You cannot have consumer privacy without a strong website identity
Today there is a huge wave toward protecting consumer privacy – in Congress, through GDPR, and elsewhere – but how can we protect user privacy on the web without establishing the identity of the websites that ask consumers for their passwords and credit card numbers? Extended Validation (EV) certificates provide exactly this information and can be very useful to consumers.
We believe that hiding this information from users is a mistake – and would like to see Mozilla and Google come up with innovative ways to use EV data, rather than hide it from view.
For almost ten years, websites that want to show their confirmed identity to users have gone through the Extended Validation (EV) process when purchasing SSL/TLS certificates from their certificate authorities (CAs). The process involves a number of steps modeled on “know your customer” rules.
Extended Validation involves confirming that the organization controlling the certificate's domain is duly incorporated and in good standing, taking steps to confirm that it is a “real business” by verifying its business address and phone number, and confirming the authority of the person ordering the certificate. This confirmed identity information is then inserted into the EV certificate and cryptographically signed, so that it cannot be altered or copied by fraudsters.
Each EV certificate contains a wealth of information about the organization behind the website. As an example, here is the EV certificate issued to Bank of America:
This information states that Bank of America is a Delaware, US corporation with Delaware corporate registry number 2927442, and has a confirmed business address in Chicago. It clearly identifies the organization operating the website www.bankofamerica.com, and gives the world (users, law enforcement, etc.) identity and contact information to act on in the event that anything bad happens on the website. All CAs in the world follow the same EV validation procedures and include identity information in EV certificates in the same way. The process has been standardized in the Extended Validation Guidelines developed and maintained by the CA/Browser Forum.
Many major enterprises – including banks, financial institutions, hospital centers, and more – use EV certificates to protect their customers and their brands, which phishers frequently try to imitate.
The main alternative to EV certificates is the domain validated (DV) certificate, which contains no identifying information at all. In many cases the issuing CA does not know who owns the website, and often has no way to contact the owner! Here is all the identifying information in the DV certificate for the website whoami.com:
For the past decade, browsers have marked websites with EV certificates using a distinctive EV user interface (UI), so users could see that the identity of the website owner had been confirmed by a third-party CA. As a result, sites with EV certificates have almost no phishing, while phishers have migrated to encryption using anonymous DV certificates – and phishing on DV sites has skyrocketed.
Google Chrome and Mozilla Firefox will soon phase out the current EV UI
Unfortunately, Google Chrome has announced that it will end the distinctive EV user interface with the next version of its browser, Chrome 77, which ships in September 2019; Mozilla will do the same in October. After this change, users will see only the URL of a site, just as they do today for DV sites. Here are examples of the before and after user interfaces – in this case, for the website of the United States Senate, which uses an EV certificate.
Phishing on DV sites has skyrocketed. Users are protected on sites with EV certificates.
Until recently, almost all phishing and malware were on unencrypted HTTP sites. k as to their identity. Users were trained (and mistrained) to “look for the lock symbol” for greater security.