Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Chrome Chromium Firefox Google Security

Chrome and Firefox Changes Spark the End of 'Extended Validation' Certificates (bleepingcomputer.com) 56

"Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company's name in the address bar," reports Bleeping Computer. When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks. One certificate, called EV Certificates, are known for having a browser display the owner of the certificate directly in the browser's address bar. This allegedly makes the site feel more trustworthy to a visitor.

In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have become to associate a padlock with a secure site rather than a company name.

With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead.

AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.
This discussion has been archived. No new comments can be posted.

Chrome and Firefox Changes Spark the End of 'Extended Validation' Certificates

Comments Filter:
  • Scam (Score:2, Insightful)

    by StormReaver ( 59959 )

    Not to mention that extended validation certificates were just a scam to charge more money for the same service.

    • There is no good reason to have these automated simple SSL certs when we could just self-sign everything!

      Identity verification is a SEPARATE problem and should be handled separately. Create a 3rd party signing system - use it for automated domain identification like we have now but ALSO allow multiple signing parties. That would be 1st level identity...

      Multiple signed 3rd parties should be possible!

      Governments should sign certs for registered corporations. Corps already pay a fee to be incorporated and get

      • I essentially agree with you, but I think we should come at the problem another way:

        Treat self-signed HTTPS connections the same as plaintext HTTP connections. They are in no way less secure. There is no reason to throw up a big warning screen and make the user click a bunch of times to actually see the site. Show a warning tooltip on password fields, sure, same as HTTP connections.

        Also, verifying websites' SSL keys seems like one of the few problems that could actually be sensibly solved with a blockchain.

        • by ahodgson ( 74077 )

          They are much less secure because they could be MITM'd, a lot more easily than domain-validated certs.

          • Self-signed HTTPS is less secure than plaintext HTTP because it could be MITM'd?

            • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Saturday August 17, 2019 @11:02AM (#59097064) Homepage Journal

              When the user types http:, the user expects it to be MITMable. The scheme provides a true sense of insecurity.

              When the user types https:, the user expects it not to be MITMable. The scheme provides a false sense of security.

              • The average user doesn't type in "https" or even check the protocol, which is why browsers have lock icons and green address bars etc.

              • by DrXym ( 126579 )
                I doubt the average user even knows what the difference between http and https even means let alone what MITM is. They certainly don't know that most browsers have ~650 CAs that they implicitly trust so that signed cert basically means shit.

                Besides that, there is a simple way to prevent MITM attacks with self-signed certs - the site owner registers them with centralized cert repository (e.g. SSL observatory). Thereafter the visitor's browser would check the self-signed cert against the repository and issu

                • by tepples ( 727027 )

                  Besides that, there is a simple way to prevent MITM attacks with self-signed certs - the site owner registers them with centralized cert repository (e.g. SSL observatory). Thereafter the visitor's browser would check the self-signed cert against the repository

                  If this were the case, the SSL observatory would be acting as a CA. So what's the difference between that and Let's Encrypt?

                  • by DrXym ( 126579 )
                    SSL Observatory isn't acting as a CA. It signs nothing. It just checks if the cert the browser receives from the domain matches the cert that it has on file. So it acts as a protection against MITM.

                    Let's Encrypt is acting as a CA in its own right and therefore takes on an additional burden in terms of checking a site's owner's identity, reissuing certs and so on.

                    • Then I must have misunderstood what you meant by "the site owner registers them with centralized cert repository (e.g. SSL observatory)." Google Search for ssl observatory turned up this page at EFF [eff.org] which appears to lack a way for a site owner to make a submission, and ssl observatory registration failed to turn up any obvious official form for placing a cert "on file."

                      Besides, in order to distinguish a site owner putting a cert "on file" from an attacker doing the same, it would assume the same sort of "bu

          • by caseih ( 160668 )

            Not the way they are currently used. And certainly not the way my self-signed certificates are used. They are actually more secure because any attempt to MITM attack by any entity would be immediately detected by my browser, since my browser knows my self-signed certificates.

            Relying on domain-validated certificates allows governments and other CA authorities to issue their own certificates for any domain and the browser shows it as trusted. Seems to me the CA authority system we are now using is open to

            • by Nkwe ( 604125 )

              Not the way they are currently used. And certainly not the way my self-signed certificates are used. They are actually more secure because any attempt to MITM attack by any entity would be immediately detected by my browser, since my browser knows my self-signed certificates.

              Relying on domain-validated certificates allows governments and other CA authorities to issue their own certificates for any domain and the browser shows it as trusted. Seems to me the CA authority system we are now using is open to more abuse and MITM attacks than self-signed certificates are. Isn't this what EV certificates were supposed to help mitigate?

              It depends on the use case. Sounds like in your use case where you control both the browser's trusted CA list and the private web server where you are placing your self signed certificate, you are correct in that you have a very secure solution. Since you control both ends, you can be your own CA (which is what a issuing a self signed certificate is) and you can trust your own CA (which is what happens when you tell your browser to accept a self signed certificate.) However in the more common case for using

        • @gameboy that is very astute. This issue really shows that people are creating solutions to perceptions rather than solutions for actual problems.
      • There is no good reason to have these automated simple SSL certs when we could just self-sign everything!

