Intent to Ship: Move Extended Validation Information out of the URL bar

1,706 views
Skip to first unread message

Johann Hofmann

unread,
Aug 12, 2019, 4:05:09 AM8/12/19
to Firefox Dev, dev-platform, Wayne Thayer

In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security / privacy information). We will add additional EV information to the identity panel instead, effectively reducing the exposure of EV information to users while keeping it easily accessible.


Before:



After:



The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been pitting EV against domains for phishing.


More recently, it has been shown that EV certificates with colliding entity names can be generated by choosing a different jurisdiction. 18 months have passed since then and no changes that address this problem have been identified.


The Chrome team recently removed EV indicators from the URL bar in Canary and announced their intent to ship this change in Chrome 77. Safari is also no longer showing the EV entity name instead of the domain name in their URL bar, distinguishing EV only by the green color. Edge is also no longer showing the EV entity name in their URL bar.

 

On our side a pref for this (security.identityblock.show_extended_validation) was added in bug 1572389 (thanks :evilpie for working on it!). We're planning to flip this pref to false in bug 1572936.


Please let us know if you have any questions or concerns,


Wayne & Johann

Dão Gottwald

unread,
Aug 14, 2019, 7:52:00 AM8/14/19
to Johann Hofmann, dev-platform, Wayne Thayer, Firefox Dev
Are we going to remove support for this pref in a subsequent release?

_______________________________________________
firefox-dev mailing list
firef...@mozilla.org
https://mail.mozilla.org/listinfo/firefox-dev

Marissa (Reese) Wood

unread,
Aug 14, 2019, 4:38:06 PM8/14/19
to Johann Hofmann, Firefox Dev, dev-platform, Wayne Thayer

I quite like this.  Thank you for the update!

 

Marissa (Reese) Wood, PMP, CISSP  | Cell Phone 303-506-3282 | re...@mozilla.com | Slack: #Marissa (Reese)

Eric Shepherd (Sheppy)

unread,
Aug 14, 2019, 4:53:00 PM8/14/19
to Johann Hofmann, Firefox Dev, dev-platform, Wayne Thayer
I’m glad to hear it; the presence of the EV indicator often occupied so much space that the URL bar would become practically unusable. Example attached.


On August 12, 2019 at 4:05:09 AM, Johann Hofmann (jhof...@mozilla.com) wrote:

The Chrome team recently removed EV indicators from the URL bar in Canary and announced their intent to ship this change in Chrome 77. Safari is also no longer showing the EV entity name instead of the domain name in their URL bar, distinguishing EV only by the green color. Edge is also no longer showing the EV entity name in their URL bar.



Eric Shepherd
Senior Technical Writer
Reply all
Reply to author
Forward
0 new messages