[Cryptography] Well, that only took ten years

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Aug 14 03:13:55 EDT 2019


Over the last few months, browsers have been quietly removing the UI bling
associated with EV certs in acknowledgement of a decade of data and research
publications showing that they have no effect on security, Chrome and Firefox
entirely:

https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/h1bTcoTpfeI
https://bugzilla.mozilla.org/show_bug.cgi?id=1572936

and Safari and Edge severely sidelining it.  Since EV was principally a CA
marketing technology, I've been trying to get comments from CAs on how they
feel about this, so far without response.

When EV was first introduced, various security people on this list predicted
it would have no effect.  Several also predicted, tongue-in-cheek, that after
EV failed there'd be EEV certificates, and then EEEV certificates, and then...
Or maybe like C -> C++ or D, they'll be EV+, EV++, and so on certificates.

In any case it'll be interesting to see what the next deckchair-rearrangement
in browser PKI will be.  Whatever it is, I'd like to take this opportunity to
predict in advance that it'll have no effect.

Peter.
