Browser makers have been making a series of changes to the way they display security indicators to users, and in the next major versions of Chrome and Firefox, Google and Mozilla will remove the information about extended validation SSL certificates from the address bar after deciding that it doesn’t communicate any useful information to users.

For many years, browser vendors have struggled to find effective ways to communicate the relative security of a given site to users. Locks, open or closed or missing, stoplight colors, and various combinations thereof have all been tried, with varying degrees of success. In some cases, the indicators were too small or too vague, and in others they didn’t communicate the information they were meant to communicate. Google, Microsoft, Mozilla, and Apple all have tinkered with the icons in the browser address bar recently, specifically with the icon that indicates the status of a site’s certificate and therefore the visitor’s connection to it.

Google is planning a major change to that in Chrome 77, removing the EV status information from the address bar altogether and moving it into a drop-down instead. The reasoning behind the decision is that people apparently don’t pay much attention to the indicator and don’t miss it when it’s gone. Google’s internal research, as well as previous academic research, shows that when the EV certificate information is removed from the address bar, people will still enter sensitive information into a site, with no indication that it’s secure.

Extended validation certificates require a higher level of proof of identity for organizations, including the physical presence of the site owner and exclusive control over the domain. But that information is not obvious to people visiting a site with an EV certificate.

“Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended (see Further Reading below). Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection,” Google said.