
Google seems intent on creating a more confusing UX in regards to EV certs as EV looks more similar to Non Secure than secure sites in Chrome 69.

For now this has given me the impetus to ditch Chrome. All of the other major desktop browsers still provide useful UI for EV certs. I’m less inclined to deal with finances on mobile through a website anyway, as every financial org I’ve had to deal with has an app, and Apple ends up being the gatekeeper in that realm.

Hopefully there will be some sort of push for useful additions to certificate security coming out of Google, as right now they seem more determined to just be undermining things.



That is an interesting way to describe the most effective mover in all of TLS security. No company has done more to improve it. We owe these to Google, in at least a substantial way, if not always entirely:

* The dis-trusting of basically every skeezy dis-trusted CA.

* The adoption of TLS 1.3.

* Certificate pinning.

* HSTS preloading.

* The modernization of OpenSSL.

* The Heartbleed attack that prompted the modernization of OpenSSL.

* Certificate transparency.

I'm rattling these off my head and certainly forgetting something. Obviously, if you broaden the question to everything relevant to browser security, the list gets much longer.


I'm definitely not giving you "dis-trusting of basically every skeezy dis-trusted CA" for Google.

All the heavy lifting continues to be done by m.d.s.policy, which is Mozilla's, not Google's if it's anybody's. I used to want to believe that the (behind closed doors) other root programmes also had their own effective mechanisms. A few years of working with m.d.s.policy and watching absolutely nothing else making any difference disabused me of this notion. It gets done in public or it doesn't get done at all, and m.d.s.policy is where it gets done in public.

Does Google have (mostly in the form of Ryan Sleevi who is a Google employee) a contribution to m.d.s.policy? Sure they do. But there are quietly also people from Microsoft and others paying attention, it's just that Ryan is much noisier, for good or bad.

If I was going to single out a _person_ for this work it would be the late Gervase Markham, who was a Mozilla employee. The big list of problems at StartCom is Gerv's list, for example. I think even the idea to go after auditors not just CAs was Gerv's idea.


I'm really not interested in whatever weird personal problems you might have with Ryan Sleevi, sorry.


Your list seems focused on behind-the-scenes TLS implementation details. I have no doubt Google has contributed positively in that regard.

Personally, I've found their handling of the Symantec root distrust mediocre (from the perspective of an affected site owner). However, the biggest issue is the changes to the display of certificate info in Chrome 69. To present a certificate with an authenticated legal entity the same as an insecure site indicates we have different priorities, and they no longer align.


That isn't true. Unencrypted sites show up as "Not Secure" which is different from how encrypted sites show up.


Both EV certs and non secure sites show up as:

[icon] Grey Text | example.com

Secure, non-EV sites show up as:

[icon] example.com


No, non-TLS sites show up with a "Non-Secure" label next to the hostname, like the parent commenter said.


Please re-read my comment. The issue is that non-TLS and EV cert TLS sites are presented with exactly the same visual presentation. Low-contrast gray icon, low-contrast gray text, vertical bar, domain name.


If I'm reading you correctly, your actual point of contention is “nonidentical icon/text without a much larger color/layout difference looks sufficiently similar in overall appearance as to be essentially identical for the purpose of conditioning users who aren't intentionally looking”. Except you've decided to incorporate this assumption into the definition of “same visual presentation” and frame it as implicitly true in such a way that anyone who might not agree with it is assumed to have misunderstood you. Charitably assuming that this wasn't deliberate, there's a lot more inferential distance here than you think.

I actually suspect you're mostly right (the EV color is green, not gray, in the Chromium I'm using, but I can imagine this not being easily visible under many conditions), but the way you've decided to talk about this has made me very hesitant to openly agree with you. But for those whose answers are meant as “it says ‘Not Secure’, therefore it's adequately different”, I might be skeptical on the grounds of “having the user know that requires clearing a higher attention bar first”, aka “users don't read”.


> If I'm reading you correctly, your actual point of contention is “nonidentical icon/text without a much larger color/layout difference looks sufficiently similar in overall appearance as to be essentially identical for the purpose of conditioning users who aren't intentionally looking”.

Yes, the decision seems to be intentionally making them confusing. That or else I can only assume they didn't really think through the design decision much.

However, my understanding is that Google is intending the EV company info to be removed from the address bar altogether in a future release. Both of these decisions seem to be poor choices, in my opinion, and I think it is a loss of useful information.

By contrast, Safari 12 no longer displays the EV company name in the address bar; however, EV certs result in the lock and domain name being green, and if you click on it, you get a nice popup explaining what legal entity the certificate is issued to. In Chrome, to get that information you have to dig a few levels deep, expanding a tree control and understanding X.509 certificate fields.

Based on the changes that are being made in Chrome, it seems they want it to be difficult to learn what information is contained within the cert. But then the rationale is that no one understands what EV certificates mean. If there was an honest effort in helping users understand security, I would think their experiments would involve making it easier to find certificate details and understand them, not removing them and making them similar to non-secure sites. This is why I said in my original comment "Hopefully there will be some sort of push for useful additions to certificate security coming out of Google, as right now they seem more determined to just be undermining things."

It isn't too far a stretch to think that the lack of effort in improving the display of certificate information and trying to downplay URLs is because Google wants more users to become more dependent on them as the way to find and authenticate web sites.
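The "understand X.509 certificate fields" step above is concrete enough to show. The following is an added example, not code from the thread or from any browser vendor: a minimal DER walker for an X.509 Subject Name that maps the attribute OIDs the CA/Browser Forum EV Guidelines require (organizationName, businessCategory, serialNumber, the jurisdictionOfIncorporation fields) to readable names, so you can see what an EV subject carries that a DV subject does not. The two sample subjects, including "Example Corp" and every value in them, are constructed here; the parser itself works on a real Subject Name extracted from a certificate (the SEQUENCE under `subject`).

```python
"""Decode an X.509 Subject Name (DER) and list the identity attributes EV certificates carry.

Added example. The sample subjects below are constructed, not taken from any real certificate.
"""

# Attribute OIDs: the usual DV field plus the ones the EV Guidelines require in the Subject.
ATTR_NAMES = {
    "2.5.4.3": "commonName",
    "2.5.4.5": "serialNumber",                     # EV: company registration number
    "2.5.4.6": "countryName",
    "2.5.4.7": "localityName",
    "2.5.4.8": "stateOrProvinceName",
    "2.5.4.10": "organizationName",                # EV: the verified legal entity
    "2.5.4.15": "businessCategory",                # EV: e.g. "Private Organization"
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionLocalityName",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
}
EV_REQUIRED = {"organizationName", "businessCategory", "jurisdictionCountryName", "serialNumber"}

# --- minimal DER helpers: a Name is SEQUENCE OF SET OF SEQUENCE { OID, string } ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_name(attrs):
    """attrs: list of (dotted_oid, text); one attribute per RDN, UTF8String values."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, encode_oid(oid) + _tlv(0x0C, text.encode("utf-8"))))
                    for oid, text in attrs)
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _decode_string(tag, body):
    if tag == 0x1E:                       # BMPString
        return body.decode("utf-16-be")
    return body.decode("utf-8")           # PrintableString / IA5String / UTF8String

def parse_name(der):
    """Return {attribute name or dotted OID: value} for a DER-encoded X.509 Name."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = {}, 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        assert tag == 0x31, "RelativeDistinguishedName must be a SET"
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, p = _read_tlv(atv, 0)
            val_tag, val_body, _ = _read_tlv(atv, p)
            oid = decode_oid(oid_body)
            attrs[ATTR_NAMES.get(oid, oid)] = _decode_string(val_tag, val_body)
    return attrs

def ev_identity(attrs):
    """The legal-entity fields of an EV-style subject, or None if the required ones are missing.
    Subject-only heuristic: real EV status is the certificatePolicies extension carrying a
    policy OID the root program recognises as EV, and that is not checked here."""
    if not EV_REQUIRED.issubset(attrs):
        return None
    return {k: v for k, v in attrs.items() if k != "commonName"}

# Constructed sample subjects (assumed values, not from any real certificate).
EV_SUBJECT = build_name([
    ("1.3.6.1.4.1.311.60.2.1.3", "US"),
    ("1.3.6.1.4.1.311.60.2.1.2", "Delaware"),
    ("2.5.4.15", "Private Organization"),
    ("2.5.4.5", "1234567"),
    ("2.5.4.6", "US"),
    ("2.5.4.8", "California"),
    ("2.5.4.7", "Mountain View"),
    ("2.5.4.10", "Example Corp"),
    ("2.5.4.3", "www.example.com"),
])
DV_SUBJECT = build_name([("2.5.4.3", "www.example.com")])

if __name__ == "__main__":
    for label, der in (("EV", EV_SUBJECT), ("DV", DV_SUBJECT)):
        attrs = parse_name(der)
        print(label, attrs, "->", ev_identity(attrs))
```

The point of the `ev_identity` caveat is the practical one: a subject with an O field is not EV. Any OV certificate has one, and nothing stops a CA from putting businessCategory in a non-EV subject; what makes Chrome or Safari treat a certificate as EV is a policy OID in certificatePolicies that the root program has tied to that CA's EV audit.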


Non-TLS sites show up as: "Not Secure | neverssl.com". The literal words "Not Secure" appear for non-TLS sites. Those words do not show up for EV sites. That seems like a pretty drastic difference. I'm on Chrome 69. Maybe I'm part of some experiment, but I don't think so.


Well, you can certainly appreciate the fact that for EV, Apple is also changing the indicator. Perhaps it is only a matter of time before Firefox does it as well. The logic is reasonable: EVs are not widely used and therefore not worth having, as most users probably don't use them to assess the legitimacy of websites. They are also expensive as all hell, as I can see from the article.

Considering your point that the way EVs are displayed is similar in form to not secure, I find it weird. As the article points out, on mobile the EV looks no different than a DV. On desktop, the full EV name is written, versus the "Not secure" label.

It seems EVs are on their way out; you should at least concede that. It seems the Chromium team are pushing for accentuating the top domain name instead, so there's that.


> For now this has given me the impetus to ditch Chrome.

I think you're approaching this precisely backwards.

> All of the other major desktop browsers still provide useful UI for EV certs.

There is no useful UI for EV certs, because EV certs are not useful.

> right now they seem more determined to just be undermining things.

Citation needed?


> I think you're approaching this precisely backwards.

Based on what criteria? It seems that Google and my interests are aligning less and less. I am starting to care more about privacy. And now Google is removing useful features that I use regularly, so I am stopping using one of their main products, and starting to look into alternatives for other products.

> There is no useful UI for EV certs, because EV certs are not useful.

You are incorrect in this statement. They are useful to me, because they help me ensure that I am interacting with the website belonging to the company I have an existing relationship with.

> Citation needed?

The citation was the topic of my post. In Chrome 69 they are making the UI for EV certs confusingly similar to non secure sites. The handling of the removal of the Symantec root was handled poorly in terms of helping site operators know they could get a replacement certificate from DigiCert. As a certificate consumer, these are the two interactions I've had with Google in regards to certificates, and both have been negative.


> And now Google is removing useful features that I use regularly

The article makes pretty compelling points that almost no one finds EV certs useful. Maybe you do. Maybe you think you do. I dunno. But, regardless, unless the article is wrong, you are in a tiny minority. Removing special handling of EV certificates reduces pressure on people to buy these certs based on false promises being made about them being generally useful - and that's a good thing.

> The handling of the removal of the Symantec root was handled poorly in terms of helping site operators know they could get a replacement certificate from DigiCert.

The problem with Symantec having horrific security was that Google handled it wrong? This was Symantec's issue. I also don't like that when I google "Do I have to pay my parking tickets" the answer is yes - but that isn't Google's fault either.


Google have done no research on the effectiveness of their browser identity indicators, so I'm not sure where the evidence that they're not useful has come from.


[flagged]


1. I did.

2. I asked __apf__, who is in charge of browser security UI in the Chrome team, and she told me they've done no research.


[flagged]


No, actually I said it gave me the "impetus", which is rather unlike the caricature you presented of my comment.

Google and I are starting to align less and less. Removing a useful feature that helps me maintain security gave me the push to try other options. I don't care how small you may consider the change; if it increases the chance that I fall prey to a phishing site, I'll use another tool that does help me.


> No, actually I said it gave me the "impetus", which is rather unlike the caricature you presented of my comment.

I'm not really sure how that is any different from what I said. Google has made a minor UI change that the article makes a pretty compelling case is in the user's best interest. You are making a public declaration with an unclear audience that you won't stand for it.

> Removing a useful feature that helps me maintain security gave me the push to try other options.

The single biggest thing you can do to ensure your security is to use a password manager that auto-fills your passwords. Password managers can't be fooled by look-alike URLs. You can switch to another browser (and yeah, avoiding a browser mono-culture is a great thing!). However, I suspect strongly that you're going to see the other vendors follow suit and drop the special designation for EV certs. And good riddance. The article makes a pretty compelling point that CA certs aren't useful.
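The claim that a password manager "can't be fooled by look-alike URLs" rests on one rule: fill only on an exact origin match, after converting the hostname to the form the browser actually resolves. The following is an added example, not code from the thread or from any password manager; it shows that decision in Python's standard library, including the cases a lookalike attack relies on. The bank hostname and all the candidate URLs are constructed for the demonstration.

```python
"""Password-manager style fill decision: exact origin match after IDNA normalisation.

Added example. The URLs below are constructed for the demonstration.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443}

def canonical_origin(url):
    """Return (scheme, ascii_host, port) for a usable https origin, else None.

    The hostname is converted to its IDNA (punycode) form, which is the name the
    browser resolves, so a Unicode look-alike such as Cyrillic 'е' in place of
    Latin 'e' becomes a distinct xn-- label instead of comparing equal to the
    site the credential was saved for."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return None                       # refuse http: never hand credentials to plaintext
        host = parts.hostname.encode("idna").decode("ascii")   # hostname is already lowercased
        port = parts.port or DEFAULT_PORTS[parts.scheme]       # default port when omitted
    except (UnicodeError, ValueError):
        return None                           # undecodable label or malformed port
    return (parts.scheme, host, port)

def should_autofill(saved_url, page_url):
    """Fill only when the page's origin is exactly the origin the credential was saved for.
    No subdomain, suffix or 'looks similar' matching: that is where phishing lives."""
    saved, page = canonical_origin(saved_url), canonical_origin(page_url)
    return saved is not None and saved == page

def evaluate(saved_url, candidates):
    """Return {candidate_url: fill decision} for a list of pages."""
    return {c: should_autofill(saved_url, c) for c in candidates}

# Constructed sample: a credential saved for one bank origin, tried on several pages.
SAVED = "https://online.bank.example"
CANDIDATES = [
    "https://online.bank.example",             # same origin
    "https://online.bank.example:443/login",   # default port made explicit, path ignored
    "http://online.bank.example",              # plaintext downgrade
    "https://online.bank.example.evil.test",   # registered suffix trick
    "https://online-bank.example",             # punctuation look-alike
    "https://onlin\u0435.bank.example",        # Cyrillic 'е' homoglyph
    "https://ONLINE.BANK.EXAMPLE",             # case only, still the same origin
]

if __name__ == "__main__":
    for url, ok in evaluate(SAVED, CANDIDATES).items():
        print("fill  " if ok else "refuse", url, canonical_origin(url))
```

Run it and the homoglyph line prints with an `xn--` host, which is the whole trick: a human reading the omnibox sees the bank's name, the manager sees a different string and refuses. The same exact-match rule is what makes a manager refuse to fill on an http page, which is a more common real-world failure than a Unicode lookalike.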



> From https://news.ycombinator.com/showhn.html

That link is about Show HNs - and this isn't a Show HN.

What really grinds my gears are companies selling nonsense that is actively hurtful. And the article makes a pretty compelling point that EV certs are pointless - and they cost a whole bunch of money - and that makes them actively hurtful. And, then we have a self aggrandizing comment here with no clear audience defending a status quo that helps no one and hurts small businesses. That, I find disrespectful.


You're right, that's the wrong link.

https://news.ycombinator.com/newsguidelines.html

How about:

> Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.



