EV HTTPS cert seller Sectigo questions Chrome's logic in burying EV HTTPS cert info

Found on The Register on Saturday, 06 March 2021

Google all but hid these extra details in a Chrome update a couple of years ago, arguing that netizens couldn't care less if a site is protected by an EV or a vanilla HTTPS cert – it won't stop them putting in their credit card number or password. Others in the industry have questioned the usefulness of EV certs.

The Chocolate Factory said at the time: "The Chrome Security UX team has determined that the EV UI does not protect users as intended ... users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed." Thus, we're told, it doesn't matter if the EV info is obvious or hidden away.

So a UX team makes fundamental decisions about security. This is where things go wrong.

Browse all articles« Previous « » Next »