Browser address bar UI typically distinguishes
for a given domain. Note that if an EV domain had mixed content it would show as MIX. (For brevity I use e.g. “insecure domain” and “EV domain” to mean a resource on a domain without TLS and a resource on a domain with extended validation.)
Secure flag was forgotten.)
UI-wise the main issue is that insecure domains look more attractive than those with TLS. Often http:// is no longer displayed whereas https:// is, making insecure domains a lot simpler to comprehend.
From the TLS options, EV is especially hard to understand UI-wise, while it is often advertised as better security. Not only do you need to verify the domain and lock icon (as well as scan over https:// and ensure it does not read https.), you also need to check that the organization name that is typically displayed matches what you expect for the domain name, and on subsequent visits to the domain remember that it was displayed there before. (There is no guidance from the browser if EV goes away, in part because browser security does not care about the distinction.)
On top of that you need to understand that for EV the organization name is scoped to a jurisdiction. Firefox and Chrome display this as (US) and [US] respectively after the organization in the address bar. Safari does not show the jurisdiction, and Safari also does not show the domain, making it vulnerable to spoofing. If someone sets up a “Twitter, Inc.” in some jurisdiction where Twitter is not based, they could use any domain name they want and Safari would display it identically to how Safari would display twitter.com (“Twitter, Inc.”). Safari also does not distinguish between domains that share an organization, and therefore bugzilla.mozilla.org (both have EV) appear identical, while there is a security boundary between them. That is probably less of an issue.
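To make the jurisdiction point concrete, here is an added example (my own code, not part of the original post) that models what each of the three indicators described above shows for an EV subject, and checks whether two subjects stay distinguishable in a given UI. The subjects are constructed RFC 4514 strings; the `jurisdictionC` short name (OpenSSL's rendering of the EV jurisdictionCountryName attribute) and all sample values are assumptions, not real certificates.

```python
import re

def parse_dn(dn):
    """Parse an RFC 4514 DN string into a dict; handles '\\,' escaped commas."""
    attrs = {}
    for part in re.split(r'(?<!\\),', dn):
        key, _, value = part.partition('=')
        attrs[key.strip()] = value.replace('\\,', ',').strip()
    return attrs

def ev_label(dn, ui):
    """(text beside the lock, domain shown) for an EV cert in the given browser UI.

    Modelled on the post: Firefox appends '(CC)', Chrome appends '[CC]', and
    Safari shows neither the jurisdiction nor the domain.
    """
    attrs = parse_dn(dn)
    org = attrs['O']
    juris = attrs.get('jurisdictionC', attrs.get('C'))
    domain = attrs['CN']
    if ui == 'firefox':
        return f"{org} ({juris})", domain
    if ui == 'chrome':
        return f"{org} [{juris}]", domain
    if ui == 'safari':
        return org, None  # jurisdiction and domain both hidden
    raise ValueError(f"unknown ui: {ui}")

def distinguishable(dn_a, dn_b, ui):
    """True if the UI shows anything that differs between the two subjects."""
    return ev_label(dn_a, ui) != ev_label(dn_b, ui)

# Constructed sample subjects (placeholder serials): the real company and a
# same-named company registered in another jurisdiction, serving a different domain.
REAL = "CN=twitter.com,O=Twitter\\, Inc.,C=US,jurisdictionC=US,serialNumber=PLACEHOLDER-1"
LOOKALIKE = "CN=example.test,O=Twitter\\, Inc.,C=GB,jurisdictionC=GB,serialNumber=PLACEHOLDER-2"

if __name__ == "__main__":
    for ui in ("firefox", "chrome", "safari"):
        print(ui, ev_label(LOOKALIKE, ui),
              "distinguishable from real:", distinguishable(REAL, LOOKALIKE, ui))
```

Running it shows the lookalike is told apart in Firefox and Chrome (different jurisdiction and domain) but collapses to the same "Twitter, Inc." in the Safari model.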
Given the above:
http://. Instead we should only show the domain and a lock icon for TLS. That simplifies the UI and makes the trust decision for the end user easier.