Google to bury indicator for Extended Validation certs in Chrome because users barely took notice

The next version of Google's Chrome web browser, 77, will not indicate whether a site has an EV (Extended Validation) certificate unless the user drills down into the Page Info dialogue. EV certificates, introduced in 2007, are issued only after verifying that the applicant is a genuine legal entity. Businesses must have a …

  1. Andrew Commons

    This is hilarious.

    Once upon a time, long, long ago - well in the late 1990s anyway - when eCommerce was becoming a thing the ".com" certificates were only issued after verifying that the applicant is a genuine legal entity. You had to produce a lot of paperwork and it was not a quick process.

    Roll forward to mid-2000s and all that has gone. Getting a ".com" is a trivial exercise. The certificate authorities responded by running road shows for "Extended Validation Certificates" that were only issued after verifying that the applicant is a genuine legal entity...and would cost more than the original ".com" that you had jumped through hoops to get. Oh...and they had this green stuff in the "chrome" in the browser that could not be manipulated.

    Roll forward...and it's all shit again. And it will always be shit. The technology works, the process doesn't.

    1. Cuddles

      Re: This is hilarious.

      "The technology works, the process doesn't."

      That's because the process includes the end users. As always, humans are the weak link.

      1. asdf

        Re: This is hilarious.

        >Roll forward...and it's all shit again. And it will always be shit. The technology works, the process doesn't.

        >That's because the process includes the end users. As always, humans are the weak link.

        Sure I am committing some type of logical fallacy but ergo humans are shit. No really I can buy that conclusion.

      2. bazza Silver badge

        Re: This is hilarious.

        Greedy humans are the weak link... Unfortunately they're in charge of many areas of technology.

        1. ACZ

          Re: This is hilarious.

          > Greedy, lazy and careless humans are the weak link... Unfortunately they're in charge of many areas of technology.

          FTFY :)

        2. Charles 9

          Re: This is hilarious.

          No, STUPID humans are the weak link. If you tell them not to go to fake sites and they STILL happily divulge their life details to MostDefinitelyNotAFakeSite . cxx, at some point you have no choice but to acknowledge You Can't Fix Stupid, throw up your hands, walk away, and start praying he doesn't take you with him.

          1. I ain't Spartacus Gold badge

            Re: This is hilarious.

            Charles 9,

            Why blame the users, for the utter shitshow that is internet security. It's fucking confusing - if the UI is pisspoor and the users are untrained, what do you expect? And don't say for the users to get trained, because there's no easy way to do that.

            Take for example the bit from the article about: accounts.google.com.amp.tinyurl.com

            Now I don't expect most users to understand that accounts.google.com is fine, in the way that www.google.com would also be fine. But a system that allows accounts.google.com.anything.else.at.all is inherently confusing.

            In the olden days it was com.google and so you knew the hierarchy, and you couldn't be fooled by a scam URL - but now you're expecting users to look at a deliberately long URL to notice that if it ends with .com/something.com then that's safe, but if it ends with .com.something.scam.com then it isn't. And that's just silly.

            1. Often Confused

              Re: This is hilarious.

              I know a lady who was told by a random scam phonecall that their bank account had been compromised and to move all her money to a particular account.

              Despite all of us telling her it was bogus, her bank telling her it was bogus and even the police (called by the bank) telling her it was bogus. She still believed the scammer and transferred all her cash to this random person.

              People are generally stupid. Doesn't matter what you do to try and help them. E-Commerce could be better though.

              1. asdf

                Re: This is hilarious.

                People are stupid, lazy, selfish and greedy. The older I get the more painfully clear it is.

            2. Charles 9

              Re: This is hilarious.

              "Why blame the users, for the utter shitshow that is internet security."

              Why blame the drivers for the utter shitshow that is the typical national road network?

              As the song goes, "That's just the way it is. Some things will never change."

              Plainly put, humans suck when it comes to large groups. We're built for tribal/clan organizations, really. Plus security and ease of use can be at odds (classic example being your front door), creating dilemmas for people looking for rock-hard turnkey solutions (aka looking for an idiot-proof Internet your Grandma can just pick up and use--Good F'N Luck).

      3. Anonymous Coward

        Re: Blame the users?

        Why blame the users for the tech/businesses selling out to the scammers and cons?

  2. Anonymous Coward

    The real result of survey is that too many users are morons...

    ... so the other users must suffer removals of useful indicators.

    I'm quite sure Google will soon unveil some Google controlled technology to achieve the same result.

    Anyway, without proper vetting certificates are only good to encrypt communications, they lose the authentication feature.
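The "authentication feature" this comment refers to is carried in the certificate itself: an EV certificate asserts the CA/Browser Forum EV policy OID (2.23.140.1.1) in its CertificatePolicies extension, which is what a browser inspects before deciding to show an EV indicator. The following is an added example, not code from the article or from any commenter, that reads that extension with only the Python standard library. The two extension values it checks are constructed for the demonstration and come from no real certificate; the root-to-OID table browsers additionally consult (an EV OID only counts when the chain ends at a root listed as EV-capable for that OID) is not modelled.

```python
"""Added example: decide whether a DER CertificatePolicies value asserts EV.

EV_POLICY_OID and DV_POLICY_OID are real CA/Browser Forum OIDs. The sample
extension values at the bottom are constructed here, not taken from a cert.
"""

EV_POLICY_OID = "2.23.140.1.1"    # CA/Browser Forum: extended validation
DV_POLICY_OID = "2.23.140.1.2.1"  # CA/Browser Forum: domain validated

SEQUENCE, OBJECT_IDENTIFIER = 0x30, 0x06


def encode_oid(dotted):
    """DER content octets of an OBJECT IDENTIFIER (first two arcs merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits last; continuation bit on the rest
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """Inverse of encode_oid."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    top = 2 if first >= 80 else first // 40
    return ".".join(str(a) for a in [top, first - 40 * top] + arcs[1:])


def der_tlv(tag, content):
    """Wrap content in a DER tag-length-value (definite length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n_bytes)]) + n_bytes
    return bytes([tag]) + length + content


def der_walk(data):
    """Yield (tag, content) for each TLV in data; rejects indefinite lengths."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first == 0x80:
            raise ValueError("indefinite length is not DER")
        if first < 0x80:
            n, i = first, i + 2
        else:
            k = first & 0x7F
            n, i = int.from_bytes(data[i + 2:i + 2 + k], "big"), i + 2 + k
        if i + n > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + n]
        i += n


def certificate_policies(policy_oids):
    """DER value of a CertificatePolicies extension listing policy_oids."""
    infos = [der_tlv(SEQUENCE, der_tlv(OBJECT_IDENTIFIER, encode_oid(o)))
             for o in policy_oids]
    return der_tlv(SEQUENCE, b"".join(infos))


def policy_oids(ext_value):
    """Policy OIDs asserted by a DER CertificatePolicies value."""
    tag, body = next(der_walk(ext_value))
    if tag != SEQUENCE:
        raise ValueError("CertificatePolicies must be a SEQUENCE")
    oids = []
    for tag, info in der_walk(body):
        if tag != SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        # policyIdentifier is the first field; trailing policyQualifiers are ignored
        oid_tag, oid_bytes = next(der_walk(info))
        if oid_tag != OBJECT_IDENTIFIER:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def is_ev(ext_value):
    """True if the extension asserts the CA/Browser Forum EV policy."""
    return EV_POLICY_OID in policy_oids(ext_value)


# Constructed sample extension values (not taken from any real certificate).
EV_EXTENSION = certificate_policies([EV_POLICY_OID])
DV_EXTENSION = certificate_policies([DV_POLICY_OID])

if __name__ == "__main__":
    for name, ext in (("EV", EV_EXTENSION), ("DV", DV_EXTENSION)):
        print(name, ext.hex(), policy_oids(ext), "EV" if is_ev(ext) else "not EV")
```

Against a real certificate you would not hand-walk DER; with the `cryptography` package, `cert.extensions.get_extension_for_class(x509.CertificatePolicies)` returns the same list of policy identifiers, and the `is_ev` check is the same membership test. The point the example makes is that "EV" is nothing more than one OID in one extension: after Chrome 77 that OID is still there and still verified, it is only the chrome around the address bar that no longer says so.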

    1. Anonymous Coward

      Re: The real result of survey is that too many users are morons...

      It sounds to me that Google used the same people Microsoft used when designing Windows 8!

    2. mbdrake

      Re: The real result of survey is that too many users are morons...

      Given Google's tech is embedded within the HTTP/2 and HTTP/3 protocols (SPDY and QUIC), then yes, it looks like their stake in the underlying functionality of how the web works is ever increasing.

    3. I ain't Spartacus Gold badge

      Re: The real result of survey is that too many users are morons...

      Why are users morons for not recognising that accounts.google.com.amp.tinyurl.com goes to tinyurl and not Google? That's pisspoor UI design, not the user's fault for not being able to parse it.

      Oh and since they won't allow you to check where it leads, why the hell does anyone who's not a scammer still use tinyurl?

  3. Pascal Monett Silver badge

    Security is hard

    It's because of users. Always has been, always will be.

    You can design the perfect security for a house, if the owner forgets to shut the door, it's screwed.

    And if you mandate vise-level security, the user will just go somewhere else.

    It is quite hopeless, but removing a valuable indicator just because 85% don't pay attention means that the 15% that do will have to do without.

    That's sad.

    1. Nick Kew

      Re: Security is hard

      It's also a matter of design.

      If you want users to beware of an unverified certificate, you display a warning. Perhaps for example display the padlock icon with a red questionmark over it, and a more detailed explanation to pop up if the user clicks it.

      Surely the issue here is that users are routinely told to look for the padlock, not for the owner's name alongside it. Displaying silly warnings over non-https sites just makes it worse, by telling users that the browser is indeed checking for them, and incorrectly placing unverified certs on the 'secure' side of that check.

      1. Glen Turner 666

        Re: Security is hard

        It *is* a matter of design, and designs around the address bar are poor but cheap. The screamingly obvious design is to prevent people entering credit card details onto a non-EV page.

        1. ACZ

          Re: Security is hard

          This hits the nail on the head. Unfortunately, the vast majority of people are lazy about security. And even if you're not being lazy, how many people actually double-check the URL of a link before clicking on it? How many people check the SSL certificate on their email provider when it changes? How many people check the issuing CA on a certificate before deciding to trust it?

          I suspect that even if you tried to block people from entering card details (i.e. recognisable patterns of information corresponding to a card), the workarounds employed by bad actors wouldn't deter people. In fact, the workarounds would probably be dressed up as being *extra* security to encourage people to trust the site...

          This is an issue of human behaviour, a subconscious desire to conform, and a generally irrational desire to complete something once we've decided to do it. Especially when it's a really good deal and somebody else might beat us to it - quick - buy buy buy.

          The simple fact is that people want to enter their card details and complete their purchase :(

    2. Anonymous Coward

      Skynet

      Security is hard. It's because of users.

      Skynet starts as an AI told "make the internet secure", and determines the only way to accomplish that would be if there were no more humans.

    3. Adam 1

      Re: Security is hard

      > It is quite hopeless, but removing a valuable indicator just because 85% don't pay attention means that the 15% that do will have to do without.

      I would argue that it is unimportant how many notice that it was there. Rather, it only matters how many of those 15% of people would notice that it is later missing, and of that tiny fraction of 15%, how many would consequently avoid the site after noticing.

      I would also argue that a direct negative of EV is that the same process introduces delays in reissuing a cert that you need to revoke.

  4. Cronus

    and this is why I've switched to Firefox (actually I switched when they announced they were gimping the network APIs for addons and removing the https indicator from URLs; this is just yet another nail in the coffin).

    1. Brewster's Angle Grinder Silver badge

      Switching to Firefox doesn't help for long. Nobody is going to bother renewing EV certificates when ~80% of the market sees no benefit. So the indicator will disappear from Firefox, not because Firefox has removed the code, but because Google has declared it dead.

      1. Nick Kew

        Disagree. Serious sites will continue to want it. Until better options - like a Distributed Trust Authority - are widely available.

  5. Krassi

    pointless, even harmful

    Being a legal entity is such a low qualification it is almost worthless. Every year, huge amounts of financial fraud are carried out through perfectly valid legal entities, for example. Being trustworthy is something totally different. Fraudsters like these sorts of schemes as they distract from the underlying scam and give false security: we've got an EV (just like Google) - you can trust us with your life-savings / credit card details / bank log-ins.

    The public is right to be indifferent to EV.

    And BTW, if EV had caught on, there would be a black market in EV registrations, methods to spoof it, fake it, hack the register etc etc..

    1. Anonymous Coward

      Re: pointless, even harmful

      The vetting procedure makes it much harder to spoof certificates, or create a black market.

      While it is true it can't save the world from Enron or Madoff, they are still better than plain certificates. How many EV certificates have you seen on scam sites?

      Anyway, expect soon the Google Reputation Service (tm), a fully Google controlled registrar of safe sites companies can pay for to appear safe in Chrome....

      1. Anonymous Coward

        Re: pointless, even harmful

        The vetting process made things harder by ensuring there was a legal entity behind the certificate.

        However, that vetting process just passed the checks onto existing regulatory authorities who already had this issue and scammers went to countries where tracing legal entities was harder.

        The EV certificates provided some value for well known e-commerce sites, but beyond that it was basically just an additional cost with little real benefit. There was additional indemnity insurance but has there ever been a successful claim on one of these policies?

        At this point, Google's just cutting an unnecessary cost out of the e-commerce chain IMHO.

  6. Anonymous Coward

    because users barely took notice

    Maybe users no longer notice because certain browser developers keep changing things.

    Boiling Frog effect

    1. Anonymous Coward

      Re: because users barely took notice

      More likely users barely took notice because the vast majority of users wouldn't be able to tell you what a certificate is in the first place let alone an EV certificate (something I hadn't heard of until five minutes ago).

      And quite rightly too. Users don't care as long as shit works and they don't get ripped off.

      It's like asking the average car owner whether their car has disc or drum brakes. Most people wouldn't have a clue, and won't care either way until they have to stop in a hurry. (As an aside, I hired a car from the 19th century in Hungary once with drum brakes. I swear the car actually sped up a bit when I pushed the brake pedal. It certainly didn't slow down, that's for sure.)

      1. I ain't Spartacus Gold badge

        Re: because users barely took notice

        "More likely users barely took notice because the vast majority of users wouldn't be able to tell you what a certificate is in the first place"

        I should point out that most users don't know what a URL is.

        And although they do know that something.com is different to something.co.uk they certainly don't know that something.com/scam.com is critically different to something.com.scam.com.

        Also they don't know the difference between the address bar and the Google search bar. Which is apparently fine, as Google are perfectly happy with that situation...
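The distinction this commenter (and the same commenter earlier in the thread, on accounts.google.com.amp.tinyurl.com) is drawing is exactly the one a browser's "registrable domain" logic makes: the rightmost public suffix plus one label is owned by whoever registered it, and every label to the left of that is theirs to choose. The following is an added example, not code from the article or from any commenter, that classifies a URL on that basis. The public-suffix table is a constructed subset of the real Public Suffix List, and the brand allow-list is a hypothetical stand-in for whatever the user believes they are visiting.

```python
"""Added example: which site does a URL's hostname actually belong to?

The registrable domain (eTLD+1) is the rightmost public suffix plus one
label. accounts.google.com.amp.tinyurl.com therefore belongs to tinyurl.com,
and example.com/google.com is a path on example.com, not Google.
"""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org); a real
# implementation loads the full list, which has thousands of rules.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Hypothetical allow-list of registrable domains the user believes they are on.
KNOWN_BRANDS = {"google.com"}


def _labels(host):
    return host.lower().rstrip(".").split(".")


def public_suffix(host):
    """Longest suffix of host that is a public suffix (falls back to the TLD)."""
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host):
    """eTLD+1 of host, or None if host is itself a public suffix."""
    labels = _labels(host)
    suffix_len = len(public_suffix(host).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def classify(url):
    """Return (verdict, registrable_domain) for a URL.

    verdict is one of:
      "trusted"   - registrable domain is on the allow-list
      "lookalike" - a trusted brand appears in the authority part (subdomain
                    labels or user:pass@ prefix) but the registrable domain
                    is someone else's
      "other"     - an unrelated site
      "invalid"   - no hostname could be extracted
    """
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return ("invalid", None)
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        return ("trusted", reg)
    # netloc keeps any user:pass@ prefix, so https://accounts.google.com@evil.com/
    # (hostname evil.com) is flagged here as well.
    authority = parts.netloc.lower()
    if any(brand in authority for brand in KNOWN_BRANDS):
        return ("lookalike", reg)
    return ("other", reg)


if __name__ == "__main__":
    for u in (
        "https://accounts.google.com/signin",
        "https://accounts.google.com.amp.tinyurl.com/x",
        "https://www.google.com.evil.co.uk/",
        "https://example.com/google.com",
        "https://accounts.google.com@evil.com/",
    ):
        print(classify(u), u)
```

The path-versus-host case (example.com/google.com) comes out as "other" because urlsplit never looks at the path when extracting the hostname, which is the rule the comment says users cannot be expected to apply by eye. Note that the lookalike test is deliberately crude (a substring match on the authority); it exists to show where the brand string turns up, not to be a phishing detector.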

        1. Anonymous Coward

          Re: because users barely took notice

          Yep, I know people who Google URLs and click on the first result.

    2. Dan 55 Silver badge

      Re: because users barely took notice

      Not even changing things, just hiding them.

      Google hides most of the URL, people don't know what a good URL looks like, Google hides EV info, people don't know if what they think is their bank's homepage is good or fake.

      And we're back where we started 25 years ago.

      1. Mike 137 Silver badge

        Re: because users barely took notice

        They're in good company. Microsoft hid file extensions (ironically originally a Microsoft invention) "to avoid confusing users" decades back, opening the floodgates to malware.

        1. coconuthead

          Re: because users barely took notice

          File extensions were a thing in the 1960s, long before Microsoft existed.

          1. Anonymous Coward

            Re: because users barely took notice

            Comment was on the opposite, no? MS hiding them.

            By all means have an OS that cares not for them (some/many Linux/UNIX? as they use other things to determine/run the files, and thus are partly more secure as a user cannot change/force a file to run in certain instances).

            But MS have the legacy of file extensions, and don't want it anymore I guess.

            1. Charles 9

              Re: because users barely took notice

              "some/many Linus/UNIX? as they use other things to determine/run the files, and thus are partly more secure as a user cannot change/force a file to run in certain instances"

              But it also creates confusion when files share infrastructure. How does a magic number tell the difference between an ePUB, an OpenOffice/LibreOffice document, a CBZ, or a ZIP (hint: they're ALL essentially the latter)?

  7. rtharrison

    PEBKAC!

  8. tekHedd

    We control your bass, and we control your treble

    And, let's face it, we've always known that the users will never make decisions for themselves, instead doing whatever the browser (that they do trust) tells them to. We don't control the EV certificates, but we do control Let's Encrypt. And that's fine, because what we really need is control over your web site. You know, for the children.

    It's difficult to make your own certificates. But not impossible--so we no longer trust those. Instead, we made sure you have to buy them with money, or use our friendly-named "Let's Encrypt" service to get one. That gives us control over your domain: we can shut it down in a heartbeat with a revocation.

    Unless you're big enough to have a fancy cert, we own you.

    1. osmarks

      Re: We control your bass, and we control your treble

      Let's Encrypt isn't owned by Google or anything, and... you've never been able to make your own certificates any browser would trust, since that would defeat half the point of CAs.

  9. Anonymous Coward

    Sorry, what's been rescinded? I was distracted..

    I hadn't heard of EV (didn't receive any emails about it, saw no news about it, didn't receive a manual in the post...*), nor did I notice it - and I'm way more security conscious than yer average user. Why? Probably because of featuritis in browsers - specifically, in my case, Firefox.

    Mozilla have fiddled around with their browser (particularly the preferences section) so much in recent years that it has become irksome - there's one of their security features where you're supposed to be able to edit a list of exception sites, where you don't want them to be flagged as a security risk. I used to be able to use this easily. Now, I simply cannot find how you are supposed to be able to add sites to that list. And trust me, the exceptions I want to add are few, and carefully chosen - I'm not the sort of user that "just wants all web pages to work, damnit!" And yes, generally, if I get a security warning from my browser, I will tend to shrug and try another site to find the information on whatever I'm looking into. And the plethora of sites that, due to GDPR, tell me, in essence, "We're trustworthy sites, honestly, but due to GDPR we have to ask you to accept cookies in order to show you our content" - why, I do believe they are fibbing, so I'll not use those sites, either. I am also well aware that URLs like (something).com.org.tinyurl are not to be trusted.

    Then there's the websites themselves - flashy this and video that and slideshows and god knows what - all designed to grab one's attention. This is where psychology comes in. Banks have websites, you can do shopping on websites, heck, the government has a website, businesses (which have to be set up complying with the laws of some country or other) have websites - so the internet generally must be government approved/regulated, and therefore generally be safe, right? Well... no. I know that, and you know that - but I'd be surprised if most folk do.

    As per one of my recent posts, we're back to the problem being that the internet is effectively run by businesses for businesses, NOT for yer average member of the public. Never mind criminals, all too many businesses don't mind if they hoodwink people out of money! And they are responsible for the web having become the bloated monster of video adverts and flashy attention-stealing graphics that distract one from things like security indicators. Don't go blaming users for not noticing EV - Google itself is part of the problem (too much attention-stealing advertising) and browser makers are the other part (too much fiddling with layouts and how things work). It's small wonder many folk won't notice discreet security features under the circumstances, nor that even if they do, many will just throw their hands in the air and go "fuck it, I just wanna buy my shiny from that site; looks good to me" - because no-one sent them the email, manual, etc about how the web works, or the newsletter when stuff changed *, either.

    *I hope it isn't necessary for me to say this but yes, I am being facetious here. My point being that when it comes to the web, users are too often expected to be mind-readers and notice or use things they've never been informed about. Would you, as IT support people, expect users at work to use software without training?

  10. Tomato42

    Survey?

    So they ask a bunch of people that think that "The Facebooks is the Internets" and are surprised that they can't tell a green from grey colour, let alone know what it means?

    smh

  11. noHoper

    Quack

    Enter the QWAC... https://www.enisa.europa.eu/publications/qualified-website-authentication-certificates

  12. TrumpSlurp the Troll

    Does it take time and cost money?

    Extended validation takes time and costs money. So most businesses who want it now and why isn't it working and what do you mean renewal costs will avoid it.

    Having been exposed to OSI and PKI many years ago, both were designed by engineers for engineers.

    With OSI the standards were hard and expensive to implement and RFCs were quick and dirty and free. Guess which won? OK there was a naive lack of security awareness in early RFCs but that got fixed eventually (sort of).

    With PKI there were two hard and expensive bits. The Certificate Authority buried in a secure bunker somewhere so nobody could hack it. The validation of end user identity which involved a lot of proof being taken to a physical location and a secure token being issued to the validated user.

    I even got all enthusiastic and paid for a certificate to use with the Government Gateway.

    I didn't renew it because everyone else used a free but less secure method of validation.

    Surprise, surprise, all the crypto infrastructure will work with free and/or self signed certificates. Why sell your first born to VeriSign when you can get everything for free?

    When users are quite happy blindly clicking on email links and writing down the simple passwords they endlessly reuse, who is going to pay extra for another layer of security that 90% of users never even notice?

    Signed and encrypted email? But the address says that is from Fred. I know Fred. What?

  13. JavaJester

    It Doesn't Seem to Help Lusers, lets Hide It!

    At least in the past few years, the security interface of Chrome has gotten worse because a focus group populated with untrained lusers has no clue how to read a URL. Firstly they hide https / http and the www part of the URL. Surprise! Some miscreants figure out how to use a DNS cache poisoning attack with a twist: they poison www.example.com but leave example.com alone. The genius of this is that when people are warned about www.example.com and are using chrome they proceed because after all it says "example.com" in the address bar. When they call their administrator to check on example.com, all appears to be well because example.com wasn't impacted. Terrible, terrible idea. At least you can use the Suspicious Site Reporter to undo that behavior. Hopefully there will be a way to override this madness as well.

    Why is it assumed to be a UX flaw when the user doesn't understand browser security features? Wouldn't a better solution be a campaign to educate the users? Perhaps some kind of bubble that explains the significance of the company name the first time it is seen when using the browser? Hiding information from the user is never the right answer. Hiding information invariably gives hax0rz a way to exploit the user.

    1. Charles 9

      Re: It Doesn't Seem to Help Lusers, lets Hide It!

      "Why is it assumed to be a UX flaw when the user doesn't understand browser security features? Wouldn't a better solution be a campaign to educate the users?"

      You assume they're willing or even able to learn, in which case, why not just require a license to use the Internet?

      Thing is, most people just want to get crap done. Yesterday, if at all possible. Recall Click Fatigue.
