Last updated: February 2021
The standards for issuing Extended Validation (EV) certificates were initially developed in 2007, cooperatively with Certificate Authorities and Browsers. Since then, there have been at least 30 modifications approved by the CA/B Forum to enhance and improve them.
For years, browsers used a mostly similar user interface (UI) to distinguish EV from other types of certificates, which gave users a clear indication that the site operator had gone through a strong identity validation. This usually showed a green lock followed by the company name and its jurisdiction next to the URL, depending on the browser. Many have called for a uniform display to make it easier for web users to identify EV sites, but to date, browsers have decided independently of each other to pursue UI displays specific to their web browser community.
Fast forward to 2021, and several browsers have announced changes to the UI for EV certificates. These changes require users to look beyond the lock to ensure the identity of the website. Let’s look at what has changed in each of the popular browsers:
1. Apple Safari: Initially, Apple had a green padlock with the company name in green. In 2018, they modified the display to remove the company name and replace it with the URL in green (Figure 1).
Apple again modified this display in 2020, removing the green lettering (which does not differentiate the type of certificate in the initial view). But by clicking on the lock once, Figure 1a is displayed. The last sentence indicates that this is an EV certificate because the site identity information is there. Safari does not provide this detail for other certificate types.
2. Google Chrome: There have been more iterations in the Chrome EV UI over the years than any other browser. Initially, Chrome displayed the company name and lock in green. Then they changed the company name to gray with a green lock. Then the company name and lock were changed to gray (Figure 2). For the current version, Chrome has moved the display to behind the lock, meaning one must click on the lock to see the company name (in gray) along with the jurisdiction of incorporation (in parentheses). See Figure 3. If “Issued to: {Company Name} [Jurisdiction]” appears under “Certificate (Valid),” then the site has an EV certificate.
3. Microsoft Edge: Edge is now built on top of Chromium, so the EV display is very similar to Chrome’s. See Figure 4.
4. Mozilla Firefox: Firefox version 69 showed the full EV display; however, this changed with the release of Firefox 70. Figure 5 shows the previous EV display from version 69.
Figure 6 shows the updated EV treatment.
An additional click in Firefox shows the extended details, allowing a relying party to verify the name and address of the website as shown in Figure 7.
5. Vivaldi: Popular in the tech and development community, browser Vivaldi currently still has the green lettering in addition to a green lock for websites with EV.
6. Internet Explorer: Internet Explorer’s (IE) current browser UI displays a green bar as an EV certificate indicator. Although not as prevalent as other browsers, about one to two percent of internet users use IE.
Look Beyond the Lock
The browser’s UI changes in recent years have made it more difficult to ascertain a site’s identity. However, it can still be easily done with one click if you know where to look.
The debate for the “right” EV display continues within the community, and there will likely be more iterations in the coming years. In the current absence of a uniform way of showing stronger identity and trust across all web browsers, consumers browsing the web and other relying parties need to know for themselves how to identify information about site ownership. Tool tips and other user aids would go a long way to helping consumers understand the importance of identity on the web.