        The reason for domain-validated certificates is to prove that the owner of the certificate's private key is also the owner of the domain name on the public Internet. However, it doesn't prove that the domain name's owner is a legitimate business, nor is it designed to prove anything about hostnames that are not public.

      • by I4ko ( 695382 )

        Firefox, Google, Apple are all on a virtue high horse anti-government agenda.

        All the browser makers tout encryption as protection they provide to the plebs from the (overreaching) government, and encryption is already a race to bottom with Let’s encrypt.
        Let’s not forget that the leading market share browser (backdoor in reality because of java script) is created and by an advertising agency whose real product is the data they mine of the browser user’s web visits.

        So what's a little identit

      • There is no good reason to have these automated simple SSL certs when we could just self-sign everything!

        We have that already. It's called DANE [ietf.org]. However, adoption has been poor, partially because it (rightfully) relies on DNSSEC, which has also seen little adoption.

    • Comment removed based on user account deletion
    • by Sigma 7 ( 266129 )

      I have a proxy server that intercepts HTTPS content, and replicates the connection with its own self-signed signature. For a bit of time, the browser called it "secure", when it was merely encrypted. It incorrectly implied that the self-signed certificate was just as secure as anything else.

      Even if EV is a scam, it's an improvement in that a certificate isn't intercepted by a third party and either examined or tampered.

    • by gweihir ( 88907 )

      Not always. Some now defunct CAs actually did a pretty good job ob verifying the identity. What Verisign does is just a bad joke and matches your comment exactly.

  • What I'm really shocked here is that the major browser vendors didn't go in the opposite direction. By that, I mean an approach where plain, garden-variety SSL certs get incrementally devalued. Right now, a password field on a non-SSL page will have most browsers showing all kinds of scary popups about transmitting passwords in clear.

    I fully expected, at some point, browsers also starting to show the same scary popups on pages that use standard SSL certs, and only be content by password fields on pages that

    • I'm pretty surprised by that too, that the CA cartel didn't get the browser vendors to ratchet up the warnings like they did with regular SSL to prop up the cert signing racket.
    • What we really want is to ditch the CA cartel whatsoever, and go to DNSSEC/DANE. But for some reason the projects to implement that in browsers got mysteriously axed. While DNSSEC+DANE is not perfect, it would make MitM by government-level actors a lot harder. And would be strictly stronger than the current LetsEncrypt model: with LE or legacy CAs.

      • by sinij ( 911942 )
        What CA cartel? There are 100s of CAs approved by CA/Browser forum and loaded by default into browser's trust store. If you don't like CA A, there are always CA B to ZZ to chose from.
        • What CA cartel? There are 100s of CAs approved by CA/Browser forum

          You appear to have answered your own question. CA/Browser Forum is the CArtel. It has failed, for example, to provide an effective mechanism for limiting a CA certificate's scope to a single LAN or to a single domain name in a reserved TLD. How would you obtain a certificate for a router, printer, or NAS on a home LAN, for example?

          • by ahodgson ( 74077 )

            You can get a Letsencrypt cert for anything you can put in DNS.

            • by tepples ( 727027 )

              How would you obtain a certificate for a router, printer, or NAS on a home LAN, for example?

              You can get a Letsencrypt cert for anything you can put in DNS.

              You can't put a domain name under a reserved TLD in DNS. Or would it be desirable to require each householder to purchase a domain name and expose his or her home LAN's internal hostnames to the world through Certificate Transparency logs?

              • by sinij ( 911942 )

                For your home , if you want certificates, host your own CA using free CA software and you will be able to make your own issuance rules. You know to trust yourself, have a finite deployment to deploy your trusted CA cert, and most importantly don't need the whole world to trust your setup.
                 
                Public CAs are for internet-facing infrastructure.

          • by mvdwege ( 243851 )

            How would you obtain a certificate for a router, printer, or NAS on a home LAN, for example?

            Set up your own CA? It's really not that hard.

            Then again, if you're inside your own network, nothing wrong with self-signed certs, as you can easily do out of band verification.

            This is a non-problem.

            • by tepples ( 727027 )

              Set up your own CA? It's really not that hard.

              Even if it's not that hard to set up a CA on a desktop computer or a Raspberry Pi device, it may be hard to get a Chromebook, smartphone, or set-top streaming device to trust your CA or your self-signed certificate.

    • If your webhost didn't do that, they would get complaints from customers about the "NOT SECURE" warnings on the browser when they visit the site.

  • by sinij ( 911942 ) on Saturday August 17, 2019 @10:15AM (#59096942)
    Sure, for non-technical users that do not know a thing about secure websites and X509, it may not be adding any security. The problem with these users is indifference, and there is no technical solution to that. However, this does not mean that this feature is useless. Personally, I regularly check certificates, and when something unexpected is there I even manually inspect certificate chain and extensions. Removing my ability to do this will make my browsing less secure when using these browsers (I use PaleMoon).
    • "Removing my ability to do this will make my browsing less secure when using these browsers"

      -1, anti-informative

      The article makes no claim that the ability to check the certificate chain is being removed.

