SSL certificates: Three reasons why green padlocks have to stay
US company Google has said goodbye to the visual indicators that showed the different security levels of SSL certificates. Our expert Dr. Kim Nguyen gives three reasons why this decision threatens to harm consumer protection and the European digital single market.
Focus on encrypted website communication
Dr. Kim Nguyen, Managing Director of D-TRUST GmbH
With this change, Google also ignores the security differences that exist between the different types of certificates. The symbols previously displayed in the browser's address bar to show the user the security level have been removed. These include, for instance, the green padlock in the address bar and the name of the organization in green letters. What's more, the "secure" notice is also omitted, and only a grey padlock is displayed.
SSL certificates differ in many ways
Google argues that the web is "safe by default", so that it is no longer necessary for the Chrome browser to additionally mark encrypted, and hence secure, websites. But that is not the case. SSL certificates differ in many ways: although all certificate types encrypt the communication between the Internet user and the website, they differ greatly in how they establish identity. From our point of view, there are three reasons why the padlocks must remain:
Reason 1: There are different security levels for certificates
Certificates with "Domain Validation" (DV) are currently the most common certificates. They offer the lowest level of security: the issuing certification authority merely checks whether the requester controls the domain. The requester does not have to prove his or her identity.
An identity check is carried out for so-called organization-validated SSL certificates (Organization Validation, in short: OV). In this case, the domain owner is required to submit documents, such as an excerpt from the commercial register.
Extended Validation certificates (in short: EV) go one step further. In addition to validating the organization, these certificates require proof of identity from the requester. A check is carried out to ensure that this person is in fact employed by the company and is authorized to purchase an EV certificate.
Practice shows that, without proof of identity, a website is not secure. In April 2018 alone, the Phisbank.org website identified more than 3,200 websites with SSL certificates that were used for data misuse; 99 percent of these cases involved DV certificates.
Reason 2: Consumer protection is weakened
If website communication is to become more secure, it is not enough to simply increase the number of SSL certificates used. It is only with OV/EV certificates that Internet users can rest assured that the website they are visiting is truly secure so that they can disclose personal data without any worries. The aim must therefore be to promote the use of certificates with a high security level.
Google's measures, however, lead to the exact opposite. With the elimination of the "positive security indicators", website operators are less inclined to use such secure certificates, especially since it is now very difficult for Internet users to recognize websites with OV certificates: this requires clicking on the grey padlock icon on the far left of the address bar and then selecting "certificate" in the menu that opens. Before this, Internet users could quickly identify the organization behind the website thanks to the positive green colour and the company name displayed there. This is no longer possible, and Internet users have lost an important orientation aid.
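The validation levels described under Reason 1, and the difficulty of telling an OV/EV site from a DV site once the indicator is gone, are both visible inside the certificate itself. The following Go program is an added example and not code from D-TRUST or from the original article: it reads the CA/Browser Forum policy OIDs that CAs place in the certificatePolicies extension (EV 2.23.140.1.1, OV 2.23.140.1.2.2, DV 2.23.140.1.2.1) and the ETSI EN 319 411-2 QCP-w policy OID (0.4.0.194112.1.4) used for qualified website certificates, falls back to the presence of an O= field in the subject when no known OID is present, and rebuilds the organization label that the green bar used to show. The certificates are self-signed samples generated inside the program so that it runs offline; the hostnames, company names and the choice of which OIDs to embed are constructed for the demo, whereas in practice the issuing CA decides them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Policy OIDs found in the certificatePolicies extension (id-ce 2.5.29.32):
// CA/Browser Forum EV, DV, OV and ETSI EN 319 411-2 QCP-w (qualified website certificate).
var (
	oidEV       = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV       = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV       = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidQCPw     = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 4}
	oidPolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// policyInformation is the ASN.1 PolicyInformation structure without optional qualifiers.
type policyInformation struct{ Identifier asn1.ObjectIdentifier }

// ValidationLevel reports the level the certificate claims through its policy OIDs,
// strongest first. A trailing "?" marks the fallback used when none is present: an O=
// field in the subject means an organization was checked, none means domain control only.
func ValidationLevel(cert *x509.Certificate) string {
	known := []struct {
		oid   asn1.ObjectIdentifier
		level string
	}{{oidQCPw, "QWAC"}, {oidEV, "EV"}, {oidOV, "OV"}, {oidDV, "DV"}}
	for _, k := range known {
		for _, p := range cert.PolicyIdentifiers {
			if p.Equal(k.oid) {
				return k.level
			}
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return "OV?"
	}
	return "DV?"
}

// IdentityLabel rebuilds what the removed green indicator showed: the validated
// organization and country, or "" for a certificate that only proves domain control.
func IdentityLabel(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) == 0 {
		return ""
	}
	label := cert.Subject.Organization[0]
	if len(cert.Subject.Country) > 0 {
		label += " (" + cert.Subject.Country[0] + ")"
	}
	return label
}

// NewSampleCert issues a self-signed certificate with the given subject fields and
// policy OIDs. Constructed for this demo; in reality the CA, not the site, sets them.
func NewSampleCert(host, org, country string, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subj := pkix.Name{CommonName: host}
	if org != "" {
		subj.Organization, subj.Country = []string{org}, []string{country}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subj,
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if len(policies) > 0 {
		var infos []policyInformation
		for _, p := range policies {
			infos = append(infos, policyInformation{Identifier: p})
		}
		der, err := asn1.Marshal(infos) // SEQUENCE OF PolicyInformation
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidPolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSampleCert("bank.example", "Example Bank AG", "DE", oidEV)
	if err != nil {
		panic(err)
	}
	fmt.Println(ValidationLevel(cert), IdentityLabel(cert)) // EV Example Bank AG (DE)
}
```

The policy OID check is what a browser's EV logic relies on; the subject heuristic is only a last resort, since the Baseline Requirements let an OV or EV certificate carry an organization name but forbid one in a DV certificate. Pointed at a certificate fetched from a live server instead of the generated sample, the same two functions give a user the information the grey padlock now hides behind two clicks.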
Reason 3: It will not be possible for European standards to become established
Europe's "Regulation on electronic identification and trust services for electronic transactions in the internal market" (eIDAS) aims to enable secure and trusted electronic communications throughout the territory of the EU. New tools have been created for this purpose, including Qualified Website Authentication Certificates (in short: QWACs). Technically speaking, QWACs are the same as EV certificates. In addition, they are legally binding throughout the EU: the contents of the certificate regarding the holder's identity can be used as evidence in a court of law.
QWACs may only be issued by so-called qualified trust service providers based in the EU. The Regulation defines these providers as particularly trusted certification authorities that must comply with stricter rules on security and liability. Since Internet users would no longer be able to see which certificate is being used, we can expect website providers' interest in QWACs to decline. This would make it impossible for European standards to become established, and European trust service providers would be marginalised.
Therefore, in the interest of stronger consumer protection and a successful digital internal market, we demand that the security level of SSL certificates remain visible.