As part of a series of data-driven changes to Chrome’s security indicators, the Chrome Security UX team is announcing a change to the Extended Validation certificate indicator on certain websites starting in Chrome 77. This doc explains what’s being changed and why, as well as the supporting research that guided this decision.
On HTTPS websites using EV certificates, Chrome 76 currently displays an EV badge to the left of the URL bar that looks like this:
Starting in Version 77, Chrome will move this UI to Page Info, which is accessed by clicking the lock icon:
Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended (see Further Reading below). Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.
Altering the EV UI is a part of a wider trend among browsers to improve their Security UI surfaces in light of recent advances in understanding of this problem space. In 2018, Apple announced a similar change to Safari that coincided with the release of iOS 12 and macOS 10.14 and has been implemented as such ever since.
This change is being incorporated into the Chrome-specific UI code and will not affect embedders that are based solely on the underlying content layer. Embedders that incorporate the Chrome-specific code will either take up these changes or maintain a diff from the master Chromium branch.
A series of academic research in the 2000s studied the EV UI in lab and survey settings, and found that the EV UI was not protecting against phishing attacks as intended. The Chrome Security UX team recently published a study that updated these findings with a large-scale field experiment, as well as a series of survey experiments.
No one single study conclusively determines that EV UI is completely ineffective or cannot be made to be effective. However, we believe that the body of research, as well as the product principles outlined above, together strongly suggest that the EV UI does not belong in Chrome’s most visible UI surface.