Everything We Are Told About Website Identity Assurance Is Wrong

Troy Hunt on Twitter:

Why are you still claiming this @digicert? This is extremely misleading, anyone feel like reporting this to the relevant advertising standards authority in their jurisdiction? https://www.digicert.com/faq/when-to-use-ev-ssl.htm

The linked page touted the supposed benefits of Extended Validation (EV) certificates: the ones that promise to tie a company's legal identity to its website, which browsers used to signal by showing the company's name in the address bar next to the HTTPS padlock. Chrome and Firefox dropped that indicator in 2019, so the certificate still carries the identity claim but nothing in the browser chrome shows it.
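The identity claim the marketing trades on lives inside the certificate, not in the browser: a CA/Browser Forum policy OID in the certificatePolicies extension (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV) plus organisation attributes in the subject. Since no mainstream browser surfaces it any more, anything that wants to act on it has to read the certificate directly. The following is an added example, not code from the original post, from DigiCert or from Troy Hunt. It assumes the Python cryptography package; the certificates it builds are self-signed test data constructed inline rather than real CA-issued certificates, and the helper names (classify_validation, asserted_organization, make_test_cert) are my own.

```python
# Added example: read the validation level and asserted organisation out of
# a certificate, which is the only place that information now lives.
# Not code from the original post, DigiCert or Troy Hunt. Assumes the
# `cryptography` package. Helper names here are illustrative, not a library API.
from __future__ import annotations

import datetime
from typing import Optional, Set

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# CA/Browser Forum reserved policy OIDs (Baseline Requirements / EV Guidelines).
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"
CABF_IV = "2.23.140.1.2.3"

# Subject attributes the EV Guidelines require in addition to the policy OID.
EV_REQUIRED_ATTRS = {
    NameOID.COUNTRY_NAME,
    NameOID.ORGANIZATION_NAME,
    NameOID.BUSINESS_CATEGORY,
    NameOID.JURISDICTION_COUNTRY_NAME,
    NameOID.SERIAL_NUMBER,  # company registration number
}


def policy_oids(cert: x509.Certificate) -> Set[str]:
    """Dotted policy OIDs from certificatePolicies (empty set if the extension is absent)."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES)
    except x509.ExtensionNotFound:
        return set()
    return {info.policy_identifier.dotted_string for info in ext.value}


def classify_validation(cert: x509.Certificate) -> str:
    """Return 'EV', 'OV', 'IV', 'DV' or 'unknown' from the CA/B Forum policy OIDs.

    A certificate that carries the EV OID but lacks the mandatory identity
    attributes is reported as 'malformed-EV': the OID on its own is not identity.
    """
    oids = policy_oids(cert)
    if CABF_EV in oids:
        present = {attr.oid for attr in cert.subject}
        return "EV" if not (EV_REQUIRED_ATTRS - present) else "malformed-EV"
    if CABF_OV in oids:
        return "OV"
    if CABF_IV in oids:
        return "IV"
    if CABF_DV in oids:
        return "DV"
    return "unknown"


def asserted_organization(cert: x509.Certificate) -> Optional[str]:
    """The organisation name the certificate asserts, or None (typical for DV)."""
    attrs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    return attrs[0].value if attrs else None


def make_test_cert(subject_attrs, policy_oid: Optional[str], dns_name: str = "www.example.test"):
    """Build a self-signed certificate as constructed test data (not CA-issued)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, value) for oid, value in subject_attrs])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
    )
    if policy_oid is not None:
        builder = builder.add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


# Constructed sample subjects: a full EV-style subject and a bare DV-style one.
EV_SUBJECT = [
    (NameOID.COUNTRY_NAME, "US"),
    (NameOID.ORGANIZATION_NAME, "Example Corp"),
    (NameOID.BUSINESS_CATEGORY, "Private Organization"),
    (NameOID.JURISDICTION_COUNTRY_NAME, "US"),
    (NameOID.SERIAL_NUMBER, "12345678"),
    (NameOID.COMMON_NAME, "www.example.test"),
]
DV_SUBJECT = [(NameOID.COMMON_NAME, "www.example.test")]

EV_CERT = make_test_cert(EV_SUBJECT, CABF_EV)
DV_CERT = make_test_cert(DV_SUBJECT, CABF_DV)
BOGUS_EV_CERT = make_test_cert(DV_SUBJECT, CABF_EV)  # EV OID with no identity behind it

if __name__ == "__main__":
    for label, cert in (("ev", EV_CERT), ("dv", DV_CERT), ("bogus", BOGUS_EV_CERT)):
        print(label, classify_validation(cert), asserted_organization(cert))
```

The caveat that matters in practice: the classification above only tells you what the certificate claims, and a self-signed certificate can claim anything. The organisation name is worth exactly as much as the issuing CA's vetting of it, and a client would still have to chain the certificate to a trusted root and check that the CA is one whose EV issuance it actually trusts before treating "Example Corp" as meaning anything. That is the same gap between "the certificate says so" and "the user can rely on it" that the post is about.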

Troy Hunt:

I have a vehement dislike for misleading advertising. We see it every day; weight loss pills, make money fast schemes and if you travel in the same circles I do, claims that extended validation (EV) certificates actually do something useful:

Someone had reached out to me privately and shared the offending page as they’d taken issue with the false claims DigiCert was making. My views on certificate authority shenanigans spinning yarns on EV are well known after having done many talks on the topic and written many blog posts, most recently in August 2019 after both Chrome and Firefox announced they were killing it. When I say “kill”, that never meant that EV would no longer technically work, but it killed the single thing spruikers of it relied upon – being visually present beside the address bar. That was 2 and a half years ago, so why is DigiCert still pimping the message about the green bar with the company name? Beats me (although I could gue$$), but clearly DigiCert had a change of heart after that tweet because a day later, the offending image was gone. You can still see the original version in the Feb 9 snapshot on archive.org.

Website identity is a hard thing to prove, even to those who are somewhat technically literate. Bad security advice is commonplace, but it is outrageous to see a company like DigiCert using such frail justifications as marketing fodder.