Anne van Kesteren

TLS: browser UI

Browser address bar UI typically distinguishes

for a given domain. Note that if an EV domain had mixed content it would show as MIX. (For brevity I use e.g. “insecure domain” and “EV domain” to mean resource on a domain without TLS and resource on a domain with extended validation.)

Browser security makes a distinction between a domain using TLS and an insecure domain. Indeed, there a mismatch between what the address bar tells the user and what the domain is capable of. E.g. if a domain went from EV to DV, or even to MIX, the same cookies would be in effect, the same storage would be accessible from JavaScript, etc. (Cookies are especially bad as they can even leak from TLS domains to insecure domains if the Secure flag was forgotten.)

UI-wise the main issue is that insecure domains look more attractive than those with TLS. Often http:// is no longer displayed whereas https:// is. Making insecure domains a lot simpler to comprehend.

From the TLS options, EV is especially hard to understand UI-wise, while it is often advertized as better security. Not only do you need to verify the domain and lock icon (as well as scan over https:// and ensure it does not read https.), you also need to check that the organization name that is typically displayed matches what you expect for the domain name and remember that it was displayed there prior on subsequent visits to the domain. (There is no guidance from the browser if EV goes away. In part because browser security does not care about the distinction.)

On top of that you need to understand that for EV the organization name is scoped to a jurisdiction. Firefox and Chrome display this as (US) and [US] respectively after the organization in the address bar. Safari does not show the jurisdiction and Safari also does not show the domain, making it vulnerable to spoofing. If someone sets up a “Twitter, Inc.” in some jurisdiction where Twitter is not based, they could use any domain name they want and Safari would display it identically to how Safari would display (“Twitter, Inc.”). Safari also does not distinguish between domains that share an organization and therefore and (both have EV) appear identical, while there is a security boundary between them. That is probably less of an issue.

Given the above: