Sometimes the discussion around extended validation certificates (EV) feels a little like flogging a dead horse. In fact, it was only September that I proposed EV certificates are already dead for all sorts of good reasons that have only been reinforced since that time. Yet somehow, the discussion does seem to come up time and again as it did following this recent tweet of mine:
Always find comments like this amusing: “The main concern about SSL certificates is that all of them are losing their intrinsic trust”
Yet an excluded purpose for certs is: “That it is safe to do business with the Subject named in the EV Cert”https://t.co/slZVzqGLfN https://t.co/7FSbBHjj1l
— Troy Hunt (@troyhunt) April 3, 2019
Frankly, I think this is more a symptom of people coming to grips with the true meaning of SSL (or TLS) than it is anything changing with the way certs are actually issued, but I digress. The ensuing discussion after that tweet reminded me that I really must check back in on what I suspect may be the single most significant example of why EV has become little more than a useless gimmick today. It all started on stage at NDC Sydney in September, more than 8 months ago now. Here’s the exact moment deep-linked in the recorded video:
Well that was unexpected. I came off stage afterwards and sat down with Scott Helme to delve into it further, whereupon we found behaviour that you can still see today at the time of writing. Here’s PayPal in Firefox:
You can clearly see the green EV indicator next to the address bar in Firefox, but load it up in Chrome and, well…
Now, you may have actually spotted in the video that the cert was issued by “DigiCert SHA2 Extended Validation Server CA” which would imply EV. It also the same cert being issued to both Firefox and Chrome too, here’s a look at it in both browsers (note that the serial number and validity periods match up):
The reason we’re seeing the EV indicator in Firefox and not in Chrome has to do with the way the certificates chain in the respective browsers and again, here’s Firefox then Chrome:
Whilst “DigiCert SHA2 Extended Validation Server CA” is the same in each browser, the upstream chain is then different with Firefox and Chrome both seeing different “DigiCert High Assurance EV Root CA” certs (even though they’re named the same) and Chrome obviously then chaining up another couple of hops from there. But frankly, the technical explanation really isn’t the point here, the point is that we’re now nearly 8 months in which can only mean this:
PayPal really doesn’t care that the world’s most popular browser no longer displays the EV visual indicator.
And that’s all EV ever really had going for it! (Note: yes, I know there can be regulatory requirements for EV in some jurisdictions, but let’s not confuse that with it actually doing anything useful.) The entire value proposition put forward by the commercial CAs selling EV is that people will look for the indicator and trust the site so… it’s pretty obvious that’s not happening with PayPal.
Furthermore, as I’ve said many times before, for EV to work people have to change their behaviour when they don’t see it! If someone stands up a PayPal phishing site, for example, EV is relying on people to say “ah, I was going to enter my PayPal credentials but I don’t see EV therefore I won’t”. That’s how EV “stops phishing” (according to those selling the certs), yet here we are with a site that used to have EV and if it ever worked then it was only by people knowing that PayPal should have it. So what does it signal now that it’s no longer there? Clearly, that people aren’t turning away due to its absence.
And finally, do you reckon PayPal is the sort of organisation that has the resources to go out and get another EV cert that would restore the visual indicator if need be? Of course they are! Have they? No, because it would be pointless anyway because nobody actually changes their behaviour in its absence!
It’s a dead duck, let’s move on.