    • This just in, password to be abolished because users keep setting them to "12345" and therefore not providing security users need.

  • by tripmine ( 1160123 ) on Saturday August 17, 2019 @10:15AM (#59096944)
    "In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate." NO!!! If if the "single purpose" was encryption, browsers wouldn't throw a hissifit when a site uses a self-signed cert. CA-signed certificates are just as much about Identity The CA is vouching that the key in the cert does indeed belong to the entity that controls the domain EV certs go beyond that to verify that the the key in the Cert belongs to the legal entity claimed in it. Just because normal users don't understand it, doesn't mean that it has no usefulness. Do you think users would give a crap if browsers didn't go into Red Alert whenever you tried to type a password on a non-SSL site or browsing into an self-signed HTTPS site?
    • by duke_cheetah2003 ( 862933 ) on Saturday August 17, 2019 @10:41AM (#59097016) Homepage

      Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate." NO!!! If if the "single purpose" was encryption, browsers wouldn't throw a hissifit when a site uses a self-signed cert. CA-signed certificates are just as much about Identity

      Yeah, I noticed this too. Though, I would go further and say certs are all about identity. There's lots of ways to encrypt. You don't need a cert by any stretch to do that part of the security. Certs are about the site you're connecting to being the site you expected to connect to. They frankly have very little to do with actual encryption, other than being the 'key' for the encryption, which loops right back to identity, the cert holder is the only entity that should have the private key after all.

    • by dissy ( 172727 )

      You and the article are both conflating the technical purpose and the "human factor" purpose.

      At a technical level a CA signed cert and a CA signed EV cert perform the exact same function.
      As can your own personal-ca signed certs (presuming you create your cert with current hash methods and bit-sized keys)

      On a human level is the only way they are treated different, and differently by different humans.

      As you stated already, a personal-ca can easily be just as secure, and likely more so than a public CA, on a t

    • by mvdwege ( 243851 )

      EV does not bring extra security.

      By design, SSL/TLS can do only one thing: assert that a third party has certified that the server you are connecting to holds the private key corresponding to the public key with the server's name embedded in it. The quickest way to verify that is Domain Validation, where the CA sends an email to an address in the domain of the certificate CN, on the assumption that whoever controls the DNS also is the legitimate controller of the domain.

      EV is a pseudo-secure solution assert

  • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Saturday August 17, 2019 @10:20AM (#59096956) Homepage Journal

    Conventional wisdom to prevent phishing used to be that financial sites had a TLS certificate, whereas hobbyist sites would have cleartext. With dirt-cheap resellers driving down the price of a domain-validated, and later StartCom and Let's Encrypt driving it to zero, the price of mounting an attack on a bank's domain using a near-homoglyph or typosquat attack (such as paypaI.com or bankofarnerica.com) fell in parallel.

    For a while, Comodo tried to work around this by making the DV case appear more conspicuously dangerous. Its Dragon and IceDragon browsers, based on Chromium and Firefox respectively, treated domain-validated as less trustworthy, showing the same "lock with caution triangle" icon as for mixed passive content, whereas Extended Validation or otherwise organization-validated certificates got the ordinary lock. Some versions of these browsers would show an interstitial warning page when the user visits a website with a domain-validated certificate for the first time:

    The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with...

    This was styled similarly to the warning for an invalid certificate, with an amber border instead of a red one. But as Facebook and other widely used commercial but non-financial sites also switched to DV certificates from Let's Encrypt, interstitials warnings for DV certificates became noise leading to warning fatigue. Thus Comodo's model never caught on upstream or with other browser publishers.

    So with official versions of Chrome and Firefox no longer distinguishing EV certificates, what defense is there against phishing using a near-homoglyph or typosquat domain? Sending every domain that every user visits to Google LLC for a Safe Browsing check?

    • by sinij ( 911942 )
      Hello, I am from Microsofit Technical Support. I am pleased to notify you that you are entitled to a refund as a result of your /. post. Please download this form and fill your information to receive funds.
    • So with official versions of Chrome and Firefox no longer distinguishing EV certificates

      They still distinguish them. They've changed the colour scheme of DV certificates. DV certificates no longer show a green lock. However your Bank of America example is precisely why removing the full company name from the address bar for an EV certificate is a dumb fucking idea.

  • by BrookHarty ( 9119 ) on Saturday August 17, 2019 @11:52AM (#59097160) Journal

    I'm so tired of logging into network/server hardware all day and both firefox and chrome bitch about certs and give me no way to "permanently accept" certificates.

    Make them secure, but stop stripping out my choices to remember settings. Make a special setting, but stop removing features!

    • The solution is to not use self-signed certs. Either use a recognized CA or set up your own CA and add that to your trusted certs.

      Of course, they make the whole process unreasonably expensive and stupidly complicated. I can't really blame people for not wanting to do it "the right way".

    • Chrome uses your operating system's certificate store, so install it as a trusted certificate there.

You are always doing something marginal when the boss drops by your desk.

Working...