Anne van Kesteren

TLS: browser UI

Browser address bar UI typically distinguishes

• Insecure
• TLS with mixed content (MIX, TLS)
• TLS with domain validation (DV, TLS)
• TLS with extended validation (EV, TLS)

for a given domain. Note that if an EV domain had mixed content it would show as MIX. (For brevity I use e.g. “insecure domain” and “EV domain” to mean resource on a domain without TLS and resource on a domain with extended validation.)

Browser security makes a distinction between a domain using TLS and an insecure domain. Indeed, there a mismatch between what the address bar tells the user and what the domain is capable of. E.g. if a domain went from EV to DV, or even to MIX, the same cookies would be in effect, the same storage would be accessible from JavaScript, etc. (Cookies are especially bad as they can even leak from TLS domains to insecure domains if the Secure flag was forgotten.)

UI-wise the main issue is that insecure domains look more attractive than those with TLS. Often http:// is no longer displayed whereas https:// is. Making insecure domains a lot simpler to comprehend.

From the TLS options, EV is especially hard to understand UI-wise, while it is often advertized as better security. Not only do you need to verify the domain and lock icon (as well as scan over https:// and ensure it does not read https.), you also need to check that the organization name that is typically displayed matches what you expect for the domain name and remember that it was displayed there prior on subsequent visits to the domain. (There is no guidance from the browser if EV goes away. In part because browser security does not care about the distinction.)

On top of that you need to understand that for EV the organization name is scoped to a jurisdiction. Firefox and Chrome display this as (US) and [US] respectively after the organization in the address bar. Safari does not show the jurisdiction and Safari also does not show the domain, making it vulnerable to spoofing. If someone sets up a “Twitter, Inc.” in some jurisdiction where Twitter is not based, they could use any domain name they want and Safari would display it identically to how Safari would display twitter.com (“Twitter, Inc.”). Safari also does not distinguish between domains that share an organization and therefore mozilla.org and bugzilla.mozilla.org (both have EV) appear identical, while there is a security boundary between them. That is probably less of an issue.

Given the above:

• Insecure domains should probably be more clearly called out as such.
• We should not expect end users to distinguish https:// from https. and http://. Instead we should only show the domain and a lock icon for TLS. That simplifies the UI and makes the trust decision for the end user easier.
• EV is a more expensive certificate for arguably worse end user UI and gives the same amount of security as DV. With EV end users have to remember the organization name, organization jurisdiction, lock icon, and domain, and verify them each visit. That is a bad deal.