Looking beyond the Lock – Reliable Identity in Today’s Web Age

Last updated: January 2021

The standards for issuing Extended Validation (EV) certificates were initially developed in 2007, cooperatively with Certificate Authorities and Browsers. Since then, there have been at least 30 modifications approved by the CA/B Forum to enhance and improve them.

For years, browsers used a mostly similar user interface (UI) to distinguish EV from other types of certificates, which gave users a clear indication that the site operator had gone through a strong identity validation. This usually showed a green lock followed by the company name and its jurisdiction next to the URL, depending on the browser. Many have called for a uniform display to make it easier for web users to identify EV sites, but to date, browsers have decided independently of each other to pursue UI displays specific to their web browser community.

Fast forward to 2021, and several browsers have announced changes to the UI for EV certificates. These changes require users to look beyond the lock to ensure the identity of the website. Let’s look at what has changed in each of the popular browsers:

1. Apple Safari: Initially, Apple had a green padlock with the company name in green. In 2018, they modified the display to remove the company name and replace it with the URL in green (Figure 1).

Figure 1: 2018 Safari EV display Version 13.0.2 (15608.2.30.1.1)

Apple modified this display again in 2020, removing the green lettering, so the initial view no longer differentiates the type of certificate. Clicking on the lock once, however, displays Figure 1a. The last sentence indicates that this is an EV certificate because the site identity information is there. Safari does not provide this detail for other certificate types.

Figure 1a: Safari EV display after one click on the lock.

2. Google Chrome: There have been more iterations in the Chrome EV UI over the years than in any other browser. Initially, Chrome displayed the company name and lock in green. Then they changed the company name to gray with a green lock. Then the company name and lock were changed to gray (Figure 2). For the current version, Chrome has moved the display behind the lock, meaning one must click on the lock to see the company name (in gray) along with the jurisdiction of incorporation (in parentheses). See Figure 3. If “Issued to: {Company Name} [Jurisdiction]” appears under “Certificate (Valid),” then the site has an EV certificate.

Figure 2: Prior Chrome EV display

Figure 3: Current Chrome EV display

3. Microsoft Edge: Edge is now built on top of Chromium, so the EV display is very similar to Chrome’s. See Figure 4.

Figure 4: Current Edge EV display

4. Mozilla Firefox: Firefox version 69 showed the full EV display; however, this changed with the release of Firefox 70. Figure 5 shows the previous EV display from version 69.

Figure 5: Previous Firefox EV display

Figure 6 shows the updated EV treatment.

Figure 6: Current Firefox EV display

An additional click in Firefox shows the extended details, allowing a relying party to verify the name and address of the website as shown in Figure 7.

Figure 7: Certificate details showing vetted name and address in Firefox 70

Browser UI changes in recent years have made it more difficult to ascertain a site’s identity. However, it can still be done easily with one click if you know where to look.
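
The same identity check can be made outside the browser. The following is an added example, not part of the original article: it uses Python's standard `ssl` module to rebuild the “Issued to: Company [Jurisdiction]” line from a certificate subject. It is a heuristic that looks for the identity attributes an EV subject carries, whereas browsers decide EV status from the certificate's policy identifier and issuing root, which `getpeercert()` does not expose; the function names and sample subjects are constructed for illustration.

```python
import socket
import ssl

# EV identity attributes as ssl.getpeercert() names them. Older OpenSSL builds
# report the jurisdiction country as a dotted OID, so both spellings are accepted.
JURISDICTION_KEYS = ("jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3")
REQUIRED_KEYS = ("organizationName", "businessCategory", "serialNumber")


def fetch_cert(host, port=443, timeout=5.0):
    """Return the chain-validated leaf certificate of host as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issued_to(cert):
    """Return 'Organization [Jurisdiction]' when the subject carries the EV
    identity attributes, else None (as is typical for DV and OV certificates)."""
    subject = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            subject.setdefault(name, value)
    jurisdiction = next((subject[k] for k in JURISDICTION_KEYS if k in subject), None)
    if jurisdiction is None or any(k not in subject for k in REQUIRED_KEYS):
        return None
    return f"{subject['organizationName']} [{jurisdiction}]"


def _subject(*pairs):
    """Build a getpeercert()-shaped dict from (name, value) pairs."""
    return {"subject": tuple(((n, v),) for n, v in pairs)}


# Constructed sample subjects, not taken from real certificates.
EV_FIELDS = [("businessCategory", "Private Organization"), ("serialNumber", "0000000"),
             ("organizationName", "Example Corp"), ("commonName", "www.example.com")]
SAMPLE_EV = _subject(("jurisdictionCountryName", "US"), *EV_FIELDS)
SAMPLE_EV_OID = _subject(("1.3.6.1.4.1.311.60.2.1.3", "US"), *EV_FIELDS)
SAMPLE_OV = _subject(("organizationName", "Example Corp"), ("commonName", "www.example.com"))
SAMPLE_DV = _subject(("commonName", "www.example.com"))

if __name__ == "__main__":
    for label, cert in [("EV", SAMPLE_EV), ("EV, OID-named", SAMPLE_EV_OID),
                        ("OV", SAMPLE_OV), ("DV", SAMPLE_DV)]:
        print(f"{label}: Issued to: {issued_to(cert)}")
```

To check a live site, pass the result of `fetch_cert("<hostname>")` to `issued_to`; a `None` result means the subject has no vetted organization and jurisdiction to display.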

The debate for the “right” EV display continues within the community, and there will likely be more iterations in the coming years. In the current absence of a uniform way of showing stronger identity and trust across all web browsers, consumers browsing the web and other relying parties need to know for themselves how to identify information about site ownership. Tool tips and other user aids would go a long way to helping consumers understand the importance of identity on the web.
