It's not easy being green: EV HTTPS cert seller Sectigo questions Chrome's logic in burying EV HTTPS cert info
2021-03-03 11:45

Sectigo's chief compliance officer has hit out at Google for minimizing the visibility of Extended Validation HTTPS certificates in Chrome.

In a chat with The Register, Sectigo CCO Tim Callan said his biz, which among other things is one of the biggest sellers of EV HTTPS certificates, was "going to remove street and postal information from all of our public sites," seeing as Google thinks no one cares where a business is based.

"Like in some browsers, it's very difficult to even find it. And you have to really know what you're doing... Firefox does a good job of displaying certificate information around but in Chrome, that stuff is buried. Burying is such an awkward word. But that'll do - burying of that information."

Burying is indeed what the number-one browser-maker did: when visiting a website that uses an EV HTTPS cert, desktop Chrome 88 displays the owner's legal name under the heading 'Certificate' when you click on the now-grey padlock icon in the URL bar.

Callan said Google had justified its move within the browser security certificate community by insisting the decision was "data driven." The Chocolate Factory said at the time: "The Chrome Security UX team has determined that the EV UI does not protect users as intended ... users do not appear to make secure choices when the UI is altered or removed." Thus, we're told, it doesn't matter if the EV info is obvious or hidden away.

Sectigo charges $465 a year for a multi-domain EV HTTPS certificate, if you purchase one for five years; the price goes up if you opt for a shorter duration.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/03/03/sectigo_google_certificates/