The Extended Validation TLS certificate endgame is here (to my surprise)

September 19, 2018

Today, Troy Hunt published Extended Validation Certificates are Dead, which runs over the pretty strong evidence for that proposition. I'm genuinely startled by the pace of these developments; I expected the EV certificate endgame to happen sometime, but nowhere near this fast and this definitively. To me, what stands out in Troy Hunt's article is not just that major mobile browsers have aggressively moved away from doing special things for EV certificates, but that large organizations are considering migrating away from them, and for operational reasons instead of cost ones (modest cost savings may not be convincing to decision makers, but security and operational risk probably is).

In my view this matters a great deal; a perception that EV certificates are worse than plain TLS certificates is a quite bad thing for EV certificates. When the choice between EV and plain certificates was neutral except for cost, EV certificates had a chance in cost-insensitive situations and organizations, as such organizations were basically indifferent and so could be talked into it for various reasons. If EV certificates are worse in practice than plain certificates, organizations are not merely not going to take them, they are going to fight hard against attempts to impose them or sneak in requirements for them.

Back in May I wrote up some speculation on the long term future of EV certificates. A good chunk of that seems very unlikely now, in light of these developments. For example, I speculated that the PCI DSS would be talked into mandating EV certificates. If major banks are now considering moving away from EV certificates for operational reasons, such a mandate seems highly unlikely, since none of the organizations involved will want to be yoked to EV certificates, and they have a lot of influence on the PCI DSS standards. And given that browsers are killing off EV certificate indicators, they're certainly not going to make future JavaScript features conditional on having EV certificates instead of regular ones.

Between Let's Encrypt's relentless march to taking a larger and larger share of plain Domain Validated certificates (you have only to look at Troy Hunt's collection of sites that once may have bothered with EV certificates but have since rolled them over to LE) and the death of Extended Validation certificates, I have no idea what commercial Certificate Authorities can do next. Well, I expect they're going to try more 'marketing', but I'm not sure it's going to do them much good (especially in the long run, say in a year or two, when existing EV certificates come up for renewal and people start taking another look at things).

I'm honestly surprised that the CAs seem to have been so ineffective here at preserving EV certificates. I would have expected CAs to be working away full time to influence browser vendors, among other things. Instead all we seem to have gotten is some clumsy marketing campaigns that are probably not being particularly effective.

(Perhaps most CAs have already effectively written off their EV business as not going to survive and so are simply harvesting whatever money they can from it before they quietly shut it down.)

Written on 19 September 2018.
Last modified: Wed Sep 19 01:27:27 2018