them...

(Paradoxically, the LinkedIn story linked above is on TheSSLStore.com, a certificate reseller. They understand the risks, but instead of offering automation as part of the renewal solution, they offer solutions that "scale to enterprise level" from certificate authorities such as Comodo, which, of course, pushes EV. There is no mention of Let's Encrypt, which is loudly criticized for issuing certificates to phishing sites (with the domain name properly verified), even though Comodo has issued just as many!)

The lack of wildcard support is one of the main technical reasons to avoid EV (the other reasons are basically just common sense), and filling in the subjectAltName field can hardly be called an adequate alternative. For example, we have a wildcard certificate on our Report URI site so that you can send reports to https://[my company name].report-uri.com, and we have hundreds of such subdomains. Comodo is happy to support this scale:



Apart from the fact that Scott Helme and I really do not have $808 thousand, this is also far from a real wildcard certificate, because at issuance you have to list every hostname instead of supporting them dynamically.

And the last point in the marketing email is the promise of a warranty:



It links directly to the page with the super-expensive multi-domain EV certificates and does not even try to explain what the warranty actually is, which is a bit odd. But it is entirely understandable, because nobody really knows what the warranty is or whether anyone has ever claimed on it. Seriously, this is not a flippant remark: Scott and I honestly tried to figure it out at the start of the year and simply could not get straight answers. When I did manage to get into a dialogue, I was accused of being "too much of a nerd":


Dialogue:
Andreas Mallek: Andy, these guys do not want to recognize their difference: they are too much of a nerd to understand that normal people have different needs than people in Nerdville. I'm going to leave Nerdville; I'll go back to dealing with the problems of my clients from the normal world. See you.
Troy Hunt: Andreas, I asked a very reasonable question, and it is important because the certificates are sold with a guarantee and I am trying to understand what that means. Real customers want to know what this guarantee covers and whether there are documented examples of its use. Do you know of any?

By all accounts this was a very unexpected answer, and not from just anyone but from the executive director of CertCentre, because he, of all people, should be the first to appreciate how important the warranty on a certificate is (assuming it really is important, of course). If you pay a company like this for a product with a stated set of features, then it is perfectly normal for a "nerd" to ask how those features work, and that should not earn ridicule from the guy running the company. Unfortunately, instead of answering the question, Andreas applied the tried and tested ostrich method:



What really raises questions is that the warranty is sold for money (you certainly do not get a warranty with a Let's Encrypt certificate), yet they are not prepared to explain exactly what you get for your money. CertCentre also actively promotes the warranty as a "top-level security feature":



But friends, if you cannot even spell the word Warranty correctly, what are the real chances you understand what it does?!

Another nail in EV's coffin is Scott's semi-annual Alexa Top 1M report from last month. It gives encouraging statistics on the migration of sites from HTTP to HTTPS:



HTTPS sites are already at 52%, which is very good for the web as a whole. But what interested me was this comment regarding EV:

"Despite the strong growth of HTTPS at the first million sites, there is no growth in the share of EV certificates."

In numbers: in February, 366,005 sites redirected HTTP requests to HTTPS and 19,802 of them used EV certificates, which is 5.41% of HTTPS sites. In August, 489,293 redirected to HTTPS, and 25,158 of them had EV certificates, which is 5.14%. In other words, the EV market share declined by about 5%.

(Note: 489,293 really is 52% of the million-site sample, because scanning failed for 47 thousand sites and they are excluded from the statistics.)

It turns out that many sites are actually giving up EV certificates. A month ago Scott published a detailed list of major sites that used to have EV: among them Shutterstock, Target, UPS and the British police. At about the same time I noticed that even Twitter had dropped EV.

The Twitter story is a bit strange, because you might or might not see the EV certificate on their website depending on your location. That also says something about the effectiveness of EV: if they are happy to remove it and add it back, then people are unlikely to behave differently and trust the site less without EV. Yet that is the very premise on which the EV mechanism is built!

The misinformation campaigns are not limited to Comodo and CertCentre; there are many others, for example:


Aside from the choice of historical browsers (how old is this image?!), the linked article makes the following statement:

"Web security experts recommend using the EV SSL certificate for platforms such as e-commerce, banks, social media, healthcare, government and insurance platforms."

I am not sure who the first few words refer to, but I do know that, apart from banks, this statement simply does not hold water for the other industries. It is easy to demonstrate how fundamentally wrong it is.

Here are the world's largest e-commerce sites. Click each one and see whether they have EV:

  1. Amazon
  2. Netflix
  3. ebay

You could argue that Alexa wrongly classified Netflix as an e-commerce site; fine, then look at the next most popular, walmart.com, and you get the same result. No EV anywhere.

Moving on. With social media, the same situation:

  1. Facebook
  2. Twitter
  3. LinkedIn

As discussed earlier, Twitter has a small identity crisis over whether it supports EV, so for accuracy check out the fourth largest website: Pinterest.

The most popular healthcare sites in the world, same story:

  1. National Institutes of Health
  2. WebMD
  3. Mayo Clinic

No EV. At all. Not a single one.

I could not find a clean list of the largest government websites, so I pulled the data from Scott's nightly crawl of the Alexa Top 1M and picked the largest sites in the .gov zone. The National Institutes of Health is the largest, but we have already looked at it, so we take the next three:

  1. Unique Identification Authority of India (which has other fundamental problems with its HTTPS support)
  2. Tax Inspectorate of India
  3. GOV.UK

By now you have probably realized that the chance of finding EV anywhere is minimal. You are right: not a single hit.

Finally, the top insurance sites:

  1. United Services Automobile Association
  2. Kaiser Permanente
  3. Geico

We found one! USAA really has an EV certificate! The other two don't, but that's at least something, right?

If "web security experts" recommend EV for these classes of sites, then these sites obviously are not listening to them. Such recommendations are therefore empty words.
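The "click each one and see whether it has EV" checks in the lists above, together with the earlier points about renewal, validity periods and wildcard support, can all be answered from the certificate itself. The following Go program is an added example, not part of the original article and not any CA's tooling: it looks for the CA/Browser Forum EV policy identifier 2.23.140.1.1 in the certificatePolicies extension, reports whether any subjectAltName is a wildcard, and computes the validity period and days to expiry against an assumed 30-day renewal lead. The `NewTestCert` helper, the "Example Corp" organization and the example.com hostnames are constructed so the block runs offline. Older EV certificates may carry only a CA-specific EV policy OID, which this check does not recognise.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// 2.5.29.32 is the certificatePolicies extension; 2.23.140.1.1 is the CA/Browser
// Forum policy identifier that marks a certificate as EV.
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
var oidEVPolicy = asn1.ObjectIdentifier{2, 23, 140, 1, 1}

// One entry of the certificatePolicies SEQUENCE. Real certificates may append
// policyQualifiers; encoding/asn1 tolerates those trailing elements.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// Report answers the questions the article has the reader check by hand.
type Report struct {
	Organization    string // subject O, the verified company name an EV cert shows
	IsEV            bool   // carries the EV policy OID
	HasWildcard     bool   // any SAN of the form *.example.com
	ValidityDays    int    // NotAfter - NotBefore
	DaysUntilExpiry int    // relative to the supplied "now"
	RenewalDue      bool   // DaysUntilExpiry <= leadDays
}

// Inspect examines a parsed leaf certificate as of now; leadDays is an assumed
// renewal policy (trigger renewal this many days before expiry).
func Inspect(cert *x509.Certificate, now time.Time, leadDays int) Report {
	r := Report{Organization: strings.Join(cert.Subject.Organization, ", ")}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var policies []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &policies); err != nil {
			continue // malformed extension: treat as not EV
		}
		for _, p := range policies {
			if p.Policy.Equal(oidEVPolicy) {
				r.IsEV = true
			}
		}
	}
	for _, name := range cert.DNSNames {
		if strings.HasPrefix(name, "*.") {
			r.HasWildcard = true
		}
	}
	r.ValidityDays = int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	r.DaysUntilExpiry = int(cert.NotAfter.Sub(now).Hours() / 24)
	r.RenewalDue = r.DaysUntilExpiry <= leadDays
	return r
}

// NewTestCert builds a constructed, self-signed certificate so the checks run
// offline. With ev set it carries the EV policy OID as a real EV certificate
// would; no CA has issued it.
func NewTestCert(org []string, dnsNames []string, notBefore time.Time, validity time.Duration, ev bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0], Organization: org},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
	}
	if ev {
		val, _ := asn1.Marshal([]policyInformation{{Policy: oidEVPolicy}}) // fixed OID, cannot fail
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2018, 10, 10, 0, 0, 0, 0, time.UTC) // roughly when the article was written
	// A two-year EV-style certificate 30 days from expiry, and a 90-day DV-style wildcard.
	ev, _ := NewTestCert([]string{"Example Corp"}, []string{"www.example.com"}, now.AddDate(-2, 0, 30), 730*24*time.Hour, true)
	dv, _ := NewTestCert(nil, []string{"*.example.com", "example.com"}, now.AddDate(0, 0, -10), 90*24*time.Hour, false)
	fmt.Printf("EV-style: %+v\nDV-style: %+v\n", Inspect(ev, now, 30), Inspect(dv, now, 30))
}
```

For a live site, `Inspect` can be run on `conn.ConnectionState().PeerCertificates[0]` after a `tls.Dial`; the test-certificate helper exists only so the example needs no network. Reading the extension by hand rather than through `x509.Certificate.PolicyIdentifiers` keeps the check independent of the Go version, since the policy fields of that struct have changed across releases.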

Another set of unsubstantiated claims about SSL is that EV "increases transaction conversion", "reduces shopping cart abandonment" and "protects against phishing attacks". It is easy to understand why they make such claims: the reason is visible in the buttons directly beneath the text:



So we are back to clear bias. But hey, they are just trying to run a business, so I understand the motives. You would still assume that, running such a business, they themselves would want to increase their own conversion, wouldn't you? Well, it's funny:



Even the EV seller itself is smart enough not to spend money on it! And remember, the "green address bar" itself has now completely disappeared thanks to the most popular browser in the world, which killed it in version 69.

Then there is the phishing argument. It is often claimed that EV somehow reduces phishing. That is exactly what this slide from an Entrust presentation earlier this year claims:



There is a whole bunch of falsehoods here, and for analysis the best thing to read is this thread by Ryan Sleevi, who picked apart the study on which the slide is based.

Ryan is a very smart cryptographer who works on Chromium, and he has an excellent ability to lay nonsense bare. In the end he summarizes the situation: "In general, this is a bad article. But even worse, they are trying to pass it off as a "data" study. At the same time, an erroneous methodology and a selective approach are used to support a business model that relies on users being fully responsible for detecting changes in the user interface."

So we are back to the fact that EV can only be effective if people change their behaviour in response to a change in the UI. In reality people do not know what to look for, and the change itself is gradually ceasing to exist, or is too subtle for people to notice. Remember the first screenshot in this article, where Safari no longer displays the registered company name from the EV certificate? Compare it with a screenshot of my blog, also open in Safari on iOS 12:



See the difference? The EV site's URL and the padlock next to it are now green, while the DV site's are black. So now, to set the right expectation for users, they need to be told to look for green URLs and a padlock... unless they use Chrome, which has removed all the green elements entirely! It is obvious how ridiculous it is to explain such browser nuances to users, especially given how quickly they change.

Returning to the About SSL site, there is a video in which the presenter explains the advantages of EV using the same arguments we have reviewed. It is about 6 minutes long, if you have the patience to watch:


We can skip straight to the interesting part, for example when the presenter (a Comodo product marketing manager) talks about how critical EV is for a financial transaction:

"At the most critical moment, when deciding whether to complete a transaction, this striking visual indicator (the green EV bar) with information confirming the company name, location and certificate authority gives the confidence needed to make the decision."

The claim is supported by a screenshot of the Excalibur Cutlery & Gifts website:



You can probably already guess what is coming... and you are right:



No EV. Not even a commercial DV certificate, but a perfectly normal free Let's Encrypt one. The video looks like it comes from an archaic era: it opens sites in IE8 on Windows XP... I cannot help feeling that the material is somewhat... dated. And so it turned out:



I would not judge a video from almost a decade ago by today's standards, but it makes the same claims that are still being made today. And of course the article with this video was linked from a tweet published just a month ago under the title "Important Guide to Extended Validation SSL Certificates", so everything is fair game.

This is not the first time Comodo has promoted EV using sites that do not have EV. Just recently someone showed me an email from Comodo reminding him to renew a domain:



Naturally he got curious about the Mostlydead.com site and wanted to see how the "20% increase in sales" (according to Ken Crease) was going. Well, you understand, because EV "increases consumer confidence". Apparently not any more:



The deeper you dig into the topic, the more convinced you become that EV... is almost dead. After all, this is not just a random site that moved from EV to DV. This is a site specifically chosen to demonstrate the value of EV! It was supposed to be the showcase for EV's value, and Comodo still advertises it to this day. Yet we see that Ken Crease clearly changed his mind about the effectiveness of EV (or maybe he never held that opinion).

The situation with EV is starting to look like this:



But we are not done yet: I want to mention one more site that used to have an EV certificate and has now gone back to DV. This is the site:


Translator's note: Troy Hunt himself launched the HIBP website with its database of stolen accounts.

I changed the certificate the day before yesterday, and so far nobody has even mentioned it. Nobody. Not a soul, and my audience is far better versed in such things than the average user. And there was certainly no shortage of people who could have noticed the change in that time:



Almost two years ago I wrote about my journey into the world of EV certificates. As with many of my articles, I was learning as I went; I wanted to go through the EV certification process myself (others had always done it before), and I wanted to see whether it really meant anything. At the time I honestly did not know, and I ended the article like this:

"All this stuff with EV certificates is hard to measure in terms of value. I have no idea how many more people will check their email address in the service, or how much more media coverage or donations it will receive. No idea at all."

Two years later I am quite convinced of the conclusion: there is no value. That does not mean there is a downside to having such a certificate, there are simply no upsides. As the renewal date (December 14) approached, I called and asked for it to be revoked early so that I could return to the free certificate issued by Cloudflare. There is absolutely no reason to pay for a renewal (I originally paid $472 for a two-year certificate), and there was no reason to wait for the expiry date except loss aversion, which makes about as much sense as EV certificates.

I have often wondered what the point is of paying for EV or DV certificates in an era of freely available certificates. I visit many companies around the world to discuss HTTPS, and when I try to probe this question I regularly hear the phrase "nobody ever got fired for buying IBM". I was looking for a good link to explain the meaning of this phrase, and found a great one in the Wikipedia definition of FUD:

"By spreading dubious information about the shortcomings of lesser-known products, an established company can prevent decision-makers from choosing those products instead of its own, regardless of their relative technical merit. This is a recognized phenomenon, embodied in the traditional axiom of purchasing agents that "nobody has ever been fired for buying IBM equipment". The result is that IT departments buy the technically inferior software because top management is more likely to recognize the brand."

In other words, people make uninformed decisions about what they consider "safe" because of marketing FUD. I suspect a similar mentality drives companies that put third-party "security seals" on their websites. They lack the knowledge and understanding to realise that the seals can actually increase their risk, but damn, they were advertised so well!

So yes, there is no more EV on HIBP, and nobody will miss it, which is entirely consistent with the experience of others who have given up Extended Validation certificates:


[Five tweets from people who dropped EV were quoted here; only fragments of their text survived extraction:]

« EV, TLS, , - ».

« EV @letsencrypt:
— ( , )
—
—
— — »

« , , . — ».

« , . Target $1000 . , . , 18 EV .org. ? Not! ».

« , : 1. wildcard . 2. , . 3. , - ».

This article turned out long, because every time I sat down to write, new evidence of the utter pointlessness of EV kept appearing. I started taking notes long before some of the events listed here, including before the release of Chrome 69 and the removal of the green address bar, which killed one of the main trump cards of EV marketing. EV is by no means the only technology to die a slow death of a thousand cuts. Once such certificates were a good product, but now the situation is entirely different and they are just a meaningless relic of a bygone era. Browser makers know it and are acting accordingly. It is only a matter of time until the last nail is hammered into EV's coffin:


Chrome Canary v70 is experimenting with removing EV SSL company names; I wonder whether it will make it into the final release?

When Chrome finally removes the visual EV indicator from the browser (just as it already has on mobile, and as Apple has in the Safari line), it will be a good thing and will really put an end to EV. Perhaps then the FUD will finally end.

I will leave you with one last little proof of the utter futility of EV: my talk in London earlier this year. This is the moment where I start talking about EV, and it is the interaction with the audience that matters here. Watch how the room, full of smart techies, responds when I ask what visual indicators they expect to see on popular sites. Enjoy!

Source: https://habr.com/ru/post/425261/

