Looking beyond the Lock – Reliable Identity in Today’s Web Age

The standards for issuing Extended Validation (EV) certificates were initially developed in 2007, cooperatively with Certificate Authorities and Browsers. Since then, there have been at least 30 modifications approved by the CA/B Forum to enhance and improve them.

For years, browsers used a mostly similar user interface (UI) to distinguish EV from other types of certificates, which gave users a clear indication that the site operator had gone through a strong identity validation. Depending on the browser, this usually showed a green lock followed by the company name and its jurisdiction next to the URL. Many have called for a uniform display to make it easier for web users to identify EV sites, but to date, browsers have decided independently of each other to pursue UI displays specific to their web browser community.

Fast forward to 2019, and several browsers have announced changes to the UI for EV certificates. Let’s look at what has changed in each of the popular browsers:

1. Apple Safari: Initially, Apple had a green padlock with the company name in green. Last year, they modified the display to remove the company name and replace it with the URL in green (Figure 1). This is the current display and no plans to change have been announced. A green lock and green domain name indicate that this site uses an EV certificate.
Figure 1: Safari EV display Version 13.0.2 (15608.2.30.1.1)

2. Google Chrome: There have been more iterations in the Chrome EV UI over the years than any other browser. Initially, Chrome displayed the company name and lock in green. Then they changed the company name to gray with a green lock. Then the company name and lock were changed to gray (Figure 2). For the current version 78, Chrome has moved the display to behind the lock, meaning one must click on the lock to see the company name (in gray) along with the jurisdiction of incorporation (in parentheses). See Figure 3.
Figure 2: Prior Chrome EV display

Figure 3: Current Chrome EV display (Version 78)

3. Microsoft Edge: Edge is now built on top of Chromium, so the EV display is very similar to Chrome’s. See Figure 4.
Figure 4: Current Edge EV Display

4. Mozilla Firefox: Firefox version 69 was showing the full EV display; however, this just changed with the release of Firefox 70. Figure 5 shows the previous EV display from version 69.
Figure 5: Firefox 69 EV display

Figure 6 shows the updated EV treatment.
Figure 6: Firefox 70 EV Display

An additional click in Firefox shows the extended details, allowing a relying party to verify the name and address of the website as shown in Figure 7.
Figure 7: Certificate details showing vetted name and address in Firefox 70

The debate over the “right” EV display continues within the community, and there will be more iterations in the coming years. In the current absence of a uniform way of showing stronger identity and trust across all web browsers, consumers browsing the web and other relying parties need to know for themselves how to identify information about site ownership. Tool tips and other user aids would go a long way toward helping consumers understand the importance of identity on the web.